Security Issues with PortableApps

5 posts / 0 new
portabc
Joined: 2022-11-20 12:49
Security Issues with PortableApps

Dear PortableApps Developers,

It came to my attention that PortableApps has some pretty huge security issues that could be easily avoided if the person responsible for updating portable apps had just a smudge of understanding of what an update on a system other than MS Windows is and how it differs.

There is of course the second matter of abandoned apps and a complete mess with the choice of apps presented to the end user, with complete disregard over their privacy and security.

I will explain those multiple issues here, as best as I can, for a newbie who manages portable apps.

1. The newbie who manages portable apps doesn't know what a shared library is and how important it is for the security of a system or of individual apps. In MS Windows all apps have separate libraries. Each app then has to be updated. Let's say (for the sake of explanation) there is a bug in OpenSSL. The whole system is then compromised. On a Unix-type system, the sysadmin updates one library (here: OpenSSL) and the whole system is secure. The update is straightforward and very fast, due to the fact that only one small package has to be updated. Moreover, not the whole package has to be updated, just the delta difference, so it's even faster.

Contrary to the shared libraries concept, each MS Windows app has its own copy of the libraries. This means that each individual app has to be fully updated and repackaged for a few KiB of code. That leads to GiB of downloads and installations. It can also happen that some apps have outdated, insecure libraries, and each app maintainer has to be aware of all bugs in all libraries and repackage the whole app.

In PortableApps, one of the web browsers, Falkon, comes from 2019. But your misconception, as an MS Windows user, is that Falkon hasn't been updated since 2019 and is totally insecure and has multiple bugs and issues. Soon 3 years will have passed since the last version was published. This is not true. You are not aware that Falkon uses the concept of shared libraries and since then has been updated hundreds of times. But how come? Well, Falkon is just a GUI for the rendering library called "Qt WebEngine". Every other system that uses shared libraries has updated Falkon a multitude of times. The only thing they had to do is update "Qt WebEngine" and Falkon (the GUI) is then up to date. Three years of updates you are missing.

2. Let's look then at the Internet category, specifically web browsers and the choice that is given to the user.

There is, of course, Google Chromium. I am not going to argue about the security and privacy of this app, but a privacy-oriented user (I hope everyone should be one) wouldn't want one corporation's monopoly, wouldn't want FLoC, Manifest V3, constant calling home, telemetry etc.

Other choices should be given. And here the problem begins. One big, viable alternative to Google Chrome (and not a Chromium spin-off) is Mozilla Firefox. There are two versions of Firefox: Firefox ESR (Extended Support Rate) and Firefox "rolling release". The first one is a tested, stable browser for production-ready machines; the other, with monthly releases (rolling release), is more of a test bed for the future ESR, with constant changes, code added, new features etc. This is not a stable version, but the user of PortableApps is never given the choice of having a stable version. Quite the contrary: the user is given yet another unstable/beta/nightly/alpha version of Firefox, but not Firefox ESR.

Another thing is that Firefox has a lot of telemetry built in and the user has to spend endless hours undoing it if they want just a smudge of privacy and a faster browser. This procedure also includes hacking omni.js. This is not viable for the end user. Fortunately there is a solution: a team of developers created a fork of Firefox. It's called LibreWolf and is regularly published, on the same day as Mozilla Firefox or the next day. The changes and code are published on GitHub. Getting rid of telemetry also means a faster app. PortableApps has never given us a choice and does not include LibreWolf.

Another very viable option is Basilisk. It retains the older (but not too old) GUI of Firefox and has "non-fingerprinted, non-web-type" addons (e.g. forks of uBlock and a fork of Matrix). It uses the Goanna web engine (which has much fewer security bugs; most of the CVEs of Firefox don't even apply to the Goanna engine, nor to Basilisk itself). The code is leaner and more robust, hence Basilisk is faster than Firefox. It's actively developed and has a new, corporate-independent developer. PortableApps has never given us a choice and does not include Basilisk.

QupZilla: it's been deprecated since 2018 and replaced by the actively developed Falkon. So a browser that is pushing 4 years old now and isn't developed is still hanging on PortableApps. Not good.

There is also the issue of an overabundance of closed-source, proprietary software in PortableApps. As with every secret code, the risk is out there. There are better choices that could be given to the user:

a) file manager: Double Commander (Qt version works better on Windows; available on Sourceforge);
b) photo viewer: PhotoQt, Quick Picture Viewer (very fast, very small: 3.4M, available on GitHub).
Just to name a few.

Other issues:

Lack of browsers for protocols other than HTTP. A good Gopher client should be placed right next to Links. One of the best, easy to use and tested, is Gopherus. Why promote just "the web for normies"? There are better, smaller, faster, more secure protocols without JavaScript for reading (news, blogs, weather, Wikipedia and even "the normies' websites" scraped, like Reddit, Twitter, etc.).

Another example of outdated, abandoned and non-working software:
GoldenDict, last update: 2015. I bet none of the websites that it tries to look up exist in the form from 2015. So it's 100% broken.

SimonGeek
Joined: 2022-07-24 01:22
Totally agree

I totally agree, remove outdated software and add LibreWolf.

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
Some Answers

Hi, I'm the newbie that does most stuff here. Here are some responses...

As for shared libraries, in the Windows world, shared libraries are nearly always bundled with the app itself these days. That's just the way it works. Even Visual C runtimes. For example, if you check your local C:\Program Files\Mozilla Firefox directory, you'll see vcruntime140.dll within it. OpenSSL isn't a shared library used by multiple apps on Windows. It's bundled within each app. And it's the responsibility of the app publisher to update. Falkon, for example, is abandoned on Windows as the publisher is no longer updating it. As a general rule, we don't rebuild apps or the components within. If you'd like a specific app changed, contact the publisher. If you'd like to be responsible for rebuilding Falkon for each new Qt Webengine release on an ongoing basis, please fork it and let us know.

As for security within Firefox and Chrome, please feel free to contact the publishers and discuss their privacy, tracking, and other policies. That doesn't involve us at all. And we can't alter the default settings when distributing as it would violate our licensing agreement.

As for Firefox ESR, it's available on our site and in our platform and has been for years. It is primarily intended for organizations (universities and corporations) so is hidden by default in the PA.c App Store until you enable Advanced Apps. Stable branch is recommended for end users as per Mozilla. If you disagree and want it renamed to Unstable, please discuss it with them.

As for abandoned browsers, there are multiple. QupZilla was already labeled as Discontinued when you posted this. The others are now as well.

As for Gopher, all the major browsers abandoned it a while ago because it's barely used anymore. If you have a specific app like Gopherus you'd like added to the app directory, you can request it in the Request Apps forum. A developer may be interested and offer to do it. Note you'll have the best luck if you offer to package and maintain it yourself as otherwise you're asking someone else to work for free.

On a related note, you may be interested in the Gemini protocol, for which I packaged Lagrange Portable.

As for closed source software, you're free not to use it. The platform even has a setting to hide it in the app directory. For other apps you'd like to see, again, please request them in the Request Apps forum.

Sometimes, the impossible can become possible, if you're awesome!
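The two posts above disagree on the consequence of bundling rather than sharing libraries, but they agree on the fact itself: on Windows each app ships its own copy of libraries such as vcruntime140.dll or OpenSSL, so a fix lands only when every app that carries a copy is rebuilt. The practical check that follows from that is to find out which copies are actually present and whether they differ in version. The PowerShell script below is an added example for doing exactly that over a PortableApps directory tree; it is not code from PortableApps.com or from any of the posters. The root path and the DLL name patterns are assumptions chosen for the example and should be adjusted to the installation being checked.

```powershell
# Added example (not PortableApps' own code): inventory bundled copies of
# selected runtime libraries under a PortableApps root and report, per
# library, how many copies exist, how many distinct file versions they
# carry, and which app holds the oldest one. Several distinct versions of
# the same DLL means at least one app is still shipping an older build.
function Get-BundledLibraryReport {
    param(
        # Placeholder root; point this at the drive/folder holding the apps.
        [string]$Root = 'D:\PortableApps',
        # Assumed patterns for libraries that are commonly bundled per app.
        [string[]]$Patterns = @(
            'vcruntime*.dll',        # Visual C++ runtime mentioned in the thread
            'libssl*.dll',           # OpenSSL
            'libcrypto*.dll',        # OpenSSL
            'Qt5WebEngineCore.dll'   # Qt WebEngine, the library behind Falkon
        )
    )

    $rootTrimmed = $Root.TrimEnd('\')

    # One record per matching file, with the top-level app folder it lives in.
    $hits = foreach ($pattern in $Patterns) {
        Get-ChildItem -Path $rootTrimmed -Filter $pattern -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $relative = $_.FullName.Substring($rootTrimmed.Length).TrimStart('\')
                $fileVersion = $_.VersionInfo.FileVersion
                [pscustomobject]@{
                    Library  = $_.Name
                    App      = ($relative -split '\\')[0]
                    # Some DLLs have no version resource; say so instead of leaving a blank.
                    Version  = if ($fileVersion) { $fileVersion.Trim() } else { '(no version resource)' }
                    Modified = $_.LastWriteTime
                    Path     = $_.FullName
                }
            }
    }

    # Summary per library name: copies, distinct versions, and the app whose
    # copy has the oldest modification time (a rough hint, not proof of a
    # vulnerable build; compare the version against the vendor's release notes).
    $summary = $hits | Group-Object Library | ForEach-Object {
        $versions = @($_.Group.Version | Sort-Object -Unique)
        $oldest   = $_.Group | Sort-Object Modified | Select-Object -First 1
        [pscustomobject]@{
            Library          = $_.Name
            Copies           = $_.Count
            DistinctVersions = $versions.Count
            OldestCopyIn     = $oldest.App
            OldestModified   = $oldest.Modified.ToString('yyyy-MM-dd')
        }
    }

    [pscustomobject]@{
        Summary = $summary
        Details = $hits | Sort-Object Library, Version, App
    }
}

# Usage: print the per-library summary, then every copy found.
$report = Get-BundledLibraryReport -Root 'D:\PortableApps'
$report.Summary | Format-Table -AutoSize
$report.Details | Format-Table Library, App, Version, Modified -AutoSize
```

The summary is the part worth reading first: a library with several distinct versions across apps is the situation the first post describes, and the detail table tells you which app folder to look at. Version strings from the resource header are compared only for equality here, because vendors format them inconsistently; deciding whether a given version is affected by a known bug still means checking the library publisher's release notes.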

SimonGeek
Joined: 2022-07-24 01:22
The question was specific

It's not so much about discussing the presence of abandoned software (which, however, could be hidden from site visitors until forks are created in the future); many users would prefer to have a browser without any telemetry. The question that the user posted (which isn't even mentioned in your answer) was specific: it asked for a portable version of LibreWolf. I point out that there is other 64-bit-only software on this site, so I don't think it's a problem to include LibreWolf in the list as well. LibreWolf actually already has its own launcher, but it is written in AutoHotkey and is very slow in carrying out cleaning procedures; it also doesn't have a proper structure to prevent overwriting user settings. Finally, LibreWolf has already been requested as a portable app.

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
Feel Free

As I mentioned, you're free to work on a package of LibreWolf based on my Firefox Portable work. We didn't support 64-bit-only apps a year and a half ago, but we do now. Please confine app requests to the app request forum and any additional requests for LibreWolf to that topic.

Sometimes, the impossible can become possible, if you're awesome!
