Application made in Electron Framework are insecure?

Question

I am a beginner with Electron, I have good amount of experience with HTML/javascript and window desktop application development(win-forms and WPF). I loved js/HTML5 so much that I wish someone could come up one day with a framework where I can write js/HTML5 to create desktop applications. And now Electron is here.

From what I have read, Atom is one awesome product made using Electron Framework. I heard its good because it is HACKABLE. OK! no problem! Does it mean a desktop application made using Electron framework are insecure, anyone can decode it and use it against the user of my application.

I am asking this because am going to start developing a desktop application and considering Electron an option to develop in.

Also, packaging of the application will run in all three platforms? iOS, Win and Linux? I know I have to take care of the modules I importwhich can be platform specific (for example 'auto-updater')

Answer 1

An Electron app is no less secure than any other application hosted on a person's computer. If a nefarious individual gains access to your computer it really doesn't matter if your application is in Electron, WPF, or any other technology. They can find a way to use the application against the user. Furthermore, most code can be reverse engineered and vulnerabilities exploited. I don't think you have to worry about this. If it were that insecure companies like GitHub (who makes it), Microsoft, and Slack would avoid it.

That being said, if you want to attempt to hide information from the user Electron source code is a little easier to view as it isn't in binary form. You can, for example, go into the app folder for Visual Studio Code which is built on Electron and view/manipulate the source code. I am not sure if the license allows it, but you can do it. There are ways you can mitigate this. You can obfuscate the JavaScript and put it into an ASAR among other things.

I am not sure I understand your final question fully. Electron does indeed run on Windows, Mac (OSX not iOS), and Linux. A package can be downloaded and executed on all three assuming you have the correct modules. As for installation, Squirrel seems to be a popular choice. You're going to need to massage things for each platform. Check out how Visual Studio Code does it for each platform and I would recommend following suit.