Security, by default

— Written by socket

Since making waves last week with our new release, we've received a lot of attention, praise, excitement, and a few important questions; e.g., how our security model differs from (indirect) competitors like Tauri or Electron.

For further reference, we have some good detail about this topic in our guide

Quick Overview

  • Tauri and Electron both run a "main thread" process separate from the UI, where your app's "business logic" should reside; the separation ostensibly leads to better performance of the separate UI thread not being bogged down.

  • On mobile devices, such a "main thread" will be naturally sandboxed by the OS, offering a high degree of security assurance. But on desktop devices, no such sandboxing occurs, meaning that this "main thread" can literally do whatever it wants to your device (subject to account permissions).

  • Tauri's security information points out that native API access is gated by explicit allow lists, meaning an app that doesn't opt-into a specific capability, will not ship with that Tauri code included. They also mention using CSP to protect communication from the UI thread to the main thread.

    However, Tauri allows shipping an arbitrary binary (in Rust) for this main thread, of the author's own choosing, so there's really nothing protecting users on desktop systems from installing applications that surreptitiously do unwanted things in the background. That means Tauri's use of CSP doesn't do anything to restrict the "main" thread's behavior, only the UI code's behavior.

  • Socket uses a different model, one we believe is inherently more secure. We don't ship a separate "main" thread, but rather a thin (1.5mb) runtime wrapped around the webview. We call it a "runtime" because by default, ALL developer code is run dynamically, inside the compiled program which sets boundaries between the code it runs and the operating system that it runs on.

    We strongly encourage the entire app (UI and "backend" business logic) to ship inside the wrapped webview, with heavy work offloaded to other threads via workers (and optimized via WASM). Our CSP protections (between webview and runtime) thus provide a standard and battle-tested security barrier that restricts an app's JS code (business logic or otherwise) from running amok on any device, mobile or desktop.

Summary

To be clear, an app built with Tauri, Electron, or Socket can be written to respect a user's device and not do bad things the user doesn't want. And further, Tauri/etc do provide some mitigations to help assure users of app behaviors. And when apps are deployed to mobile devices, the operating systems do ensure a lot of protections.

Nevertheless, we believe Socket's model, architecture, and positioning, is by design more standardized around known security models, and thus offers greater assurances to users, especially on desktop OS's, than other options.

But don't just take our word for it! Check out Socket's code and tools for yourself.