What is Electron and why is it so controversial?

Back in August, 1Password users saw a familiar prompt inside their desktop apps: a new update was available. The launch of 1Password 8.0, however, was not a routine update – under the hood, something significant changed – the underlying architecture of the app was switched to Electron.

ElectronJS, more commonly known as Electron, is a rather clever idea on paper. It allows software developers to write an app only once, so instead of writing separate apps for Windows, Mac and Linux, the same code powers the app on multiple platforms.

It’s both popular and open source, and the framework is used today for a range of popular desktop apps, from Slack to WhatsApp. Even Microsoft has embraced it to build the hugely popular Visual Studio Code editor.

It’s also safe to say that not everyone loves it – as demonstrated by the reaction on Twitter. “I’m suddenly in need of a new password manager,” wrote Mac developer Bryan Jones after downloading the 1Password update. Coder Tom Morris said: “It has been a bad week if you like software that is high performance, low memory usage, and not hideously ugly.” Penetration tester Vetle Hjelle put it even more bluntly, branding it “a punch to the gut”. Clearly, some developers love Electron, while many others hate it – but why is Electron so divisive?

Electron-made apps are simple to build

“To me, Electron is the choice between no app and an app existing,” says Tony Onodi, a web developer by background. Thanks to Electron, he can transfer his skills to writing desktop apps. Instead of needing to use a complex, low-level language such as C, Electron is based on the much simpler JavaScript.

This means apps can be written using the same simple instructions that web apps are made in. This is the hidden genius of Electron apps: beneath the surface, they are essentially a web browser without an address bar, and with a few special controls for things such as right-click menus, to help them better mimic native apps.

It’s this relative simplicity that means Onodi is currently working on a standalone version of NumPad, a lightweight web app he made that combines a Notepad-like text editor with an in-line calculator. “If I tried to implement it in the Apple way, or the Windows way, I would just probably give up quite quickly, because it would involve learning a whole load of tools that I'm not familiar with,” says Onodi.

Electron code can be too bloated

Not everyone is such a fan. Within every Electron app is a standalone version of Chromium, the engine that runs Google’s Chrome browser. This takes care of the hard work of translating JavaScript code into the app you see on the screen.

“Talk about bloatware,” says software developer Sam Strachan, who points to two Electron apps he uses regularly, Postman and GitHub Desktop, both of which have temporary files that clock in at around a gigabyte each. “In some ways, it just doesn't matter these days, because who notices a gigabyte here and there? But when you stop and think that, actually, you could write the same app [natively], it would be like a couple of megabytes.”

There is a trade-off, then, as each Electron app requires its own Chromium back-end, so if you’re running, say, Slack, GitHub Desktop and Visual Studio Code at the same time, you’re effectively running three copies of Chrome at once.

“I usually work with powerful machines so they are not as noticeable, but I can imagine most people with average computers really suffer if they open multiple Electron apps,” says Federico Terzi, a software engineer who’s had his own experience building cross-platform apps such as Espanso, a text expander.

Choosing Electron impacts users differently. “I think Electron is mostly loved by developers rather than users,” Terzi continues. “Users would always love to have native applications if possible.”

Might Electron pose a cyber security risk?

There’s another layer to Terzi’s concerns. He worries Electron apps, by nature, aren’t as secure as native apps, which could have significant implications for apps such as password managers. “The biggest problem with Electron applications is that you build them using JavaScript,” he says.

As much JavaScript code is open source and shared all over the web, the applications are often built using many different packages – building blocks of code that have been written by other people.

If you want your app to show a graph, for example, instead of going to the trouble of writing your own graph-drawing code, it’s much easier to use an off-the-shelf graph drawing package inside your app – and that package becomes a dependency the app requires to run. It makes development much quicker, but it does have one drawback. “An average application can download thousands of those dependencies, because each dependency has other dependencies, which each have other dependencies, and so on,” says Terzi. This creates what Terzi describes as “dependency hell”.

“The biggest problem is that these open up an attack called the ‘vendor-chain attack’, which means that if just one of these packages is compromised, then the whole application potentially is compromised.”

Though that sort of attack is conceivably a problem on other platforms too, the risk is arguably more acute due to the way Electron is designed. “Web browsers like Chrome, Firefox, and Safari all have sandboxes that make it impossible or very, very hard for any [rogue package] to get access to your computer. [But] Electron applications have superpowers, because that's what is necessary to create desktop applications.”

Under the hood, Electron apps essentially run two different processes on your computer: the Chromium engine it uses to render HTML and JavaScript, and NodeJS, a back-end environment that lets JavaScript control things that are usually off-limits. For example, if an Electron app needs to interact with the computer’s file system, or your hardware, it sends commands through Node. It means that if any rogue code were able to run inside an Electron app, it could meddle with your computer at a low level.
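One way to see that difference in practice, as an added example that is not from the article, 1Password or the Electron project: the window options that hand page JavaScript those Node.js “superpowers” beside the hardened options Electron’s own security guidance recommends, with a small audit that flags the weak values. The webPreferences key names are Electron’s; the window objects and the audit functions are assumptions constructed for this example, so it runs under plain Node.js without Electron installed.

```javascript
// Added example (not from the article, 1Password or the Electron project): the
// permissive BrowserWindow webPreferences that give renderer JavaScript direct Node.js
// access, beside a hardened configuration, plus a small audit of either shape.
// nodeIntegration, contextIsolation, sandbox and webSecurity are real Electron keys.

// Risky shape: any script the renderer runs (including a compromised npm dependency
// bundled into the page) can require('fs') or child_process directly.
const permissiveWindow = {
  webPreferences: {
    nodeIntegration: true,
    contextIsolation: false, // page code shares a JS realm with the preload script
    sandbox: false,          // renderer runs outside the Chromium OS-level sandbox
  },
};

// Hardened shape: the renderer is a plain sandboxed browser page; privileged actions
// are exposed one at a time from a preload script and validated in the main process.
const hardenedWindow = {
  webPreferences: {
    nodeIntegration: false,
    contextIsolation: true,
    sandbox: true,
    webSecurity: true,
  },
};

// Settings every window should pin explicitly, with the dangerous value for each.
// An absent key falls back to whatever the installed Electron version defaults to,
// so an upgrade or downgrade can silently change the app's security posture.
const PINNED = {
  nodeIntegration:  { unsafe: true,  why: 'renderer gets direct Node.js APIs' },
  contextIsolation: { unsafe: false, why: 'page scripts can tamper with preload globals' },
  sandbox:          { unsafe: false, why: 'renderer runs outside the Chromium sandbox' },
  webSecurity:      { unsafe: false, why: 'same-origin policy disabled' },
};

// Returns one message per key that is explicitly set to its dangerous value.
function riskySettings(prefs = {}) {
  return Object.entries(PINNED)
    .filter(([key, rule]) => prefs[key] === rule.unsafe)
    .map(([key, rule]) => `${key}=${prefs[key]}: ${rule.why}`);
}

// Returns the keys the config leaves to the Electron default instead of pinning.
function unpinnedSettings(prefs = {}) {
  return Object.keys(PINNED).filter((key) => !(key in prefs));
}
```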

It's a potential vulnerability that 1Password appears to be well aware of, too. As part of the switch to Electron, the company released a set of tools it calls “Electron Hardener”, which it says will address security loopholes like this.

Money is the main reason Electron is surging

Security and bloat aside, Electron is clearly popular. So, what’s motivating the trend for Electron? Why are major apps such as 1Password switching to the framework when there are so many conceivable drawbacks?

“For a company, it's a no-brainer to choose an Electron app,” says Terzi. “They can reuse the web developers they have in-house to build a desktop application. And if you go with native applications, the skills that are needed are completely different, and it’s usually harder to find developers.”

It also makes things simpler on a technical level. “They can just create one code base and then it works pretty much on every platform and you have a lot of control over it,” Terzi continues.

“If you read in technical forums, everyone hates Electron, but the actual truth is that average users don't care too much. Of course, they would like things to be snappy. But for a company, we're talking about potentially millions of dollars saved using Electron so that's probably why most of them choose it.”