堆栈内存溢出
  简体   繁体   English

保护 Electron 应用程序的最佳实践

[英]Best practice to secure an Electron application

 原文  2020-06-03 01:51:34       javascript/ node.js/ security/ electron/ electron-builder

问题描述

I have an Electron application packaged into an asar file.我有一个 Electron 应用程序打包到一个 asar 文件中。 However, it's mentioned almost everywhere that there's no security at all for that format.但是,几乎到处都提到该格式根本没有安全性。 Everyone can unpack it with npx asar extract app.asar destfolder and access the source code + resources files (certificates, images, audio, everything).每个人都可以npx asar extract app.asar destfolder并访问源代码+资源文件(证书、图像、音频等)。

Which means technically a person can tamper with the code and resources files as much as they want and create fake builds with unwanted code.这意味着从技术上讲,一个人可以随心所欲地篡改代码和资源文件,并使用不需要的代码创建虚假构建。

So what are the best practices to check your application isn't tampered with?那么检查您的应用程序未被篡改的最佳实践是什么? Also, where do you think i should store the private key and the public certificate (i need them to connect to my nodejs server).另外,你认为我应该在哪里存储私钥和公共证书(我需要它们连接到我的 nodejs 服务器)。

Thank you:)谢谢:)

2 个解决方案

解决方案1
 1 已采纳  2020-06-03 07:38:54

The answer is code signing.答案是代码签名。 For the definition of code signing, check the Wikipedia ( https://en.wikipedia.org/wiki/Code_signing ).有关代码签名的定义,请查看 Wikipedia ( https://en.wikipedia.org/wiki/Code_signing )。 For the documentation of the code signing in Electron, check this link https://www.electronjs.org/docs/tutorial/code-signing .有关 Electron 中代码签名的文档,请查看此链接https://www.electronjs.org/docs/tutorial/code-signing

Second, for the additional question, what is the purpose of the private key, and the public certificate of who?其次,对于附加问题,私钥的目的是什么,以及谁的公共证书? And why are you need those things to connect the nodejs server?为什么你需要这些东西来连接 nodejs 服务器?

If you want to protect the communication channel between the application and the server, use HTTPS.如果要保护应用程序和服务器之间的通信通道,请使用 HTTPS。

解决方案2
 0  2023-01-19 20:34:25

You can protect it by native module, Read this article: https://www.codeproject.com/Articles/5352143/Protecting-Electron-Based-Applications-by-Using-a你可以通过原生模块保护它,阅读这篇文章: https://www.codeproject.com/Articles/5352143/Protecting-Electron-Based-Applications-by-Using-a

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如果用户操纵表单ID,则最好的方法是保护它或阻止它? - If user manipulates the form id what is the best practice to secure it or stop this? 使用 node-red-admin 保护 Node-Red electron 应用程序 - Secure Node-Red electron application with node-red-admin 最佳实践 - Electron - 为每个版本有效地切换平台以发布 electron 应用程序? - Best Practice - Electron - Efficiently switch platforms to publish electron app for each release? 在网络聊天应用程序中存储数据的最佳实践 - Best practice for storing data in web chat application Javascript在Rails应用程序中包含标记最佳实践 - Javascript Include Tag Best Practice in a Rails Application .net Web 应用程序的 Javascript 最佳实践 - Javascript best practice with .net Web Application 通过Web应用程序下载文件[最佳做法] - Downloading a file through web application [best practice] 节点的常见日志记录,快速应用 - 最佳实践? - Common logging for node, express application — best practice? 基于 php 条件禁用 html 链接或按钮的安全方法或最佳实践是什么? - What is a secure way or best practice to disable an html link or button based on php conditions? 安全用户认证脚本 electron - secure user authentication script electron
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM