Electron
In a nutshell:
“Electron” is a framework for building desktop applications; the finished app is shipped bundled with its own browser engine.
Advantage: practical. An app that is its own browser runs virtually everywhere.
Disadvantage: larger attack surface, bloated, high memory consumption, not accessible.
There are a lot of applications implemented with Electron: Atom, DeltaChat desktop, Discord desktop, Element desktop, Mattermost desktop, Signal desktop, Slack desktop, Threema desktop, Visual Studio, WhatsApp desktop etc.
Below is more on the criticism of the undisputedly very successful development platform.
Accessibility
Electron is not accessible (barrier-free), which means, for example, that visually impaired users are at a disadvantage.
Injecting a Chromium Add-On into Electron
As a blind user, I am having problems using Electron apps with the Orca screenreader for Linux. This is because Chromium, my primary browser, doesn’t support using Orca by default. It does, however, have an extension called ChromeVox to serve as a screenreader. Since both Chrome and Chromium use this screenreader, and Electron uses Chrome to function, I wonder if it then is possible to “inject” the ChromeVox screenreader into my apps. I use inject loosely, as there are some apps that I can’t readily get access to the source code of; Spotify and Slack serve as primary examples. Does anyone have some experience in this matter?
Source: Reddit (2017)
Security and privacy
Electron is essentially a complete Chrome browser with one additional built-in function (the app). Electron apps are therefore not really native apps but a Chrome browser with a single tab, namely the app. Every Electron app you install brings its own complete Chrome browser with it.
It gives the appearance of a program developed cleanly for the respective operating system, while in fact it merely bundles the web application together with Chrome. In most cases you could just as well use the regular web version of the app in your own browser.
Problem:
Because browsers are so complex, the attack surface is correspondingly larger than with classic programs/apps.
It is also common with Electron apps that the developers keep their own software up to date but do not regularly update the Electron framework it is built on. Often weeks or months lie between the Electron version in use and the version available. Nobody acting responsibly would leave their browser unpatched for months, whether Chromium, Firefox or any other browser, yet some developers think differently when it comes to Electron apps.
Regular updates, however, are essential for closing security gaps.
An impressive example can be found at Debian (external).
Electron is therefore recommended neither for security reasons nor for reasons of data minimisation (data protection).
If apps focus on “security” and advertise it, but use Electron at the same time, the two clash somewhat. Some therefore recommend not running Electron applications directly, but only in isolation, e.g. in a “sandbox”. According to the Free Software Directory (external), Electron is also non-free software.
Very good article on the subject: 'Electron apps have a dangerous Achilles heel'.
Skype, Slack, VS Code, Atom: Electron apps have a dangerous Achilles heel
Programs based on the Electron framework can be Trojanized by local attackers and misused as attack platforms.
At the BSides Las Vegas security conference, Pavel Tsakalidis of security firm Context disclosed a vulnerability in GitHub's Electron software development framework that can be used to backdoor Electron apps and inject them with malicious code. Although the attacker needs local access to a system for this - attacks from afar are therefore difficult - simple user rights are sufficient under Windows. The Electron framework forms the basis for GitHub's text editor Atom and Microsoft's Visual Studio Code. The messengers Skype, WhatsApp, Signal, Wire, Cryptocat, Discord and Slack also use it for their desktop apps. The desktop clients of GitHub and Twitch are also potentially affected.
Electron is popular mainly because it allows developers to be present with one version of their app on Windows, macOS and Linux simultaneously. It is based on JavaScript and Node.js and stores application data in an archive format called ASAR, among other things. And this is exactly where the vulnerability is, which Tsakalidis has now made public. The ASAR archives of an Electron app are neither encrypted nor digitally signed. This allowed the security researcher to develop a Python tool called BEEMKA, which he can use to unpack these archives and manipulate the code they contain. This results in an attacker being able to hide malicious code in legitimate processes of the app. On macOS and Linux, BEEMKA requires administrator rights to do this; on Windows, logging in as a normal user is sufficient.
Access to the file system and the webcam
The code smuggled into the original apps can access the system's webcam and the local file system. Since the operating system trusts the app - which is usually signed with a valid certificate from the developer - an attacker could thus read sensitive data on the system. In one video, Tsakalidis shows how a Trojanized version of the password manager Bitwarden reveals passwords, which Tsakalidis' code could then send to any Web server. In addition, the security researcher showed in his presentation how a manipulated version of Visual Studio Code could leak the contents of any open code tab to the Internet. This could be used to spy on the trade secrets of software developers, for example.
According to Tsakalidis, the vulnerability also allows code to be injected into internal processes of the Electron framework, for example its built-in Chrome extensions. An attacker could thereby bypass certificate checks and eavesdrop on Electron apps' HTTPS-encrypted communications. An attacker could also quietly manipulate Electron apps' update features so that their malicious code is not overwritten by a new app version.
Electron sees no reason to act
According to Tsakalidis, Electron developers know about the problem because Electron developers have asked in the past in the open source project's bug tracker to cryptographically secure the ASAR archives. These requests had been blocked by the responsible project developers. Tsakalidis said that Electron had not responded to his attempts to contact them prior to the release. The project has also not yet responded to inquiries from heise online. The security researcher fears that, in addition to the local attacks he described, it is also possible to foist manipulated Electron apps on other users. At least under macOS, however, the Gatekeeper security function would have to detect the changes to the app and sound the alarm.
In a discussion in the Electron bug tracker, Tsakalidis explains how he originally discovered the gap. As part of a Red Team, he was tasked with anchoring malicious code on a system (security researchers also refer to this as persistence) in the network of one of his security firm's clients. The Red Team accomplished this with a PowerShell exploit they hid in the ASAR files of the company's Slack messenger. "Every time Slack was run at Windows startup, we had access to the internal network again," Tsakalidis said.
Fabian A. Scherschel / (fab) / 09.08.2019 / Source:
https://www.heise.de/security/meldung/Skype-Slack-VS-Code-Atom-Electron-Apps-haben-eine-gefaehrliche-Achilles-Ferse-4493195.html (external)
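The article above turns on the fact that an app's ASAR archive is neither encrypted nor signed, so nothing inside the app can notice that it was modified. The following is an added example, not code from the page or from the Electron project: it parses the ASAR header layout (a Chromium pickle: a 4-byte size word, the header pickle size, the JSON header, then the packed file contents) and compares per-file SHA-256 hashes against a pinned manifest, the kind of check an endpoint agent or package verifier can run from outside the app. The sample archive, the manifest and the modified copy are all constructed inline.

```python
import hashlib
import json
import struct

# ASAR layout (little-endian): [4]=4 | [4]=header pickle size | [4]=payload
# size | [4]=JSON length | JSON padded to 4 bytes | file contents back to back.

def build_asar(files):
    """Constructed helper: pack {path: bytes} into a minimal ASAR blob."""
    body, tree = b"", {"files": {}}
    for path, data in files.items():
        node, parts = tree, path.split("/")
        for d in parts[:-1]:
            node = node["files"].setdefault(d, {"files": {}})
        node["files"][parts[-1]] = {"size": len(data), "offset": str(len(body))}
        body += data
    js = json.dumps(tree).encode()
    padded = js.ljust((len(js) + 3) & ~3, b"\0")
    header = struct.pack("<II", 4 + len(padded), len(js)) + padded
    return struct.pack("<II", 4, len(header)) + header + body

def parse_asar(blob):
    """Return (header dict, offset where the packed file data starts)."""
    header_size, = struct.unpack_from("<I", blob, 4)
    json_len, = struct.unpack_from("<I", blob, 12)
    return json.loads(blob[16:16 + json_len]), 8 + header_size

def file_hashes(blob):
    """Walk the header tree and SHA-256 every file packed in the archive."""
    header, base = parse_asar(blob)
    hashes = {}
    def walk(node, prefix):
        for name, entry in node["files"].items():
            if "files" in entry:                 # directory: recurse
                walk(entry, prefix + name + "/")
            elif "offset" in entry:              # 'unpacked' entries have no offset
                start = base + int(entry["offset"])
                data = blob[start:start + entry["size"]]
                hashes[prefix + name] = hashlib.sha256(data).hexdigest()
    walk(header, "")
    return hashes

def verify(blob, manifest):
    """Return the paths whose content differs from the pinned manifest or is missing."""
    actual = file_hashes(blob)
    return sorted(p for p in manifest if actual.get(p) != manifest[p])

# Constructed sample: a known-good archive, its pinned manifest, and a copy in
# which one file was swapped for different content of the same length.
ORIGINAL = build_asar({"main.js": b"require('./app')\n", "lib/app.js": b"// app\n"})
MANIFEST = file_hashes(ORIGINAL)
MODIFIED = build_asar({"main.js": b"require('./xyz')\n", "lib/app.js": b"// app\n"})
```

Because the archive is unsigned, the manifest must be obtained and checked from outside the app (the installer, the package manager, or an endpoint agent); a check shipped inside the ASAR itself can be edited away along with everything else.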