Electron and security

Hello!

I am very intrigued by the capabilities of Obsidian and it is great to see how fast the project evolves.

But as I am very picky about what apps I install on my devices, I feel a little bit queasy about Obsidian being an Electron app.

I have to admit that I am not a programmer and I have no knowledge of programming or hacking. But after reading somewhere that Obsidian is an Electron app, I wondered what this means and I started to read about Electron on the web. Of course it is nice to be able to develop the app for different OSes with ease.

But I found a lot of sites mentioning that an Electron app is a potential security risk simply by being, well, an Electron app…

https://arstechnica.com/information-technology/2019/08/skype-slack-other-electron-based-apps-can-be-easily-backdoored/

https://openfin.co/blog/is-electron-a-security-risk/

https://wojciechregula.blog/post/abusing-electron-apps-to-bypass-macos-security-controls/

https://www.theregister.com/2020/08/31/slack_app_electron_bug_squashed/

with this quote:

*Asked about whether Electron apps can be secure, he said, “It’s not that it can’t be done. It can. But for a long time, Electron has had a bunch of insecure defaults.”*

*Developers who built their apps using Electron defaults, he said, generally don’t want to refactor their apps to make them secure because that’s a lot of work. “You can lock it down but no app does it that way,” he said.*

Only to name a few.

And this tweet:

https://twitter.com/justinschuh/status/1300089336944230400?s=20

May I ask if my concerns are not valid and exaggerated in your eyes? What do you think of this? It would be great to read some thoughts from more seasoned programmers or security-conscious people here!

It would be especially great to hear from the Dev Team about the security measures they took.

Thank you very much!
