Reputation: 55
I have an Electron application packaged into an asar file. However, it's mentioned almost everywhere that there's no security at all for that format. Everyone can unpack it with npx asar extract app.asar destfolder and access the source code + resource files (certificates, images, audio, everything).
Which means technically a person can tamper with the code and resource files as much as they want and create fake builds with unwanted code.
So what are the best practices to check your application isn't tampered with? Also, where do you think I should store the private key and the public certificate (I need them to connect to my nodejs server).
Thank you :)
Upvotes: 4
Views: 5858
Reputation: 11
You can protect it with a native module.
Read this article for an example.
Upvotes: 1
Reputation: 91
The answer is code signing. For the definition of code signing, check Wikipedia (https://en.wikipedia.org/wiki/Code_signing). For the documentation on code signing in Electron, check this link: https://www.electronjs.org/docs/latest/tutorial/code-signing.
Second, for the additional question, what is the purpose of the private key, and the public certificate of whom? And why do you need those things to connect to the nodejs server?
If you want to protect the communication channel between the application and the server, use HTTPS.
Upvotes: 3
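The principle behind the code-signing answer, as an added example that is not part of the original posts: a manifest of file hashes is signed on the release machine, and the verifier needs only the public key to detect modified, missing or extra files. All names (buildManifest, signManifest, verifyFiles) and the sample files are constructed for illustration; Ed25519 is an assumed choice of algorithm.

```javascript
const crypto = require('node:crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Manifest {relativePath: sha256} with sorted keys so the signed bytes are stable.
function buildManifest(files) {
  const manifest = {};
  for (const name of Object.keys(files).sort()) manifest[name] = sha256(files[name]);
  return JSON.stringify(manifest);
}

// Build side: runs on the release machine, the only place the private key lives.
function signManifest(manifestJson, privateKey) {
  return crypto.sign(null, Buffer.from(manifestJson), privateKey);
}

// Verify side: needs only the public key. Returns findings; an empty list means clean.
function verifyFiles(files, manifestJson, signature, publicKey) {
  if (!crypto.verify(null, Buffer.from(manifestJson), publicKey, signature)) {
    return ['manifest signature invalid'];
  }
  const expected = JSON.parse(manifestJson);
  const findings = [];
  for (const [name, hash] of Object.entries(expected)) {
    if (!has(files, name)) findings.push(`missing: ${name}`);
    else if (sha256(files[name]) !== hash) findings.push(`modified: ${name}`);
  }
  for (const name of Object.keys(files)) {
    if (!has(expected, name)) findings.push(`unexpected: ${name}`);
  }
  return findings;
}

// Constructed sample data standing in for the files extracted from app.asar.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const shipped = {
  'main.js': Buffer.from('console.log("app")'),
  'logo.png': Buffer.from([1, 2, 3]),
};
const manifest = buildManifest(shipped);
const signature = signManifest(manifest, privateKey);
const tampered = { ...shipped, 'main.js': Buffer.from('console.log("changed")'), 'extra.js': Buffer.from('x') };

console.log(verifyFiles(shipped, manifest, signature, publicKey));
console.log(verifyFiles(tampered, manifest, signature, publicKey));
// A manifest regenerated from the tampered files fails: the old signature does not cover it.
console.log(verifyFiles(tampered, buildManifest(tampered), signature, publicKey));
```

A check like this that ships inside the package can be edited out along with the code it protects, which is why platform code signing performs the verification outside the application.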