Cracking Electron: Why Electron is not secure for paid macos apps

Disclaimer: This article is for educational purposes only. Please do not use this for malicious intent. Don't use for illegal activities.

What is Electron?

Electron is an open source framework for developing MacOS, Windows and Linux desktop apps using web technologies, namely HTML, CSS, JS. When you start the app it launches a chromium browsers and runs your app as if it were native. But it's not and thats why it is more than easy to crack an Electron app. Some of your most used apps might be build with Electron like VSCode, Slack, Discord, WhatsApp, Notion etc.

How does an Electron app work on MacOS?

To keep it short, by clicking the app icon, MacOS launches a small binary file that opens a chromium window and the V8-engine starts to compile your JS files into a working app. The app is compressed into a single file called app.asar and all the dependencies are stored in the Frameworks folder.

File Structure (MacOS)

ElectronApp.app
└── Contents
    ├── CodeResources
    ├── Frameworks
    │   └── some dependencies
    ├── Info.plist  <- where Electrons hash is stored
    ├── MacOS
    │   └── ElectronApp   <- this is the starting point of the app
    ├── PkgInfo
    ├── Resources
    │   ├── app.asar   <- all the app HTML CSS JS code compressed
    │   └── icon.icns
    └── _CodeSignature
        └── CodeResources  <- signature

Possible attack vectors

There are several ways to attack an Electron app. Starting from least invasive to most invasive:

DevTools: Open the dev tools and change App state. This is sometimes enough to bypass the app's security. Of course most apps disable the dev tools, but it's still possible to enable them.
Reverse Engineering: Extract the app.asar file, deobfuscate the files and read the code. This is a bit more invasive but still not that hard and it can be done with a few commands (more on it later). This step can be used to understand how the app works and find vulnerabilities, or to bypass the app's security and licensing.
Injecting Code: Injecting code into the app's process or the main process via devtools.
Changing the source code: Change the source code of the app, recompile it and run it. This is the most invasive way to crack an app and it requires some additional steps to calmn down MacOS security checks.

Enabling DevTools

This one is probably the easiest way to bypass the app's security. There are two types of devtools you can enable.

Devtools in the app window, basically frontend devtools. This allows you to set breakpoints, inspect elements, change the state of the app etc.
Devtools in the main process. This is the most dangerous one. You can access the main process, set breakpoints and investigate how critical parts of the app work. Most apps disable the dev tools, but here is a nasty workaround to enable them.

The trick is to open the app via the terminal and pass these flags:

$ /Applications/MyElectron.app/Contents/MacOS/MyElectron --remote-debugging-port=8315 --inspect=9229 This will open the app and make the frontend devtools available at http://localhost:8315 and the main process devtools at http://localhost:9229. You can also replac --inspect with --inspect-brk to break at the first line of the main process. This is useful for reverse engineering the startup processes of the app.

To attach the Chrome DevTools to the app, open Chrome and go to chrome://inspect. You should see your app there. If not add the urls to menu opened by Configure.... Click on inspect and you will see the devtools.

One thing you can do in the frontend devtools is to investigate the app state under Application -> Local Storage. You can change the values there and see how the app reacts.

Extracting the `app.asar` file and deobfuscating the code

The app.asar file is a compressed file that contains all the app's code. You can extract it with the following command:

$ npx --yes asar extract /Applications/MyElectron.app/Contents/Resources/app.asar ~/Desktop/MyElectron

For deobfuscating the code you can use a tool like de4js.

How Apple secures desktop apps

Apple has a few security measures in place to prevent unauthorized access to the app's code. The most important one is the code signature. Every app on MacOS is signed with a certificate. This certificate is used to verify the app's integrity and to ensure that the app has not been tampered with. If the app's code has been modified, the signature will be invalid and MacOS will refuse to run the app.

Also Apple is notarizing apps. This means that the app is checked by Apple and if it passes the checks, it gets a notarization certificate. This certificate is used to verify that the app is safe to run on MacOS. If the app is not notarized, MacOS will show a warning when you try to run it.

How Electron apps are secured

In addition to Apple's security measures, Electron apps have a few security measures in place to prevent unauthorized access to the app's code. Electron obfuscates the code, compresses it into the infamous app.asar file and creates an hash of the file. This hash is stored in Info.plist file. When the app is started, Electron checks the hash of the app.asar file and compares it to the hash stored in Info.plist. If the hashes do not match, Electron will refuse to run the app.

What it takes to crack an Electron app

To crack an Electron app, you need to bypass the security measures put in place by Apple and Electron. The basic steps are:

Extract the app.asar file
Deobfuscate the code (only for understanding the code, deobfuscating sometimes breaks the code)
Change the code to bypass the security checks (e.g. enabling dev mode)
Repack the code into a new app.asar with npx --yes asar pack <from> <to>
Change the hash in Info.plist to match the new hash calculated from the new app.asar file
Self Sign the app with a new certificate `

In the next article I will show you how to do all these steps with a script. Stay tuned!