Desktop app as insecure, as a web page. Serve code from local files, especially crypto.

[3n-mb]

Context

A whole of app code, together with crypto parts, is loaded via electron/main.js

ipcMain.once('load-webapp', function(event, online) {
  enteredWebapp = true;
  if (baseURL.includes('?')) {
    baseURL += '&hl=' + locale.getCurrent();
  } else {
    baseURL += '?hl=' + locale.getCurrent();
  }
  main.loadURL(baseURL);
});

where baseURL points to wire's server, from where everything is loaded. All UI parts, all of crypto, everything.

This way all of security aspects are totally equivalent to those of a web page.
For example, when wire's server is compromised, and it starts to serve js files that also steal keys/passes, all desktop applications are compromised immediately, because they rely for key functionality on code, served from a web server.

This is a security problem.

Possible solution

Keep all web assets in a local directory.
Do not load it every time from a browser.

It can be as simple as modifying build/pack process.
For example, require wire-webapp folder to be nearby, trigger build in it, then copy assets into electron folder here, and trigger existing build process here.

In time, you may leverage this by injecting native-code backed crypto functions, speeding things up, turning a security benefit into a usability one.

[raphaelrobert]

Our web app has a high frequency for updates. We would have to change our strategy considerably if we were to package static files in the AppStore/Windows version everytime.
Even if we were to do that, it would not completely solve the problem: users still have to trust the files from the AppStore/Windows package.
The best remedy is still to use the open source apps if you don't want to trust packages.

[3n-mb]

@raphaelrobert there is an updater for electron.

My steps as a user:
0) go to wire site

1. click to Get the (windows) App
2. it is 40-something MB download, thus, I assume it to be a complete electron app
   No windows app store noticed. Therefore, electron may have an updater in it, making updates as needed, provided user agrees to do an update.

Update server does not need to know user's identity.

When auto-ops push webapp, they push static assets to an update server, as a parallel branch. Parallel deployment into your own server shouldn't require, quoting you, "to change our strategy considerably", end of quote.

Here is another positive UX side for this security-minded solution. Faster startup! Potential for an offline work!

Rant:

The best remedy is still to use the open source apps if you don't want to trust packages.

This translates to a common theme: if we cannot give 100% security, we give none.

I, personally, thought that desktop users are those professionals (example from issue #12 ), to whom your company plans to sell premium services. Correct me, if I am wrong. Wire's site promises privacy and security as the first point. Instead, desktop version has lesser security than mobile apps.

[raphaelrobert]

Let's be very clear: we care deeply about security and privacy and we are happy about suggestions and questions from the community.

The point you raised is an important one. We would certainly like to improve security where we can, but we also have to ask the questions: How good is the improvement? And if it is good enough, how will it affect the user experience (because ruining the user experience is ultimately also detrimental to security).

We use an updater for Electron (on Windows), and yes, we could package the files, but they would still come from a server. In addition we would also waste some bandwidth, because unfortunately Electron is not exactly small.
It might be a way forward to just package the web app and essentially cache it until the next update instead of downloading it every time the desktop app is started. But in reality the Wire desktop app is not started very often but rather kept in the background, and the web app updates are often just days apart.

[ConorIA]

Raphael, building on your last point (and from a lay perspective) would it be possible to have a small script that scrapes the version number from the web and only updates the cache if there have been changes?

[tmikaeld]

I would prefer this, a button that when clicked upon shows the version, changelog and link directly to the commited changes. It should show every time something changes and you haven't clicked it (Always in view). This would make it informative for those who want to see it and want to investigate the changes - while still keeping it out of view for those that don't care.

[tmikaeld]

I'd rather review the code of a few scripts rather than a +40MB binary on every update.

[raphaelrobert]

@ConorIA sounds like the way to do it once there is a cache.

@tmikaeld Thanks for the suggestion, we'll keep it in mind.