How to audit source code of proprietary Electron app
Requirements
- Computer running macOS Big Sur or Monterey or disposable Tails USB flash drive or SD card
Caveats
- When copy/pasting commands that start with
$, strip out$as this character is not part of the command
macOS guide
Step 1: install Homebrew
$ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
$ uname -m | grep arm64 && echo 'export PATH=$PATH:/opt/homebrew/bin' >> ~/.zshrc && source ~/.zshrc
Step 2: disable Homebrew analytics
brew analytics off
Step 3: install dependencies
brew install node tree
Step 4: extract source code
Heads-up: replace
QR\ Bridge.appwith Electron app one wishes to audit.
$ npx asar extract /Applications/QR\ Bridge.app/Contents/Resources/app.asar ~/Desktop/source
npx: installed 17 in 6.041s
Step 5 (optional): list files
$ tree ~/Desktop/source -I node_modules
/Users/sunknudsen/Desktop/source
├── LICENSE
├── README.md
├── app
│ ├── confirmation.wav
│ ├── index.html
│ ├── preload.js
│ ├── renderer.js
│ └── style.css
├── icon.ai
├── main.js
├── package.json
└── qr-bridge.code-workspace
1 directory, 11 files
Step 6: audit app
Heads-up:
codeis a command line utility that opens file or folder in Visual Studio Code.
Heads-up: please respect license… being able to audit app does not mean app (including its source code) should be considered public domain.
code ~/Desktop/source
Step 7: check if app calls home
Use application-layer firewall such as Little Snitch or Lulu.
👍
Tails guide
Step 1: boot to Tails and set admin password (required to run commands using sudo)
Heads-up: if keyboard layout of computer isn’t “English (US)”, set “Keyboard Layout”.
Click “+” under “Additional Settings”, then “Administration Password”, set password, click “Add” and, finally, click “Start Tails”.
Step 2: import Node.js’s PGP public key
torsocks curl -fsSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | gpg --dearmor | sudo tee /usr/share/keyrings/nodesource.gpg > /dev/null
Step 3: enable Node.js’s repository
Heads-up: run
cat /etc/debian_versionto find Debian version.
Debian 10 (buster)
$ echo -e "deb [signed-by=/usr/share/keyrings/nodesource.gpg] tor+https://deb.nodesource.com/node_16.x buster main\ndeb-src [signed-by=/usr/share/keyrings/nodesource.gpg] tor+https://deb.nodesource.com/node_16.x buster main" | sudo tee /etc/apt/sources.list.d/nodesource.list > /dev/null
$ sudo apt update
Debian 11 (bullseye)
$ echo -e "deb [signed-by=/usr/share/keyrings/nodesource.gpg] tor+https://deb.nodesource.com/node_16.x bullseye main\ndeb-src [signed-by=/usr/share/keyrings/nodesource.gpg] tor+https://deb.nodesource.com/node_16.x bullseye main" | sudo tee /etc/apt/sources.list.d/nodesource.list > /dev/null
$ sudo apt update
Step 4: find Node.js version
$ sudo apt-cache madison nodejs
nodejs | 16.13.1-deb-1nodesource1 | tor+https://deb.nodesource.com/node_16.x buster/main amd64 Packages
nodejs | 12.22.7~dfsg-2 | tor+https://cdn-fastly.deb.debian.org/debian sid/main amd64 Packages
nodejs | 12.22.5~dfsg-2~11u1 | tor+https://cdn-fastly.deb.debian.org/debian bullseye/main amd64 Packages
nodejs | 10.24.0~dfsg-1~deb10u1 | tor+https://cdn-fastly.deb.debian.org/debian buster/main amd64 Packages
nodejs | 10.24.0~dfsg-1~deb10u1 | tor+https://cdn-fastly.deb.debian.org/debian-security buster/updates/main amd64 Packages
Step 5: install dependencies
Heads-up: replace
nodejs=16.13.1-deb-1nodesource1with version found at step 4.
sudo apt install -y nodejs=16.13.1-deb-1nodesource1 tree
Step 6: extract “resources” directory from AppImage
Heads-up: replace
qr-bridge.AppImagewith Electron app one wishes to audit.
$ ./qr-bridge.AppImage --appimage-extract resources
squashfs-root/resources
squashfs-root/resources/app-update.yml
squashfs-root/resources/app.asar
Step 7: extract source code
Heads-up: ignore torsocks warnings (if present).
$ torsocks npx asar extract squashfs-root/resources/app.asar ~/Desktop/source
Need to install the following packages:
asar
Ok to proceed? (y) y
Step 8 (optional): list files
$ tree ~/Desktop/source -I node_modules
/home/amnesia/Desktop/source
├── app
│ ├── confirmation.wav
│ ├── index.html
│ ├── preload.js
│ ├── renderer.js
│ └── style.css
├── icon.ai
├── LICENSE
├── main.js
├── package.json
├── qr-bridge.code-workspace
└── README.md
1 directory, 11 files
Step 9: audit app
Heads-up: please respect license… being able to audit app does not mean app (including its source code) should be considered public domain.
Audit source code using “Text Editor”.
👍