
How to audit source code of proprietary Electron app

Requirements

Caveats

  • When copy/pasting commands that start with $, strip out $ as this character is not part of the command

macOS guide

Step 1: install Homebrew

$ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"

$ uname -m | grep arm64 && echo 'export PATH=$PATH:/opt/homebrew/bin' >> ~/.zshrc && source ~/.zshrc

Step 2: disable Homebrew analytics

brew analytics off

Step 3: install dependencies

brew install node tree

Step 4: extract source code

Heads-up: replace QR\ Bridge.app with Electron app one wishes to audit.

$ npx asar extract /Applications/QR\ Bridge.app/Contents/Resources/app.asar ~/Desktop/source
npx: installed 17 in 6.041s

Step 5 (optional): list files

$ tree ~/Desktop/source -I node_modules
/Users/sunknudsen/Desktop/source
├── LICENSE
├── README.md
├── app
│   ├── confirmation.wav
│   ├── index.html
│   ├── preload.js
│   ├── renderer.js
│   └── style.css
├── icon.ai
├── main.js
├── package.json
└── qr-bridge.code-workspace

1 directory, 11 files

Step 6: audit app

Heads-up: code is the command line utility that opens a file or folder in Visual Studio Code.

Heads-up: please respect license… being able to audit app does not mean app (including its source code) should be considered public domain.

code ~/Desktop/source

Step 7: check if app calls home

Use an application-layer firewall such as Little Snitch or LuLu.

👍

Tails guide

Step 1: boot to Tails and set admin password (required to run commands using sudo)

Heads-up: if keyboard layout of computer isn’t “English (US)”, set “Keyboard Layout”.

Click “+” under “Additional Settings”, then “Administration Password”, set password, click “Add” and, finally, click “Start Tails”.

Step 2: import Node.js’s PGP public key

torsocks curl -fsSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | gpg --dearmor | sudo tee /usr/share/keyrings/nodesource.gpg > /dev/null

Step 3: enable Node.js’s repository

Heads-up: run cat /etc/debian_version to find Debian version.

Debian 10 (buster)

$ echo -e "deb [signed-by=/usr/share/keyrings/nodesource.gpg] tor+https://deb.nodesource.com/node_16.x buster main\ndeb-src [signed-by=/usr/share/keyrings/nodesource.gpg] tor+https://deb.nodesource.com/node_16.x buster main" | sudo tee /etc/apt/sources.list.d/nodesource.list > /dev/null

$ sudo apt update

Debian 11 (bullseye)

$ echo -e "deb [signed-by=/usr/share/keyrings/nodesource.gpg] tor+https://deb.nodesource.com/node_16.x bullseye main\ndeb-src [signed-by=/usr/share/keyrings/nodesource.gpg] tor+https://deb.nodesource.com/node_16.x bullseye main" | sudo tee /etc/apt/sources.list.d/nodesource.list > /dev/null

$ sudo apt update

Step 4: find Node.js version

$ sudo apt-cache madison nodejs
    nodejs | 16.13.1-deb-1nodesource1 | tor+https://deb.nodesource.com/node_16.x buster/main amd64 Packages
    nodejs | 12.22.7~dfsg-2 | tor+https://cdn-fastly.deb.debian.org/debian sid/main amd64 Packages
    nodejs | 12.22.5~dfsg-2~11u1 | tor+https://cdn-fastly.deb.debian.org/debian bullseye/main amd64 Packages
    nodejs | 10.24.0~dfsg-1~deb10u1 | tor+https://cdn-fastly.deb.debian.org/debian buster/main amd64 Packages
    nodejs | 10.24.0~dfsg-1~deb10u1 | tor+https://cdn-fastly.deb.debian.org/debian-security buster/updates/main amd64 Packages

Step 5: install dependencies

Heads-up: replace nodejs=16.13.1-deb-1nodesource1 with version found at step 4.

sudo apt install -y nodejs=16.13.1-deb-1nodesource1 tree

Step 6: extract “resources” directory from AppImage

Heads-up: replace qr-bridge.AppImage with Electron app one wishes to audit.

$ ./qr-bridge.AppImage --appimage-extract resources
squashfs-root/resources
squashfs-root/resources/app-update.yml
squashfs-root/resources/app.asar

Step 7: extract source code

Heads-up: ignore torsocks warnings (if present).

$ torsocks npx asar extract squashfs-root/resources/app.asar ~/Desktop/source
Need to install the following packages:
  asar
Ok to proceed? (y) y
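The asar extraction in step 4 of the macOS guide and step 7 of the Tails guide can also be done without the npm asar package, by reading the archive header directly. The following Python is an added example, not code from this guide or from QR Bridge: it parses the asar header (a size pickle followed by a JSON file tree), reads a file out of the archive, and lists the hosts named in http(s) URLs inside bundled scripts as a starting point for the "calls home" check; build_asar only constructs sample input, and the file names and hostname used are assumptions.

```python
import json
import re
import struct

def parse_asar_header(data: bytes):
    # Header: UInt32 4 | UInt32 header_size | UInt32 payload_size | UInt32 json_len | JSON padded to 4; file data starts at 8 + header_size.
    magic, header_size, _payload, json_len = struct.unpack_from("<IIII", data, 0)
    if magic != 4:
        raise ValueError("unexpected asar header prefix")
    header = json.loads(data[16:16 + json_len].decode("utf-8"))
    return header, 8 + header_size

def walk_files(node, prefix=""):
    for name, child in node.get("files", {}).items():
        path = f"{prefix}/{name}" if prefix else name
        if "files" in child:
            yield from walk_files(child, path)
        else:
            yield path, child

def read_asar_file(data: bytes, path: str) -> bytes:
    # Entries marked "unpacked" live beside the archive in app.asar.unpacked, not inside it.
    header, base = parse_asar_header(data)
    entry = dict(walk_files(header)).get(path)
    if entry is None or entry.get("unpacked"):
        raise FileNotFoundError(f"{path} is not stored inside the archive")
    start = base + int(entry["offset"])
    return data[start:start + int(entry["size"])]

def remote_endpoints(data: bytes):
    # Hosts named in http(s) URLs inside bundled scripts: a starting point for the "calls home" check.
    hosts = set()
    for path, _ in walk_files(parse_asar_header(data)[0]):
        if path.endswith(".js"):
            hosts.update(re.findall(rb"https?://([\w.-]+)", read_asar_file(data, path)))
    return sorted(h.decode() for h in hosts)

def build_asar(files: dict) -> bytes:
    # Pack {path: bytes} into a minimal archive; used only to construct sample input here.
    tree, blob = {"files": {}}, b""
    for path, content in files.items():
        node = tree
        *dirs, name = path.split("/")
        for d in dirs:
            node = node["files"].setdefault(d, {"files": {}})
        node["files"][name] = {"size": len(content), "offset": str(len(blob))}
        blob += content
    js = json.dumps(tree).encode()
    payload = struct.pack("<I", len(js)) + js + b"\0" * (-len(js) % 4)
    header_buf = struct.pack("<I", len(payload)) + payload
    return struct.pack("<II", 4, len(header_buf)) + header_buf + blob
```

A URL list is only a hint: code can build endpoints at runtime, so the firewall check in the macOS guide still matters.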

Step 8 (optional): list files

$ tree ~/Desktop/source -I node_modules
/home/amnesia/Desktop/source
├── app
│   ├── confirmation.wav
│   ├── index.html
│   ├── preload.js
│   ├── renderer.js
│   └── style.css
├── icon.ai
├── LICENSE
├── main.js
├── package.json
├── qr-bridge.code-workspace
└── README.md

1 directory, 11 files

Step 9: audit app

Heads-up: please respect license… being able to audit app does not mean app (including its source code) should be considered public domain.

Audit source code using “Text Editor”.

👍

Contributors: Sun Knudsen
