How to harden your Electron app

Retour à la liste des conférenciers et sessions
Écoutez la diffusion
Let’s be honest — when you decided to build an Electron app, it wasn’t because of the framework’s stellar reputation for security. Like so many developers before you, you weighed your options and made a practical choice. But now you have to make the best of it and protect your users and their data. Hardening your Electron app is not straightforward, but it is also not impossible. Through a combination of threat modelling, careful separation of concerns, and simply reading the docs, you can achieve the security goals for your app. This talk is about how we built a secure password manager in a framework that’s infamous for being insecure. We’ll look at how the security model for our Electron-based frontend for 1Password, what pitfalls we encountered along the way, and how you can apply what we’ve learned to your own projects. We’ll also reveal our hardened Electron starter kit and invite you to see how it works — and try to break it.

Electron and web apps may never be the first choice for security-conscious developers, but they are an industry reality. We recently faced this dilemma at 1Password when we set out to build the new Linux desktop client for our flagship password manager.

Compromising on security was not an option. At the same time, building a web app was the only practical option. Undeterred, we set out to harden Electron to meet our unique client-side requirements.

I am not going to pretend we made it all the way — no software framework ever will. But we did end up with an app we are proud to call 1Password, and to entrust with our user’s most sensitive data.

I hope to share what we learned so that others in a similar situation will have an easier time. At the same time, I invite the community to see what we’ve built and look at what we’ve gotten right — or wrong.