Electron with C++ backend - secure?

1

8

I have written a UI in Electron and I would like to connect it with my C++ code. However, I will be selling this product and so I would like to know if this makes it easier for people to crack my C++ code? Obviously I know compiled C++ can be cracked anyway, but does this affect it in any way?

Additionally, what is the best way to go about this while preserving maximum possible security?

Thanks.

EDIT: How about this? Is it possible to use c++ as back-end for Electron.js?

EDIT2: To clarify, my Electron app will be showing the status of operations being performed in the C++ program. As such, I will need to send lists, dictionaries, strings etc. from C++ to JS which will then render it. Additionally, buttons on my Electron app need to trigger actions in the C++ code, such as stopping or starting certain parts of the program.

Emilia answered 16/1, 2020 at 17:43 Comment(21)
What do you mean connect it? Like message passing? – Mithridatism
It is fairly easy to peek into the JS code of electron apps, this means the API for your C++ library will be discoverable. You would also be giving the library to your users anyways, so they could use other tools to determine the library's API. – Pollypollyanna
@Mithridatism I need to pass data like lists, dictionaries and strings from my C++ code to my Electron GUI in realtime. And my electron GUI needs to be able to send data to C++ in the same way. – Emilia
@Pollypollyanna Is there any way to get around this? – Emilia
Write the entire application in C++ and do not export any functions like you would with a DLL. – Pollypollyanna
@Pollypollyanna I added an edit to clarify what I'm doing if that helps. – Emilia
@Pollypollyanna It seems like a pain to develop a UI in C++. I have already spent ages writing one in HTML/CSS/JS. Is there any C++ library I can use to run that to avoid the issues with Electron? – Emilia
@Mithridatism I added an edit to clarify what I'm doing. – Emilia
@Pollypollyanna What about something like ultralig.ht/#about or cppcms.com/wikipp/en/page/main? – Emilia
@JackP, There is no "issue" with electron. The nature of a DLL, or other compiled C++ library, is that it exports and exposes an API. If you don't want savvy users knowing about this API then don't give them a library at all. – Pollypollyanna
@Pollypollyanna I don't understand what will be compromised by exposing this API - can you explain in the context of my second edit? – Emilia
@Pollypollyanna How would I even write a C++ GUI without a library?... – Emilia
@JackP, Maybe you need to define what "secure" means to you in this question. I am saying that using electron is not relevant to the "security" of your C++ code beyond the fact that C++ node modules have to be a DLL with an API that can be discovered. What do you want to prevent the users from doing/knowing? What are you worried about? What do you mean by "crack"? – Pollypollyanna
@Pollypollyanna My software is licensed and thus I'm worried about people decompiling it and removing the license check or revealing how I have achieved what I have achieved. Again, I know this is not impossible with a regular C++ executable but I don't want to make it easier. – Emilia
@Pollypollyanna As I've said, I don't understand the implications of my C++ being a binary with an exposed API. Can you explain this? Can I limit this API to prevent access to stuff that is not necessary for the functions of the GUI itself? – Emilia
@JackP, Using electron does not make any difference. If you provide compiled C++ code to a user in any way, they have the ability to run a decompiler on that binary. – Pollypollyanna
@Pollypollyanna I know... What about the API? That is not there with normal C++ code. – Emilia
The API is just a list of functions that can be called from outside the library. If someone used a tool like this they could write a program to begin experimenting with those functions and see what they do. Making your app as a single EXE with no exported functions prevents tools like that from displaying any useful information. Reverse engineering would still be possible either way. Again, electron makes no difference other than requiring you to compile a DLL. – Pollypollyanna
@Pollypollyanna So I can limit the API to only allow certain functions to be called? If that is the only security downside of Electron then I don't see a problem because I can only expose stuff that has no relation to the licensing system. Even so, how would I go about making my application a single EXE with an HTML/CSS/JS front end? – Emilia
That is a question too broad to answer in comments. You wouldn't use HTML/CSS/JS without a web rendering engine, so maybe fork a web browser project or maybe use CEF... – Pollypollyanna
@Pollypollyanna Then post an answer? How about my first question? – Emilia
9

> I have written a UI in Electron and I would like to connect it with my C++ code ... I would like to know if this makes it easier for people to crack my C++ code?

Using Electron does not make any meaningful difference for protecting the C++ source code. (Your intellectual property)

The JavaScript code running in Electron will be very easy to reverse engineer though, which gives users a head start on experimenting with your C++ binary. Using minification and obfuscation tools can at least make that harder.

For the C++ side, connecting C++ to Electron can be done in at least these two ways:

  • By dynamically linking to a shared library (Node.js C++ Addons)
    In this case your C++ API would be functions that get exported by the shared library. There are many tools to inspect shared libraries (DLLs) and view these functions.
  • By communicating with another process using some sort of Inter-process communication.
    In this case your API would depend on the IPC method used. If it was TCP/UDP messages you could use Wireshark to inspect the packets between the processes. There are ways to inspect messages going over any type of IPC.

Either way, your application must be delivered to the end-user with a compiled binary. Preventing reverse engineering of the binary itself is impossible if you actually give the binary to your users.

You should also expect that a savvy end-user will have access to other tools that can inspect the API and implement third-party code that talks to that API.

> Additionally, what is the best way to go about this while preserving maximum possible security?

By "maximum possible security", I will assume you are referring to preventing unauthorized use of the C++ code with other applications.

You would need a licensing system that can authenticate the application that is using your C++ binary's API. Explaining what that would be exactly is probably too large of an answer for Stack Overflow, and you will have to do some research on how licensing systems are implemented.

It may be theoretically impossible to develop a perfect licensing system though. Look at the gaming industry, it takes just a matter of days for the licensing software to become circumvented for every new game that is released. The only software architecture that cracks haven't completely conquered are cloud-based applications, which don't actually deliver compiled code with their business logic to the end-user's computer.

Pollypollyanna answered 16/1, 2020 at 18:32 Comment(0)
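
The question's follow-up about limiting the API to what the GUI needs, shown as an added example (not code from the question or the answer): a backend that exports one entry point and keeps everything else, including the license check, at internal linkage. The name `backend_request`, the text command format and the part names are assumptions made for illustration.

```cpp
// Added example: one exported entry point, everything else internal. Build with -fvisibility=hidden
// (GCC/Clang) so only EXPORT symbols are exported; MSVC exports only __declspec(dllexport) symbols.
#include <cstddef>
#include <cstring>
#include <map>
#include <sstream>
#include <string>

#if defined(_WIN32)
#  define EXPORT extern "C" __declspec(dllexport)
#else
#  define EXPORT extern "C" __attribute__((visibility("default")))
#endif

namespace {  // internal linkage: none of this appears in the export table
// Hypothetical parts of the program; the GUI may only toggle these.
std::map<std::string, bool> g_parts = {{"scanner", false}, {"uploader", false}};

bool license_ok() { return true; }  // placeholder: the real check stays internal, never exported

std::string handle(const std::string& request) {
    if (!license_ok()) return "ERR unlicensed";
    std::istringstream in(request);
    std::string verb, part, extra;
    in >> verb >> part >> extra;
    if (!extra.empty()) return "ERR malformed";
    if (verb == "status" && part.empty()) {
        std::string out = "OK";
        for (const auto& p : g_parts) out += " " + p.first + "=" + (p.second ? "on" : "off");
        return out;
    }
    if (verb != "start" && verb != "stop") return "ERR unknown command";
    auto it = g_parts.find(part);
    if (it == g_parts.end()) return "ERR unknown part";
    it->second = (verb == "start");
    return "OK " + part + (it->second ? "=on" : "=off");
}
}  // namespace

// The only symbol the Electron side (addon wrapper or IPC loop) can call.
// Returns 0 on success, -1 on bad arguments or if the reply does not fit in `out`.
EXPORT int backend_request(const char* request, char* out, std::size_t out_len) {
    if (!request || !out || out_len == 0) return -1;
    const std::string reply = handle(request);
    if (reply.size() + 1 > out_len) return -1;
    std::memcpy(out, reply.c_str(), reply.size() + 1);
    return 0;
}
```

This narrows what an export viewer or IPC capture reveals to the GUI's own commands; as the answer says, the binary itself can still be decompiled.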
