Cracking Electron: Why Electron is not secure for paid macos apps
Disclaimer: This article is for educational purposes only. Please do not use this for malicious intent. Don't use for illegal activities. Also cracking here means unlocking paywalled features that are already in the app.
What is Electron?
Electron is an open source framework for developing MacOS, Windows and Linux desktop apps using web technologies, namely HTML, CSS, JS. When you start the app it launches a chromium browsers and runs your app as if it were native. But it's not and thats why it is more than easy to crack an Electron app. Some of your most used apps might be build with Electron like VSCode, Slack, Discord, WhatsApp, Notion etc.
How does an Electron app work on MacOS?
To keep it short, by clicking the app icon, MacOS launches a small binary file that opens a chromium window and the V8-engine starts to compile your JS files into a working app. The app is compressed into a single file called app.asar
and all the dependencies are stored in the Frameworks
folder.
File Structure (MacOS)
ElectronApp.app
└── Contents
├── CodeResources
├── Frameworks
│ └── some dependencies
├── Info.plist <- where Electrons hash is stored
├── MacOS
│ └── ElectronApp <- this is the starting point of the app
├── PkgInfo
├── Resources
│ ├── app.asar <- all the app HTML CSS JS code compressed
│ └── icon.icns
└── _CodeSignature
└── CodeResources <- signature
Possible attack vectors
There are several ways to attack an Electron app. What I mean by cracking in this article is circumventing the app's security measures to access paywalled features or to bypass the app's licensing. The difference to cracking a webapp is that you have access to the frontend code and also the app's main process which could be considered as the application backend. But don't get me wrong, with these methods you can only crack what is already there but paywalled. Certain functionalities such as AI image generation is mostly handled on the server side and you can't access that with these methods.
Starting from least invasive to most invasive:
- DevTools: Open the dev tools and change App state. This is sometimes enough to bypass the app's security. Of course most apps disable the dev tools, but it's still possible to enable them.
- Reverse Engineering: Extract the
app.asar
file, deobfuscate the files and read the code. This is a bit more invasive but still not that hard and it can be done with a few commands (more on it later). This step can be used to understand how the app works and find vulnerabilities, or to bypass the app's security and licensing. - Injecting Code: Injecting code into the app's process or the main process via devtools.
- Changing the source code: Change the source code of the app, recompile it and run it. This is the most invasive way to crack an app and it requires some additional steps to calmn down MacOS security checks.
Enabling DevTools
This one is probably the easiest way to bypass the app's security. There are two types of devtools you can enable.
- Devtools in the app window, basically frontend devtools. This allows you to set breakpoints, inspect elements, change the state of the app etc.
- Devtools in the main process. This is the most dangerous one. You can access the main process, set breakpoints and investigate how critical parts of the app work. Most apps disable the dev tools, but here is a nasty workaround to enable them.
The trick is to open the app via the terminal and pass these flags:
$ /Applications/MyElectron.app/Contents/MacOS/MyElectron --remote-debugging-port=8315 --inspect=9229
This will open the app and make the frontend devtools available at http://localhost:8315
and the main process devtools at http://localhost:9229
. You can also replac --inspect
with --inspect-brk
to break at the first line of the main process. This is useful for reverse engineering the startup processes of the app.
To attach the Chrome DevTools to the app, open Chrome and go to chrome://inspect
. You should see your app there. If not add the urls to menu opened by Configure.... Click on inspect
and you will see the devtools.
One thing you can do in the frontend devtools is to investigate the app state under Application -> Local Storage
. You can change the values there and see how the app reacts.
Extracting the app.asar
file and deobfuscating the code
The app.asar
file is a compressed file that contains all the app's code. You can extract it with the following command:
$ npx --yes asar extract /Applications/MyElectron.app/Contents/Resources/app.asar ~/Desktop/MyElectron
For deobfuscating the code you can use a tool like de4js.
How Apple secures desktop apps
Apple has a few security measures in place to prevent unauthorized access to the app's code. The most important one is the code signature. Every app on MacOS is signed with a certificate. This certificate is used to verify the app's integrity and to ensure that the app has not been tampered with. If the app's code has been modified, the signature will be invalid and MacOS will refuse to run the app.
Also Apple is notarizing apps. This means that the app is checked by Apple and if it passes the checks, it gets a notarization certificate. This certificate is used to verify that the app is safe to run on MacOS. If the app is not notarized, MacOS will show a warning when you try to run it.
How Electron apps are secured
In addition to Apple's security measures, Electron apps have a few security measures in place to prevent unauthorized access to the app's code. Electron obfuscates the code, compresses it into the infamous app.asar
file and creates an hash of the file. This hash is stored in Info.plist
file. When the app is started, Electron checks the hash of the app.asar
file and compares it to the hash stored in Info.plist
. If the hashes do not match, Electron will refuse to run the app.
What it takes to crack an Electron app
To crack an Electron app, you need to bypass the security measures put in place by Apple and Electron. The basic steps are:
- Extract the
app.asar
file - Deobfuscate the code (only for understanding the code, deobfuscating sometimes breaks the code)
- Change the code to bypass the security checks (e.g. enabling dev mode)
- Repack the code into a new
app.asar
withnpx --yes asar pack <from> <to>
- Change the hash in
Info.plist
to match the new hash calculated from the newapp.asar
file - Self Sign the app with a new certificate `
In the next article I will show you how to do all these steps with a script. Stay tuned!