Closed
Description
Preflight Checklist
- I have read the Contributing Guidelines for this project.
- I agree to follow the Code of Conduct that this project adheres to.
- I have searched the issue tracker for a feature request that matches the one I want to file, without success.
Problem Description
Imagine there's an app built on Electron. Using flags and environment variables provided by Electron, it's possible to use this app to run any code, not only what was provided by the app developer. For example:
ELECTRON_RUN_AS_NODE=1 /Applications/Visual\ Studio\ Code.app/Contents/MacOS/Electron
Now my script can act as if it were Visual Studio Code.
This poses several security risks:
- any other app can use the identity of our app, for example, for:
- reading keychain items using node-keytar module or similar, which must be limited to only one app by design;
- hiding network activity behind our app and, since nowadays a lot of apps are built on Electron, this can be an easy way to bypass any firewall;
- running untrusted code as if it were code-signed; there's no need to sign the code, just find another Electron app, take its signed binary, create a launcher, and use it;
- it's very easy to run a modified/patched version of the app itself by running some script before the app has a chance to launch its first bit of code; app developers can't be sure that their app has not been modified, which effectively defeats the purpose of code signing. This can be used for:
- creating patches and cracks for Electron apps;
- building modified versions of the app with malicious purposes without redistributing a patched binary.
There may be other uses as well. Overall, this means developers don't have control over the code that is executed by the app signed and distributed under their name.
Proposed Solution
I would be happy to see a "hardened" build with these features disabled in production:
- NODE_OPTIONS
- ELECTRON_RUN_AS_NODE
- the possibility to provide a path to a script that will be executed first
The list may be incomplete and, if the feature is accepted, this should be reviewed by Electron team members, who have more knowledge about possible ways of changing the entry point.
Alternatives Considered
- build Electron from source with the mentioned flags disabled (there are build options for that): this is complicated and requires setting up CI, which is a bit hard for an average open-source project
- let the app decide if overriding the entry point is possible, for example, if the app is requested to run as node, the entry point must be a script in app resources, which can abort the execution or make another decision based on developer's needs.
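The second alternative above amounts to an entry-point guard: the app's first statement inspects how it was launched and aborts if an override is present. The following is an added example of such a guard, written for this page; it is not code from the issue author or from the Electron project. It takes `env` and `versions` as parameters (stand-ins for `process.env` and `process.versions`) so the logic can be tested with constructed inputs, and the `isPackaged` flag stands for Electron's `app.isPackaged`. The sample environments at the bottom are constructed for illustration.

```javascript
// Added example: an entry-point guard that detects the launch-time overrides the
// issue describes (ELECTRON_RUN_AS_NODE and code injected through NODE_OPTIONS).
// Caveat: it only helps when the app's own entry script actually runs. If
// ELECTRON_RUN_AS_NODE was used to start the binary as plain Node with a different
// script, this code is never loaded; that case needs the build-time fix the issue asks for.

// Node CLI options that let a caller load or inspect code before the app's own
// entry script executes (real Node option names).
const RISKY_NODE_OPTIONS = [
  '--require', '-r', '--import', '--loader', '--experimental-loader',
  '--inspect', '--inspect-brk',
];

// Split a NODE_OPTIONS string into tokens. Node honours double quotes here, so a
// quoted path containing spaces must stay one token.
function tokenizeNodeOptions(value) {
  const tokens = [];
  let current = '';
  let inQuotes = false;
  for (const ch of value) {
    if (ch === '"') { inQuotes = !inQuotes; continue; }
    if (ch === ' ' && !inQuotes) {
      if (current) { tokens.push(current); current = ''; }
      continue;
    }
    current += ch;
  }
  if (current) tokens.push(current);
  return tokens;
}

// Return a list of human-readable findings describing every override present.
// `env` is a plain object like process.env, `versions` like process.versions.
function auditLaunchEnvironment(env, versions) {
  const findings = [];
  if (env.ELECTRON_RUN_AS_NODE) {
    findings.push('ELECTRON_RUN_AS_NODE is set: binary was started as plain Node');
  }
  if (!versions.electron) {
    findings.push('process.versions.electron is missing: not running inside the Electron runtime');
  }
  if (env.NODE_OPTIONS) {
    const tokens = tokenizeNodeOptions(env.NODE_OPTIONS);
    for (let i = 0; i < tokens.length; i++) {
      const eq = tokens[i].indexOf('=');
      const name = eq === -1 ? tokens[i] : tokens[i].slice(0, eq);
      if (!RISKY_NODE_OPTIONS.includes(name)) continue;
      // Accept both "--require=path" and "--require path" spellings.
      let value = eq === -1 ? '' : tokens[i].slice(eq + 1);
      if (!value && i + 1 < tokens.length && !tokens[i + 1].startsWith('-')) value = tokens[++i];
      findings.push(`NODE_OPTIONS injects ${name}${value ? ' ' + value : ''}`);
    }
  }
  return findings;
}

// Policy: a packaged (production) build refuses to start when any override is
// present; a development build only reports the findings.
function shouldAbortLaunch(env, versions, isPackaged) {
  const findings = auditLaunchEnvironment(env, versions);
  return { abort: isPackaged && findings.length > 0, findings };
}

// Constructed sample inputs (not taken from the issue).
const cleanEnv = { PATH: '/usr/bin' };
const injectedEnv = {
  PATH: '/usr/bin',
  NODE_OPTIONS: '--require "/tmp/my preload.js" --max-old-space-size=4096',
};
const electronVersions = { node: '16.0.0', electron: '15.0.0' };

// Run the guard against the real process when executed directly; isPackaged is
// false here so it reports rather than exits.
console.log(shouldAbortLaunch(process.env, process.versions, false));
```

In a real app the guard would run as the first line of the main script with `app.isPackaged` as the third argument and call `process.exit(1)` when `abort` is true. The check only covers launches where the app's own code runs; the build-time equivalent of what this issue requests later shipped in Electron as "fuses" (the `@electron/fuses` package, with options such as `RunAsNode` and `EnableNodeOptionsEnvironmentVariable`), which disable these entry points in the binary itself.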