2021-12-03 17:49:10 -05:00
<!--
2021-12-06 06:03:10 -05:00
Title: How to audit source code of proprietary Electron app
Description: Learn how to audit source code of proprietary Electron app.
2021-12-03 17:49:10 -05:00
Author: Sun Knudsen < https: / / github . com / sunknudsen >
Contributors: Sun Knudsen < https: / / github . com / sunknudsen >
Reviewers:
Publication date: 2021-12-03T19:50:28.298Z
Listed: true
-->
2021-12-06 06:03:10 -05:00
# How to audit source code of proprietary Electron app
[](https://www.youtube.com/watch?v=s4S7qgCkVCc "How to audit source code of proprietary Electron app")
2021-12-03 17:49:10 -05:00
## Requirements
2022-04-27 09:30:49 -04:00
- Computer running macOS Big Sur or Monterey or disposable [Tails USB flash drive or SD card ](../how-to-install-tails-on-usb-flash-drive-or-sd-card )
2021-12-03 17:49:10 -05:00
## Caveats
- When copy/pasting commands that start with `$` , strip out `$` as this character is not part of the command
## macOS guide
### Step 1: install [Homebrew](https://brew.sh/)
```console
$ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
$ uname -m | grep arm64 & & echo 'export PATH=$PATH:/opt/homebrew/bin' >> ~/.zshrc & & source ~/.zshrc
```
### Step 2: disable Homebrew analytics
```shell
brew analytics off
```
### Step 3: install dependencies
```shell
brew install node tree
```
### Step 4: extract source code
> Heads-up: replace `QR\ Bridge.app` with Electron app one wishes to audit.
```console
$ npx asar extract /Applications/QR\ Bridge.app/Contents/Resources/app.asar ~/Desktop/source
npx: installed 17 in 6.041s
```
### Step 5 (optional): list files
```console
$ tree ~/Desktop/source -I node_modules
/Users/sunknudsen/Desktop/source
├── LICENSE
├── README.md
├── app
│ ├── confirmation.wav
│ ├── index.html
│ ├── preload.js
│ ├── renderer.js
│ └── style.css
├── icon.ai
├── main.js
├── package.json
└── qr-bridge.code-workspace
1 directory, 11 files
```
### Step 6: audit app
> Heads-up: `code` is a command line utility that opens file or folder in [Visual Studio Code](https://code.visualstudio.com/).
> Heads-up: **please respect license**… being able to audit app does not mean app (including its source code) should be considered public domain.
```shell
code ~/Desktop/source
```
### Step 7: check if app calls home
Use application-layer firewall such as [Little Snitch ](https://www.obdev.at/products/littlesnitch/index.html ) or [Lulu ](https://objective-see.com/products/lulu.html ).
👍
2022-03-21 10:05:48 -04:00
## Tails guide
2021-12-03 17:49:10 -05:00
### Step 1: boot to Tails and set admin password (required to run commands using `sudo`)
> Heads-up: if keyboard layout of computer isn’
2022-02-18 10:41:53 -05:00
Click “+” under “Additional Settings”, then “Administration Password”, set password, click “Add” and, finally, click “Start Tails”.
2021-12-03 17:49:10 -05:00
### Step 2: import [Node.js](https://nodejs.org/en/)’
```shell
torsocks curl -fsSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | gpg --dearmor | sudo tee /usr/share/keyrings/nodesource.gpg > /dev/null
```
### Step 3: enable Node.js’
2022-03-02 07:06:05 -05:00
> Heads-up: run `cat /etc/debian_version` to find Debian version.
2021-12-03 17:49:10 -05:00
#### Debian 10 (buster)
```console
$ echo -e "deb [signed-by=/usr/share/keyrings/nodesource.gpg] tor+https://deb.nodesource.com/node_16.x buster main\ndeb-src [signed-by=/usr/share/keyrings/nodesource.gpg] tor+https://deb.nodesource.com/node_16.x buster main" | sudo tee /etc/apt/sources.list.d/nodesource.list > /dev/null
$ sudo apt update
```
#### Debian 11 (bullseye)
```console
$ echo -e "deb [signed-by=/usr/share/keyrings/nodesource.gpg] tor+https://deb.nodesource.com/node_16.x bullseye main\ndeb-src [signed-by=/usr/share/keyrings/nodesource.gpg] tor+https://deb.nodesource.com/node_16.x bullseye main" | sudo tee /etc/apt/sources.list.d/nodesource.list > /dev/null
$ sudo apt update
```
### Step 4: find Node.js version
```console
$ sudo apt-cache madison nodejs
nodejs | 16.13.1-deb-1nodesource1 | tor+https://deb.nodesource.com/node_16.x buster/main amd64 Packages
nodejs | 12.22.7~dfsg-2 | tor+https://cdn-fastly.deb.debian.org/debian sid/main amd64 Packages
nodejs | 12.22.5~dfsg-2~11u1 | tor+https://cdn-fastly.deb.debian.org/debian bullseye/main amd64 Packages
nodejs | 10.24.0~dfsg-1~deb10u1 | tor+https://cdn-fastly.deb.debian.org/debian buster/main amd64 Packages
nodejs | 10.24.0~dfsg-1~deb10u1 | tor+https://cdn-fastly.deb.debian.org/debian-security buster/updates/main amd64 Packages
```
### Step 5: install dependencies
> Heads-up: replace `nodejs=16.13.1-deb-1nodesource1` with version found at [step 4](#step-4-find-nodejs-version).
```shell
sudo apt install -y nodejs=16.13.1-deb-1nodesource1 tree
```
### Step 6: extract “resources” directory from AppImage
> Heads-up: replace `qr-bridge.AppImage` with Electron app one wishes to audit.
```console
$ ./qr-bridge.AppImage --appimage-extract resources
squashfs-root/resources
squashfs-root/resources/app-update.yml
squashfs-root/resources/app.asar
```
### Step 7: extract source code
> Heads-up: ignore torsocks warnings (if present).
```console
$ torsocks npx asar extract squashfs-root/resources/app.asar ~/Desktop/source
Need to install the following packages:
asar
Ok to proceed? (y) y
```
### Step 8 (optional): list files
```console
$ tree ~/Desktop/source -I node_modules
/home/amnesia/Desktop/source
├── app
│ ├── confirmation.wav
│ ├── index.html
│ ├── preload.js
│ ├── renderer.js
│ └── style.css
├── icon.ai
├── LICENSE
├── main.js
├── package.json
├── qr-bridge.code-workspace
└── README.md
1 directory, 11 files
```
### Step 9: audit app
> Heads-up: **please respect license**… being able to audit app does not mean app (including its source code) should be considered public domain.
Audit source code using “Text Editor”.
👍
