
Released on 28.02.25

Highlighting the security flaws in Electron apps

First of all, to the approx. 2 people of whom 3 are federal agents and/or scrapers, I am slowly making a return and will try to post more content in the future.

While attempting to learn UML, I was faced with a quite unforeseen issue, and that is the sheer amount of different software and websites that offer very different but at the same time similar implementations and methods to create UML. First, they must match the newest UML spec, then they have to implement it to the actual spec and not some Frankenstein fork, and THEN their product has to also work properly. You'd think that these are the minimum requirements for a program that is made specifically to design UML charts. Apparently not! This post isn't about UML, but it has led me to this piece of software, which made me realize how insecure Electron applications are.

This journey starts with StarUML, as it is the only easy-to-use and beginner-friendly UML application that runs locally and works. Every other app I tried had either very broken UIs or outright refused to start. I could have tried to fix the issues, but since I had other things to do I was not thrilled, to say the least. So how is this related to application security? You see, when browsing the install directory you will notice a quite large file ending in .asar. Running the file command on it reveals that it is some kind of archive. Interesting.

Searching online tells us that we can simply use the asar command-line tool to unpack the archive and view its contents. It appears to be a normal Node project, and looking into src/ confirms that assumption. We can now browse the entire application's code, with original comments, variable names and formatting unchanged from how it left the developer's computer. No attempt was made at obscuring the functionality of the code: no packing, no minification, no obfuscation. This then led me to search for the license check, in an attempt to confirm whether this was indeed the code that runs when you launch the program.

By modifying a few lines and returning a license that is always valid we can test this. We go to the root directory with the extracted files and use asar to pack the modified code into one archive again. When you now launch StarUML and check its registration information, you will indeed be registered as a PRO user. Literally 0 effort and no DRM, not even an integrity check on the archive. It is simply hilarious how a company expects people to pay while having such a basic flaw. It reminds me of this meme:

OF COURSE I'd never encourage piracy and thus do not recommend anyone do this !!

No, but seriously, this is not the first time I have encountered this kind of package, and it is hilarious time and time again how easy it is to rip the entire codebase, including everything, with no difficulty. It makes me wonder why there is no competitor in that market that is that user-friendly and simple. Well, either way, devs should not rely on their users' inability to use a computer and a browser to protect their products. I keep circling around what I am trying to say: I enjoy them making it so easy for me to view the code, but it also raises some serious questions. My conclusion is that they do not give a fuck, because the people in charge are probably too incompetent and the devs are collecting their easy paycheck while developing basically OSS.

Miep