Is ngrok safe to use or can it be compromised?
6

80

Is ngrok a safe tool to use? I was reading a tutorial which recommended using ngrok to test the API responses that I make to outside services that also need to connect to my endpoints.

Gipsy answered 11/4, 2016 at 15:28 Comment(0)
46

There is no source code available for version 2.0, considering it started as an open source project in 2014. I am suspicious of any code that opens a tunnel to my localhost from the cloud. Pretty scary stuff, especially without source code!

Gearing answered 24/9, 2017 at 5:39 Comment(0)
33

It opens up a tunnel to your dev machine, which is partially secured by obscurity (a hard to guess subdomain), and can be further secured by requiring a password. But you're still opening yourself up to ngrok itself...

Original (2021):

...you're still opening yourself up to ngrok itself, and the company is completely opaque (no address, no employees, no business name, no LinkedIn presence; all I can find is that it has 1-10 employees and is private; not even sure what country it's based in). On top of that, the code is not open-sourced. No reason to think they're not legit, but not a lot of information available to build trust.

You may be able to use ngrok and other local tunnel services with more security by encrypting the traffic. See https://security.stackexchange.com/questions/177280/end-to-end-encryption-for-localtunnel-ngrok-setup/177357#177357 for more information.

Update (2023):

The company does now have a website (with terms of service, privacy policy, pricing, and even some kind of "trust center"), an "Inc" after their name, a LinkedIn, and an address in San Francisco in Google Maps.

Aerothermodynamics answered 21/8, 2020 at 0:53 Comment(6)
Seems that they are on LinkedIn now: linkedin.com/company/ngrok/people – Leatherback
This isn't entirely true. ngrok has been open source for quite some time: github.com/inconshreveable/ngrok – Ramify
@Ramify -- ngrok was open source, until 1.7.1 (August 2015) based on github.com/inconshreveable/ngrok/tags ... See comment above: https://mcmap.net/q/259706/-is-ngrok-safe-to-use-or-can-it-be-compromised – Aerothermodynamics
I work for ngrok. We've grown a lot since this answer was first published, including raising a series A. We are a real company with real employees. Our platform and ngrok agent are still closed source, but we have started building open source agent libraries in Go, Rust, and JS that you can use in your applications. – Deakin
@RussSavage what provoked you to close source it? Seems extremely suspicious to me... – Photostat
@Photostat good question. That decision was made long before I joined ngrok. Our founder did a Changelog podcast about it (starts around the 50m mark) a while ago that has some details about his motivations, which seem pretty genuine in my opinion. Of course, we also have a Data Processing Agreement available, and the paid version of ngrok supports end-to-end encryption of traffic as well. – Deakin
24

I found a good rating, but vacuous information, here:

http://www.scamadviser.com/is-ngrok.com-a-fake-site.html

The kicker for me is

https://developer.atlassian.com/blog/2015/05/secure-localhost-tunnels-with-ngrok/

where the Atlassian folks recommend it highly.

I think I am going to use it.

Quarterdeck answered 7/5, 2016 at 23:03 Comment(4)
It's secure as long as you are using it for testing and not using it for something persistent. – Microcircuit
So it is secure because Atlassian doesn't care? C'mon :) – Gipsy
It's the article from 2015, when ngrok was open source. – Kilohertz
Facts and opinions are not the same thing. You're citing opinions here. Security can't be based on opinions. The fact is that there is NOT end-to-end encryption from the internet client to the server on your PC. Some advise adding an extra encryption tunnel on top of all that, but that's literally missing the point of ngrok, which was simplicity. You'd better use socat to establish tunnels, even through a corporate HTTP proxy. – Floriated
11

If anyone is concerned about compromising their development environment, you can use Docker. There are many ngrok/docker projects, but here is the one I chose: https://github.com/gtriggiano/ngrok-tunnel

for macOS, use "TARGET_HOST=docker.for.mac.localhost"

Comradery answered 25/3, 2018 at 13:43 Comment(2)
ngrok has an official Docker image that they publish. It is available here: hub.docker.com/r/ngrok/ngrok – Deakin
Running ngrok in Docker still gives you the security concerns of binary blobs, just in Docker. To me, the largest concern is handing your unencrypted traffic over to an anonymous third party, which will happen inside or outside a Docker container. I suppose it could be more difficult for the binary to see stuff on the host from a Docker container, but users can already use tools to observe the binary reading local files, scanning ports on your LAN, etc. Binary blobs will only obscure activity like this and will not hide it completely. – Vestry
8

They now offer a service where you locally run only ssh, no need to run any of their code on your machine.

You run something like ssh -R 80:localhost:8501 tunnel.us.ngrok.com http. This connects to one of their hosts and forwards the connections they receive back to your machine and the service you run on localhost:8501.

This seems secure to me, the only thing is that you don't know what information they collect and who is connecting to your exposed service. They print all connections, but it's their binary that does this and someone might well listen in without you noticing. You can check connections on your end, but you cannot be sure who it is that connects.

Mendelian answered 23/2, 2021 at 10:57 Comment(1)
"the only thing is that you don't know what information they collect and who is connecting to your exposed service": this is the spooky part. Users have to put 100% trust in ngrok. Even if they're Doing The Right Thing (tm), what if they are compromised? There are always risks to giving your traffic to a third party, and they should certainly be considered when weighing privacy risks. – Vestry
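Two points raised above, the answer noting that a tunnel "can be further secured by requiring a password" and this answer's remark that "you can check connections on your end, but you cannot be sure who it is that connects", can be tried out on the local side without trusting any tunnel code. The following is an added example, not code from ngrok or from any answer on this page: a loopback-only HTTP service on the port used in the ssh -R command above (8501) that enforces HTTP Basic auth itself and logs, for every request, the peer the socket actually sees and the client address the tunnel claims. The credentials are constructed for the example, and it is an assumption that the tunnel edge adds an X-Forwarded-For header; whatever it adds is under the tunnel operator's control, which is exactly the limitation the answer describes.

```python
import base64
import hmac
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for this example; load them from the environment in real use.
BASIC_USER = os.environ.get("TUNNEL_USER", "dev")
BASIC_PASS = os.environ.get("TUNNEL_PASS", "correct-horse-battery")


def basic_auth_header(user, password):
    """Build the value of an 'Authorization: Basic ...' header (what the client sends)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def check_basic_auth(header_value, user=BASIC_USER, password=BASIC_PASS):
    """Return True only if header_value is a valid Basic header for user:password.

    The comparison is constant-time so that someone probing the public tunnel
    URL cannot use response timing to recover the credential byte by byte.
    """
    if not header_value or not header_value.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header_value[len("Basic "):], validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return False
    expected = f"{user}:{password}".encode("utf-8")
    return hmac.compare_digest(decoded, expected)


def describe_connection(peer, headers):
    """Build one log line for a request that arrived through the tunnel.

    `peer` is the (host, port) the local socket sees. Through ngrok, or the
    ssh -R variant, that is always the tunnel's local end, so the only hint of
    the real client is X-Forwarded-For, a header this example ASSUMES the
    tunnel edge sets and which the tunnel, not the client, controls.
    """
    forwarded = headers.get("X-Forwarded-For")
    if forwarded:
        claimed = forwarded.split(",")[0].strip()
        origin = f"claimed-client={claimed} (as reported by the tunnel, unverifiable)"
    else:
        origin = "client unknown (no X-Forwarded-For header)"
    return f"peer={peer[0]}:{peer[1]} {origin}"


class TunnelHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Log what we can actually observe before deciding anything.
        print(describe_connection(self.client_address, self.headers))
        if not check_basic_auth(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="tunnel"')
            self.end_headers()
            return
        body = b"hello from localhost:8501\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only: the tunnel reaches it locally, nothing on the LAN can.
    HTTPServer(("127.0.0.1", 8501), TunnelHandler).serve_forever()
```

Run it, start the tunnel against port 8501, and request the public URL with and without `curl -u dev:correct-horse-battery`: the log line shows the peer is always 127.0.0.1 and the "claimed-client" is whatever the tunnel inserted, which is the whole of what you can verify from your end. Note that this auth check happens after the request has already crossed the tunnel in the clear, so it limits who can reach the service, not what the tunnel operator can see.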
0

I used ngrok extensively when it was open source. I was hesitant when it went closed source.

I was going to install it on a new Windows machine I got, but Defender is flagging it as a virus. Microsoft must have noticed exploited vulnerabilities through its usage.

I decided to cancel my yearly subscription today and got an error saying that I cannot cancel a subscription until the month before it is set to expire. That, coupled with Windows recognizing the install package as a virus, is a HUGE red flag for me.

Postmark answered 23/4, 2024 at 14:52 Comment(0)