I have an Electron application packaged into an asar file. However, it's mentioned almost everywhere that there's no security at all for that format. Everyone can unpack it with
npx asar extract app.asar destfolder
and access the source code + resource files (certificates, images, audio, everything).
Which means technically a person can tamper with the code and resources files as much as they want and create fake builds with unwanted code.
I want to protect my electron app from tampering by Linux users. Is there any way to do so?
Related
Is there any possibility to encrypt an ASAR package so that possibly malicious actors cannot reverse-engineer my application in virtually no time? So far, I have not found any information on this whatsoever.
In short: no.
Javascript cannot be complied or protected. If your Electron Application is on another computer the source code (or at lest the parts that do not lie on a server) are open to the user.
I have been searching the internet but I couldn't find an answer. I just want to find out if I could use the built HTML.
To make things clear. I created a vue-CLI project. I created a built HTML by running an npm run build.
Running the npm run build will create a dist folder with an index HTML, and its needed resources.
Now I would like to add this in electron. Is this possible?
If your project is client-side html only, then it is ready to go: just use one of the minimal Electron examples, and set your index.html as the start page.
If it is connecting to a back-end server (e.g. to access a database), it can still do that, but it means the application won't be able to run offline.
It is worth considering why you want an Electron app, instead of just having a web app. E.g. Are you hitting any security restrictions or other limitations of a web app, that a desktop app does not have? If not, packaging as an Electron app might just be effort spent on something that no-one wants or needs.
As you've built with vue-cli, it might be worth looking at Quasar Framework which is a wrapper for Vue that comes with Electron and Mobile targets ready to go. You don't actually have to use any of their UI components to get this.
I am building a HTML/JS/CSS application that I would like to distribute packaged either as a NW.js or Electron app. I am new to both, and have read that the packaged executables can be quite large. Since the application would be free, I find that the cost of distributing it from a CDN to be too high.
I was wondering if there was any installer that allowed the "standard" parts of the executable (the Chrome components, etc.) to be downloaded as a shared library from a free CDN, as part of the app's installation / first execution?
With either one, you could host the packages on Github using the "releases" feature, which is free. This is a common approach for a lot of open source Electron applications.
Here are some examples of this being done:
yoda
Caprine
Here is the official documentation on Github releases.
There is a module for Electron designed to make this easy called electron-gh-releases.
We outsourced the development of Blackberry 5, 6, and 7 apps. Please bare in mind that I have absolutely no knowledge of Blackberry development at all.
Development is complete, and they have sent us the source code - a collection of .cod, .csl, .cso, .debug, .jad and .rapc files.
I would at least like to review the code in terms of it's consistency and standards - somewhat a measure of the quality. Clean code is not something specific to any one platform.
I have tried to open each of these files in notepad, but with no source code found.
Please advise me on what I need before I go pay them a visit.
The files you have been given are the files that are created as part of the build of your project and the resultant executable files. There is no source included here.
In a BB OS Build, regardless of the development environment used, the Java source files will all have the suffix .java, and the assets (images etc.) will have a suffix appropriate to the asset (like .png). If you don't see these file suffixes, then you have not been given the actual source. You should be able to view the java files using Notepad, the other files will open in an appropriate application (like paint).
To get the complete source, you should just ask the full 'project' files for your development. This will be a directory with a number of sub directories. The actual names used and the structure will depend on the development tool. If your developer is using Eclipse, then the two important directories are called src for source and res (resources) for the assets. If they are using another development environment, then the directories might have different names. So you should ask them what development environment they are using too.
Two other points:
1) If you are paying for this development and wish to review the code, but are not familiar with Java, then I would recommend that you pay someone to review the code who has knowledge of BB Java. There are two reasons for this:
(a) you will not be able to form a judgement on the appropriateness of the code without some understanding of Java, and
(b) you will not understand if the correct BB Java approaches have been used.
You need to be cautious about this, because programmers will always find fault in other developer's code. The question is how significant the faults are.
2) Some developers might be wary of giving source to their client while some payment is outstanding.
I have an application I've been handed to test, and I'm — shall we say — less than impressed?
I believe the company that built the application for my client didn't build it as an iOS native application; my gut feel is they leveraged one of the multi-target platforms because that's what they're comfortable with. The application's usability is particularly poor, and it just doesn't behave the way an iOS application should.
How can I tell whether this application is native or built on some OS-agnostic platform? Any big give-aways that can tell me?
FWIW, the iPad is the only target platform for this device. It won't need to run anywhere else.
Are you saying that it doesn't have the look and feel of a regular iOS app? It's possible that it has been developed in AIR, HTML5, etc. I don't know if there is much way of doing this without jailbreaking the device.
You could, of course, ask around or post a screenshot and see what others think.
Get the binary out of the device, using softs like DiskAid (free for that part - no jailbreak required), and study it. You may get important infos through a disassembler, such as Hopper, which has support for ARM.
If you can't read assembly, study the application's resources. It may also give you some hints. Again, a software like DiskAid will allow that.
While "some OS-agnostic platform" is a bit broad, there is an easy way to tell if an app was made with PhoneGap, arguably one of the most popular OS-agnostic platforms.
Copy the .ipa file you've been sent (or find it on your filesystem
and copy it).
Rename the copy WhatEverTheAppNameIs.zip.
Extract the zipped folder and open it.
Open the folder named "Payload" (If it isn't already).
Right-click on BlahBlah.app and select "Show Package Contents".
Inspect the bundle.
Check for the presence of a www folder. If it's contents are sizable (compared with the packages contents in general) there's a good chance the whole app was made with PhoneGap.
It's also illuminating to click on the index.html file in the www folder just to see how much of the app runs in desktop Safari.
You may also discover other evidence of OS-agnostic platforms by examining the bundle further.