Electron and security

Hello!

I am very intrigued by the capabilities of Obsidian and it is great to see how fast the project evolves.

But as I am very picky about what apps I install on my devices, I feel a little bit queasy about Obsidian being an Electron app.

I have to admit that I am not a programmer and have no knowledge of programming or hacking. But after reading somewhere that Obsidian is an Electron app, I wondered what this means and started to read about Electron on the web. Of course it is nice to be able to develop the app for different OSes with ease.

But I found a lot of sites mentioning that an Electron app is a potential security risk simply by being, well, an Electron app…

https://arstechnica.com/information-technology/2019/08/skype-slack-other-electron-based-apps-can-be-easily-backdoored/

https://openfin.co/blog/is-electron-a-security-risk/

https://wojciechregula.blog/post/abusing-electron-apps-to-bypass-macos-security-controls/

https://www.theregister.com/2020/08/31/slack_app_electron_bug_squashed/

with this quote: *Asked about whether Electron apps can be secure, he said, “It’s not that it can’t be done. It can. But for a long time, Electron has had a bunch of insecure defaults.”*

*Developers who built their apps using Electron defaults, he said, generally don’t want to refactor their apps to make them secure because that’s a lot of work. “You can lock it down but no app does it that way,” he said.*

Only to name a few.

And this tweet:

https://twitter.com/justinschuh/status/1300089336944230400?s=20

May I ask whether my concerns are invalid and exaggerated in your eyes? What do you think of this? It would be great to read some thoughts from more seasoned programmers or security-conscious people here!

It would be especially great to hear from the dev team about the security measures they took.

Thank you very much!


Hi, I was also wondering the same thing, and it appears this post hasn’t been answered!

I’m really excited about using Obsidian; it could be such a game changer for me and looks amazing. But I’m also quite picky about what I install, so I was just wondering what Obsidian’s security is like with the above post/links in mind?

(I also have no programming or development experience, so sorry if this question comes across as silly! I looked through the whole security and plug-in thread, but I don’t think I saw anything related to Obsidian itself/Electron and the worries highlighted by burningchrome.)

Any advice would be greatly appreciated :slight_smile:

@moderators

Hey,

The fact that this question didn’t create much traction is perhaps the answer to the question…

Totally understand being picky about what to run (or not to run) on your laptop - and rightfully so!

Running an OS (which is needed) is as big a risk as using Electron to build your app upon.

That being said, why not use a sandboxed environment to try things out and monitor incoming and outgoing traffic?


Hey Rik,

Thank you for clearing that up for me!

I’m not too sure how to set up sandbox environments, but I think my mind is fairly settled now in terms of Obsidian being safe; I can’t wait to try it!

Also happy new year!

:slight_smile:

Because you can’t monitor the contents of HTTPS-encrypted traffic. You’ll see connections to obsidian.md at best, but have no idea if Obsidian connected there to check for an update, or to phone home your documents.

Pretty suspicious that nobody from the Obsidian team has pitched in yet.

If you’re concerned about security, don’t use a closed-source application. There are other side-by-side Markdown editors that are open source, and do focus on security. Laverna for example.
