Best practice to secure an Electron application
I have an Electron application packaged into an asar file. However, it's mentioned almost everywhere that there's no security at all for that format. Everyone can unpack it with
npx asar extract app.asar destfolder
and access the source code + resource files (certificates, images, audio, everything).
Which means technically a person can tamper with the code and resource files as much as they want and create fake builds with unwanted code.
So what are the best practices to check your application isn't tampered with? Also, where do you think I should store the private key and the public certificate (I need them to connect to my nodejs server).
Thank you :)
The answer is code signing. For the definition of code signing, check Wikipedia ( https://en.wikipedia.org/wiki/Code_signing ). For the documentation of code signing in Electron, check this link: https://www.electronjs.org/docs/tutorial/code-signing .
Second, for the additional question, what is the purpose of the private key, and the public certificate of who? And why do you need those things to connect to the nodejs server?
If you want to protect the communication channel between the application and the server, use HTTPS.
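The principle behind code signing, as an added example that is not part of the original answers and is not Electron's own signing mechanism: the build machine signs a manifest of file digests with a private key that never ships, and a verifier holding only the public key detects any edited or repacked file. The function names and the sample bytes are constructed for illustration; the check has to run somewhere the modified package cannot alter (the OS verifying a signed binary, an updater, a server), because a check stored inside the archive can be removed together with the tampering.

```javascript
// Added example: detached signature over a release manifest (Node.js built-in crypto only).
const crypto = require('node:crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// Build side: hash every shipped file and sign the manifest.
// The private key stays on the build machine and is never packaged.
function signRelease(files, privateKey) {
  const digests = {};
  for (const name of Object.keys(files).sort()) digests[name] = sha256(files[name]);
  const manifest = Buffer.from(JSON.stringify(digests));
  return { manifest, signature: crypto.sign(null, manifest, privateKey) };
}

// Verify side: check the signature first, then compare each file with the manifest.
// Returns a list of findings; an empty list means the files match what was signed.
function verifyRelease(files, manifest, signature, publicKey) {
  if (!crypto.verify(null, manifest, publicKey, signature)) {
    return ['manifest signature invalid'];
  }
  const digests = JSON.parse(manifest.toString());
  const findings = [];
  for (const [name, expected] of Object.entries(digests)) {
    if (!Object.hasOwn(files, name)) findings.push(`missing: ${name}`);
    else if (sha256(files[name]) !== expected) findings.push(`modified: ${name}`);
  }
  for (const name of Object.keys(files)) {
    if (!Object.hasOwn(digests, name)) findings.push(`unexpected: ${name}`);
  }
  return findings;
}

// Constructed sample data: stand-in bytes, not a real asar archive.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const shipped = { 'app.asar': Buffer.from('constructed archive bytes') };
  const { manifest, signature } = signRelease(shipped, privateKey);
  const clean = verifyRelease(shipped, manifest, signature, publicKey);
  const tampered = { 'app.asar': Buffer.from('constructed archive bytes + extra code') };
  const afterEdit = verifyRelease(tampered, manifest, signature, publicKey);
  // Rewriting the manifest to match the edited file does not help: it cannot be re-signed.
  const forged = Buffer.from(JSON.stringify({ 'app.asar': sha256(tampered['app.asar']) }));
  const afterForge = verifyRelease(tampered, forged, signature, publicKey);
  return { clean, afterEdit, afterForge };
}

console.log(demo());
```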
You can protect it with a native module. Read this article: https://www.codeproject.com/Articles/5352143/Protecting-Electron-Based-Applications-by-Using-a