We recently announced that Finsemble, our desktop integration platform, supports Electron as the base layer of its tech stack.
Ensuring that Finsemble on Electron achieved impeccable security standards took substantial effort. For Electron developers or information professionals evaluating Finsemble, this blog post explains our security methodology step-by-step.
What is Electron?
Electron allows web apps to be installed on the desktop rather than displayed in a browser. Hence, it is sometimes called “container” technology.
It’s likely that the majority of icons that live on your desktop are actually Electron apps. Slack, Spotify, Skype, and thousands of other applications use Electron to gain desktop real estate. Electron is vibrant, free, and open-source. It is also becoming quietly ubiquitous (read more in this article).
Electron allows us to build desktop technology using modern web development techniques. However, when building on the desktop we must ensure our application’s security meets or surpasses the web’s rigorous security standards.
What is the concern?
In general, web browsers provide strong security nets. This is because browsers are restrictive, limiting everything except that which you explicitly allow. The browser’s “sandbox” isolates web content from your operating system. A web application does not have the ability to read/write files on your machine because the browser is protecting your desktop.
Electron is not a browser and doesn’t follow the same rules. Electron is permissive. It allows everything except what you explicitly restrict. Desktop applications are generally allowed to read your files or run native code. While this allows for a feature-rich user experience, it also introduces security concerns.
The main security concerns center around third-party content. When an Electron app allows web content to be loaded that originates from outside of an organization, care must be taken to ensure that this third-party content cannot become a bad actor either accidentally or intentionally.
How do we secure Finsemble?
Our security approach begins with a small Electron application we call the Secure Electron Adapter (which is now a FINOS-hosted open-source project). SEA bootstraps Finsemble, launches its desktop services, and displays Finsemble’s assets.
Secure Electron Adapter:
- Implements the Electron community’s security recommendations
- Firewalls the Electron API
- Provides a permissioning API and security profiles
Implement security recommendations
Secure Electron Adapter implements Electron’s extensive security recommendations. Crucially, it ensures that for every Finsemble application, sandboxing is turned on and node integration is turned off.
With sandboxing enabled, code run under SEA behaves exactly as it would in a web browser. It cannot make changes to the machine or access confidential information, except in the specific ways that you define in your Content Security Policy. The Content Security Policy declares the behavior your application is expected to perform and provides the appropriate channels for those actions. For example, if your application needs to display pop-up notifications, these must be explicitly allowed.
Sandboxing is important because it limits unsafe interactions between the application and the user’s machine.
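As an added illustration of the settings this section describes, here is Electron main-process code written for this post (it is not Finsemble's or Secure Electron Adapter's code). It builds the hardened `webPreferences` (sandbox on, Node integration off), audits any `webPreferences` object for weak settings, and attaches a restrictive Content-Security-Policy header to every response. The audit also checks `contextIsolation` and `webSecurity`, which Electron's own recommendations cover alongside the two settings named above. The origin `https://app.example`, the preload path and all helper names are assumptions of this example.

```javascript
// Added example, not Finsemble or Secure Electron Adapter code: the BrowserWindow
// settings this section describes (sandbox on, nodeIntegration off), an audit helper
// that flags weak settings, and a restrictive Content-Security-Policy. Electron is
// loaded only when available, so the helpers also run under plain Node.js.

// Hardened webPreferences for a window that will display web content.
function secureWebPreferences(preloadPath) {
  return {
    sandbox: true,            // renderer is confined like a browser tab
    nodeIntegration: false,   // no require()/process objects in page script
    contextIsolation: true,   // preload script and page script use separate JS worlds
    webSecurity: true,        // keep the same-origin policy enforced
    preload: preloadPath,     // the only bridge to privileged code (path is a placeholder)
  };
}

// Review helper: return the findings a security reviewer would raise for a
// webPreferences object. An empty array means no weak setting was found.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.sandbox !== true) findings.push('sandbox is not enabled');
  if (prefs.nodeIntegration === true) findings.push('nodeIntegration is enabled');
  if (prefs.contextIsolation === false) findings.push('contextIsolation is disabled');
  if (prefs.webSecurity === false) findings.push('webSecurity is disabled');
  if (prefs.allowRunningInsecureContent === true) findings.push('allowRunningInsecureContent is enabled');
  return findings;
}

// Build a CSP that only permits resources from the origin serving the app's assets.
function contentSecurityPolicy(appOrigin) {
  return [
    `default-src ${appOrigin}`,
    `script-src ${appOrigin}`,
    `connect-src ${appOrigin}`,
    "object-src 'none'",
    "base-uri 'none'",
    "frame-ancestors 'none'",
  ].join('; ');
}

let electron = null;
try { electron = require('electron'); } catch (err) { /* not running inside Electron */ }

// Create a window with the hardened settings and attach the CSP to every response.
function createSecureWindow(appOrigin, preloadPath) {
  const { BrowserWindow, session } = electron;
  session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
    callback({
      responseHeaders: {
        ...details.responseHeaders,
        'Content-Security-Policy': [contentSecurityPolicy(appOrigin)],
      },
    });
  });
  const prefs = secureWebPreferences(preloadPath);
  // Fail closed: never launch a window whose settings would not pass the audit.
  if (auditWebPreferences(prefs).length > 0) {
    throw new Error('refusing to launch with weak webPreferences');
  }
  const win = new BrowserWindow({ webPreferences: prefs });
  win.loadURL(`${appOrigin}/index.html`);
  return win;
}

// Only wire up Electron when the script is run by Electron itself.
// 'https://app.example' and the preload path are placeholders.
if (electron && electron.app) {
  electron.app.whenReady().then(() =>
    createSecureWindow('https://app.example', `${__dirname}/preload.js`));
}

module.exports = { secureWebPreferences, auditWebPreferences, contentSecurityPolicy, createSecureWindow };
```

Running `auditWebPreferences` on every window's settings at startup, rather than trusting that each call site remembered the right flags, is the check that turns Electron's recommendations into something enforced.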
Firewall the Electron API
Secure Electron Adapter goes a step beyond the Electron community’s recommendations by “wrapping” the Electron API as a security layer. This means that windows launched by Secure Electron Adapter cannot directly access the Electron API. Instead, they access a secure API exposed by Secure Electron Adapter which then serves as an intermediation layer.
Intermediation means that a message broker routes, translates, and evaluates messages. It provides an additional chokepoint for security purposes. Without an intermediation layer, a web app launched in one window would be able to make API calls directly to web apps in other windows.
By firewalling the Electron API, windows send messaging calls to Secure Electron Adapter instead of directly to each other. This architecture ensures that windows are insulated from each other, communicating only through well-defined, intermediated messaging APIs.
Firewalling the Electron API is important because it limits unsafe interactions between windows.
Permissions and security profiles
At the same time, we don’t want to limit developers by completely denying them access to Electron’s capabilities. To this end, we provide the Permissions API to enable access to parts of the Electron API by way of Secure Electron Adapter.
Secure Electron Adapter’s Permissions API gives developers granular control over how applications employ Electron’s powers. For example, applications can be given the optional abilities to preload content, open windows, respond to Electron events, and much more.
To make this manageable, we provide the ability to set up security profiles. Security profiles are the logical grouping of permissions. Applications or services can be given “trusted”, “untrusted” or custom security profiles. A developer defines which permissions are in a security profile.
Permissions are important because they provide Electron capabilities in a safe way.
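The intermediation layer from the "Firewall the Electron API" section and the security profiles from this section, as one added example that is not Secure Electron Adapter's code: a small main-process broker that every window call passes through. The broker looks up the caller's security profile, denies any action the profile does not grant, and delivers messages between windows as translated envelopes stamped with the verified sender, so windows never hold a handle to each other. The permission names (`openWindow`, `preloadContent`, `subscribeEvents`, `sendToWindow`), the `trusted` and `untrusted` profile contents, and the rule that a window may only open windows with no more permissions than its own are assumptions of this example.

```javascript
// Added example, not Secure Electron Adapter's code: a main-process broker that
// firewalls the Electron API behind security profiles. Permission names, profile
// contents and the no-escalation rule are this example's own assumptions.

// Security profiles: a logical grouping of permissions, looked up by name.
const SECURITY_PROFILES = {
  trusted:   new Set(['openWindow', 'preloadContent', 'subscribeEvents', 'sendToWindow']),
  untrusted: new Set(['openWindow', 'sendToWindow']),
};

class Broker {
  constructor(profiles = SECURITY_PROFILES) {
    this.profiles = { ...profiles };   // copy so custom profiles stay per-broker
    this.windows = new Map();          // windowId -> { origin, profile, deliver }
    this.log = [];                     // audit trail of every call, allowed or denied
    this.nextId = 0;
  }

  // A developer defines which permissions make up a custom profile.
  defineProfile(name, permissions) {
    this.profiles[name] = new Set(permissions);
  }

  // Register a window with the profile assigned when it was launched.
  // `deliver` stands in for the IPC channel the real adapter would use.
  register(windowId, origin, profile, deliver) {
    if (!this.profiles[profile]) throw new Error(`unknown security profile: ${profile}`);
    this.windows.set(windowId, { origin, profile, deliver });
  }

  // The single chokepoint: every renderer request is evaluated here first.
  handle(fromId, request) {
    const entry = { from: fromId, action: request && request.action, allowed: false };
    this.log.push(entry);
    const sender = this.windows.get(fromId);
    if (!sender) return { ok: false, error: 'unregistered sender' };
    if (typeof request !== 'object' || typeof request.action !== 'string') {
      return { ok: false, error: 'malformed request' };
    }
    const permitted = this.profiles[sender.profile];
    if (!permitted.has(request.action)) {
      return { ok: false, error: `permission denied: ${request.action}` };
    }
    entry.allowed = true;
    return this.dispatch(fromId, sender, permitted, request);
  }

  // Route and translate an already-authorized request.
  dispatch(fromId, sender, permitted, request) {
    switch (request.action) {
      case 'sendToWindow': {
        const target = this.windows.get(request.to);
        if (!target) return { ok: false, error: 'no such window' };
        // The receiver gets a broker-built envelope, never the sender's own object,
        // so the sender identity and origin cannot be forged by page script.
        target.deliver({ from: fromId, fromOrigin: sender.origin, payload: request.payload });
        return { ok: true };
      }
      case 'openWindow': {
        // No escalation: a spawned window may only receive a profile whose
        // permissions are a subset of the caller's.
        const wanted = this.profiles[request.profile];
        if (!wanted) return { ok: false, error: `unknown security profile: ${request.profile}` };
        for (const p of wanted) {
          if (!permitted.has(p)) return { ok: false, error: `cannot escalate to ${request.profile}` };
        }
        const childId = `child-${++this.nextId}`;
        this.register(childId, request.origin, request.profile, () => {});
        return { ok: true, windowId: childId };
      }
      default:
        return { ok: false, error: `no handler for ${request.action}` };
    }
  }
}

// Constructed walkthrough: one trusted internal window, one untrusted third-party window.
function demo() {
  const broker = new Broker();
  const inbox = [];
  broker.register('win-1', 'https://internal.example', 'trusted', () => {});
  broker.register('win-2', 'https://thirdparty.example', 'untrusted', (m) => inbox.push(m));
  return {
    msg: broker.handle('win-1', { action: 'sendToWindow', to: 'win-2', payload: 'hello' }),
    denied: broker.handle('win-2', { action: 'preloadContent', url: 'https://thirdparty.example/x.js' }),
    escalate: broker.handle('win-2', { action: 'openWindow', profile: 'trusted', origin: 'https://thirdparty.example' }),
    spawn: broker.handle('win-1', { action: 'openWindow', profile: 'untrusted', origin: 'https://internal.example' }),
    unregistered: broker.handle('win-9', { action: 'sendToWindow', to: 'win-1' }),
    inbox,
    log: broker.log,
  };
}

module.exports = { SECURITY_PROFILES, Broker, demo };
```

The `log` array is the detection side of this design: because every call crosses the broker, a denied `preloadContent` or a refused escalation from an untrusted window is recorded in one place rather than lost inside the window that attempted it.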
Should I use Electron for my desktop applications?
If you have a single-page web application and you’re careful to observe the appropriate security practices, Electron is a powerful tool that brings your web app to the desktop.
However, Electron is primarily designed for single-page apps with trusted content. Finsemble supercharges your application by adding the security and architecture necessary to build multi-window, multi-monitor, mixed-content applications. If you’re looking to assemble a workstation composed of a multitude of windows and widgets, Finsemble is the solution of choice for both speed and security.