add kaspersky link about electron apps

This commit is contained in:
fria 2024-11-23 20:39:13 -06:00 committed by GitHub
parent ebd9ec1753
commit 89e2d75d83
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -14,7 +14,7 @@ license: BY-SA
The concept of a [Progressive Web App](https://developer.mozilla.org/en-US/docs/Web/Progressive_web_apps) is enticing: an app using web technologies thats inherently cross platform (since it runs in a browser) and acts like a native app, even functioning offline. Support for PWAs in traditionally locked-down platforms like iOS means that PWAs can give users the freedom to install apps without having to go through Apples App Store.<!-- more --> The concept of a [Progressive Web App](https://developer.mozilla.org/en-US/docs/Web/Progressive_web_apps) is enticing: an app using web technologies thats inherently cross platform (since it runs in a browser) and acts like a native app, even functioning offline. Support for PWAs in traditionally locked-down platforms like iOS means that PWAs can give users the freedom to install apps without having to go through Apples App Store.<!-- more -->
Attempts at similar things have been made before, notably the infamous [Electron](https://www.electronjs.org) allows developers to easily create cross-platform apps by essentially bundling the browser in with the app. This approach has its drawbacks, though. Browsers have huge attack surface so it's important to keep them updated, but many Electron apps ship outdated versions, leaving those apps vulnerable. PWAs use the browser that you already have installed, so as long as you keep it updated all your apps will have all the latest security fixes. Attempts at similar things have been made before, notably the infamous [Electron](https://www.electronjs.org) allows developers to easily create cross-platform apps by essentially bundling the browser in with the app. This approach has its [drawbacks](https://usa.kaspersky.com/blog/electron-framework-security-issues/28952/?srsltid=AfmBOor_UcYY-84soHz5K2ULTmhlX44-DsIfJp_StotBrusD63MweSGO), though. Browsers have huge attack surface so it's important to keep them updated, but many Electron apps ship outdated versions, leaving those apps vulnerable. PWAs use the browser that you already have installed, so as long as you keep it updated all your apps will have all the latest security fixes.
So why isn't every app shipping as a PWA? The answer is an age old problem with web content: the fact that you have to trust the server every time you use it. You make an HTML GET request and you're served the content, but if the server is compromised, you'll be served a compromised website. This is a huge problem for security-sensitive applications like messengers. An attacker that gains access to their server even just temporarily, could distribute compromised clients to millions of people, potentially breaking E2EE or any other number of malicious actions. So why isn't every app shipping as a PWA? The answer is an age old problem with web content: the fact that you have to trust the server every time you use it. You make an HTML GET request and you're served the content, but if the server is compromised, you'll be served a compromised website. This is a huge problem for security-sensitive applications like messengers. An attacker that gains access to their server even just temporarily, could distribute compromised clients to millions of people, potentially breaking E2EE or any other number of malicious actions.