Calling home (or not) may not be the only security issue with Electron, nor the most serious risk associated with its use. That risk is attacks by malicious outsiders.
Kaspersky has an interesting article on security issues with Electron, and in particular with its use of embedded Chromium (https://www.kaspersky.com/blog/electron-framework-security-issues/49035/). Their argument goes as follows.
- Security holes are found in Chromium very frequently: “New, serious vulnerabilities pop up almost weekly in a popular browser like Chrome/Chromium: so far this year more than 70 high, and three critical severity-level vulnerabilities have been found in Chromium as of the time of writing [September 14, 2023]. Worse yet, exploits for the world’s most popular browser’s vulnerabilities appear really quick. This means that a good part of Chrome/Chromium holes are not just abstract bugs you treat as a matter of routine — they’re vulnerabilities that can be used for attacks by cybercriminals out in the wild.”
- For stand-alone Chrome browsers this may not be a big problem, because Google “is very quick to release patches and rather persistent in convincing users to install them and restart their browser”.
- But the same does not necessarily apply to third-party applications that incorporate Chromium. First of all, the app developer would need to put out new versions with security fixes as soon as they are available, on average once a week, and users would also need to install those versions immediately to remain protected.
Kaspersky gives one example: "And here’s a fresh example: On September 11, Google fixed the CVE-2023-4863 vulnerability in Google Chrome. At that point, it was already actively exploited in the wild. It allows a remote attacker to perform an out of bounds memory write via a crafted HTML page, which can lead to the execution of arbitrary code. Of course, this bug is present in Chromium and all Electron-based applications. So, all companies using it in their applications will have to work on updates."
It seems to me that switching to Electron creates quite a risk for Manager Desktop and its users.
I know a bit about cyber security, although I cannot call myself an expert. I do not want to cause alarm. But the above has me worried. I hope others can shed some light on it. If it appears I am mistaken I will gladly retract this post.
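The post's argument hinges on how far an application's bundled Chromium lags behind the version that carries a given fix. The script below is an added example, not code from the post, from Kaspersky, or from the Manager project: it takes a constructed inventory of Electron applications with the Chromium version each one bundles and reports which ones are older than an assumed "fixed" version. The application names, the version numbers and the `PATCHED_CHROMIUM` value are all placeholders invented for this example; in practice the bundled version would be read from each application (Electron exposes it as `process.versions.chrome`) and the fixed version from the vendor's release notes for the advisory in question.

```python
"""Audit Electron apps for a stale bundled Chromium (added example, not from the post)."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ElectronApp:
    name: str
    electron_version: str
    chromium_version: str


# Constructed placeholder: stands in for the Chromium version that carried the fix
# for the advisory being checked. Take the real value from the vendor's release notes.
PATCHED_CHROMIUM = "116.0.5845.187"

# Constructed sample inventory; names and versions are invented for this example.
SAMPLE_INVENTORY = [
    ElectronApp("App A", "26.1.0", "116.0.5845.96"),    # older build of the same line
    ElectronApp("App B", "26.2.2", "116.0.5845.187"),   # exactly the fixed version
    ElectronApp("App C", "27.0.0", "118.0.5993.54"),    # newer major line
    ElectronApp("App D", "26.1.0", "116.0.5845"),       # truncated version string
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '116.0.5845.187' into (116, 0, 5845, 187); tolerate stray suffixes."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"no numeric components in version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_stale(bundled: str, patched: str) -> bool:
    """True when the bundled Chromium is older than the version carrying the fix.

    Shorter tuples are zero-padded so '116.0.5845' compares as 116.0.5845.0,
    i.e. older than 116.0.5845.187 rather than raising or comparing lexically.
    """
    b, p = parse_version(bundled), parse_version(patched)
    width = max(len(b), len(p))
    b = b + (0,) * (width - len(b))
    p = p + (0,) * (width - len(p))
    return b < p


def audit(inventory: list[ElectronApp], patched: str) -> list[str]:
    """Return the names of applications whose bundled Chromium predates the fix."""
    return [app.name for app in inventory if is_stale(app.chromium_version, patched)]


def report(inventory: list[ElectronApp], patched: str) -> str:
    """Human-readable summary of the audit, one line per application."""
    lines = [f"Fixed Chromium version assumed: {patched}"]
    for app in inventory:
        status = "STALE" if is_stale(app.chromium_version, patched) else "ok"
        lines.append(
            f"{app.name:8} electron={app.electron_version:8} "
            f"chromium={app.chromium_version:16} {status}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY, PATCHED_CHROMIUM))
```

The comparison is on numeric components rather than on the raw strings, because a lexical comparison would wrongly rank "116.0.5845.96" above "116.0.5845.187". Feeding this the actual Chromium versions reported by installed Electron applications, and the current Chromium stable version, gives a quick measure of the update lag the post is concerned about.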