Concerns about security of electron apps

[ricardovsilva]

I don't know if this is the place to start a discussion about that. But I'm really concerned about the security of electron apps.
As I could see in some PRs, we have a lot of apps in the page of electron that are closed source. And the problem is with the ones that asks for credentials.
For example, I really loved the idea of Biscuit, from @agata , but I'm not convinced at all that I should use this one since no one really reviewed the code.
Let's me exemplify:

• The first time you run biscuit it redirects you to login with your google credentials:
  

And yes, I totally understand that the app needs to do that in order to provide the functionality purposed, BUT, how can I really know or have some kind of trust that the app is not getting any kind of data from me?

My suggestion is to not allow closed source apps that require user to input some kind of secret or that is a browser.

[Sanjit1]

I mean you are right about it, but I feel like it's on the user to care for the security.

[Toinane]

Maybe we can request the version of Electron, it would be a requirement to be accepted here. If the application uses a version below 7.0.0 of Electron, we can refuse it?

[ricardovsilva]

@Sanjit1 a lot of users does not have this kind of knowledge and can be lead to a pitfall to think that every app listed in this repo is safe because it is from electron org.

[ricardovsilva]

@Toinane how the version of Electron influence in the security related to review the code of the app itself? This is a honestly question, I really don't know. Can you, please, clarify?

[Toinane]

@ricardovsilva Because some old version of Electron use old version of Chromium or Node that can have exploit issues ou bugs. In general you should always use a recent and updated version of Electron. cf: electron security.

For example, if I see an open-source app that use 2.3.0 of Electron and (for the example) this version has an exploit issue of Chromium that enable me to get your password and this application need you to connect to your Google account, I'll refuse this application to be added until the developper update his application.

[ricardovsilva]

Another thing that we can do is to put some kind of warning that the app is not open source so security cannot be checked.

[vhashimotoo]

I'm accumulated needed count of mana for writing this answer, so let's figure something
This answer is written only by me and doesn't contain any corrections from other folks.

I would like to start the answer with that the closed-source apps that have required another credential for use are not only an Electron apps problem but can create with any other solution similar to Electron.

I understand that everyone sees in the Electron Apps page as the marketplace/(or and)promotional solution where every app is verified tested and fully secure, but that not even possible due to lack of free time and no resources to do that.

I do the standard check for the application and trust the developer what creates the application, out of dependency if them free-to-use or pay-to-use or open-source or closed-source, on that stage everyone is equal. For closed-source apps we require the evidence that is really using Electron, and not something other.

We can only do the review for apps by screenshots what's the developer is shared with us. If the application looks very suspiciously we don't add that app to our catalog. But that's not mean they not able to share in other places.

As I say before we are unable to know if the application contains any security holes or any other forms of security errors if you think the application what's listed on the Electron Apps page can take the credentials in the non-formal form (phishing or backdoor), you can contact with us using the email info+org@electronjs.org, and we start the investigation and if it's true we remove the app from the catalog.

However, you should be the same care on any sites where you leave your own credentials, that's it's the standard practice of security on the web.

My suggestion is to not allow closed source apps that require user to input some kind of secret or that is a browser.

It's a very big blocker for free distributing/promoting/sharing the app, and that creates the non-competitive environment for distribution app, as an example: "why open source app can be listed but closed-source no, it's not fair".

Also, that comment does not contain any solution what's should be done for a platform official app, like Slack, Discord, Twitch, or Microsoft Teams, what's also use the credentials window for authorizing users. Should be these apps also be removed as they closed-source and requires the credentials for use?

Another thing that we can do is to put some kind of warning that the app is not open source so security cannot be checked.

As I said before, I would like to stay the all apps in equal conditions regardless it's closed-source or open-source code.

I understand that you can think that answer means that we can't don't do anything with that problem, but currently, that should be discussed more for not create the non-competitive place for sharing or promoting apps.

[ricardovsilva]

@HashimotoYT loved your answer and your points are all valid at all!
And indeed, when we use slack, chrome or any others we "trust" that this company is not going to steal our credentials. But in fact nothing guarantee that. And I totally agree that we should not block other closed source projects also.

What do you think about add the source code link as a icon to the ones that are open source, so anyone can check it.
And if is closed-source just list without the octocat icon next to it.

To be honestly, I'm loving the direction that this thread is taking and I really appreciate the effort to give equals chances to big or small softwares

[vhashimotoo]

What do you think about add the source code link as a icon to the ones that are open source, so anyone can check it

However we already have this, you can open the application page and in the sidebar see the Repository field with link to source, if not it's application is closed-source and doesn't contain she.

For example you can check Kube Dev Dashboard app page, what's open source and contain the link to source code, and for closed-source example Discord page, him not contain link to source code.

I'm understant also that the GitHub repository can be used as a issue tracker, mini landing page, or use them for auto updating the app what's create the small confusion, but currently I'm not see in something bad for developers cannot use them.

I thinked about adding the something like issue-tracker-link where developer would add link to GitHub page, but that can create the confusing to developer what's they should include in this field.

[privatedev11]

The electron team could potentially add a feature that means the app has to be open source to be distributed. I know people would probably not do this and publish it elsewhere, but maybe a feature could be implemented that means the electron team can ban apps, and the creator would receive an email about it . Maybe there could be a feature where you have to provide a git repository link, and it has to be from a git site (e.g github or gitlab). If it is a different site that is unknown to the database of trusted git sites, then they can submit a form with the link to the new site. The developers can in turn review it and add it to the database if it is secure.

[ObaidQatan]

Rather than distributng the source code, popping up a "Login" window into the browser would way more reliable...just like we usually for authintication with Github, Heroku, etc. This will work for any sort of authintication that requires internet connection like Google account.