[kijiki]

Sure, but it doesn't pull HTML or Javascript from servers, it is all packaged along with the native Electron runtime. Exploiting a Javascript vulnerability is an absurd waste of time when you could just add a backdoor or whatever to the native code.

[jsnar]

It's not as simple as you thought. Consider a bug in the image decoding library Chromium used that can be exploited by simply sending a crafted image in the chat.

[halayli]

same logic can be applied to a native app that is using libpng and an attacker exploits the lib in one way or another.

[munin]

things you can do in the native app to mitigate this risk:

* run rendering in a sandbox

* closely monitor your deps for vulnerabilities and ship patches as quickly as possible

* choose deps with a better security track record, when possible

* independently scan, test, and validate the deps you bring in

things you can do in an electron app:

* pray

[Jahava]

In all fairness...

> run rendering in a sandbox

Most major browsers, including Edge and Chrome, do this and are really good at it.

> closely monitor your deps for vulnerabilities and ship patches as quickly as possible

Most major browsers do this too, and they have well-established update pipelines that can patch vulnerabilities in short order.

> choose deps with a better security track record, when possible

Most major browsers do this (e.g., "boringssl").

> independently scan, test, and validate the deps you bring in

Most major browsers do this as part of QA and vulnerability scanning.

> things you can do in an electron app: > * pray

* leverage all of the work that thousands at Microsoft, Google, Mozilla, etc., put into deploying what I suspect are the most heavily-attacked, heavily-scrutinized, and heavily-audited software platforms in existence.

Not that I'm specifically advocating web apps over native apps, but I don't think your list does a good job outlining their advantages.

[flukus]

That's likely to get fixed quickly and I can just apt-get upgrade. With electron we have to wait for google to fix it in chrome, wait for electron to update the chrome version or backport the patch, wait for the app developer to update their version of electron and then update it on your machine.