--- title: "Protect Electron Apps from Heap Snapshot Backdoors | Security Cookbook" description: "Restrict writes to Electron heap snapshot files to the app" doc_version: "1" last_updated: "2026-05-22" canonical: "https://northpole.security/cookbook/protect-electron-apps" --- [Back](https://northpole.security/cookbook) ### Idea Electron apps have compile-time feature flags called "fuses" which verify the integrity of bundled resources. Until recently, those integrity checks would skip V8 heap snapshot files and allow an attacker to run arbitrary JavaScript when the application was opened. The team at Trail of Bits discovered this, and high-profile Electron apps like Slack and 1Password have been updated, but older Electron apps or apps without the integrity fuses enabled can still be backdoored. But why should any process outside the application be able to write its heap snapshot file? With Santa's file access authorization (FAA) rules, you can make sure that, say, only 1Password can write to the heap snapshot in its application bundle. ### Solutions File Access1Password Heap Snapshot Protection Restrict write access to 1Password heap snapshot files Path Literals - • /Applications/1Password.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Resources/v8\*.bin Options Allow Read Access:true Audit Only:false Rule Type:PathsWithAllowedProcesses Processes - • Signing ID:2BUA8C4S2C:com.1password.1password Custom Message Unauthorized modification of 1Password resources is not allowed ### Mitre Attack Tactics [Persistence](https://attack.mitre.org/tactics/TA0003/)[Stealth](https://attack.mitre.org/tactics/TA0005/) Techniques [T1554: Compromise Host Software Binary](https://attack.mitre.org/techniques/T1554/)[T1218.015: Electron Applications](https://attack.mitre.org/techniques/T1218/015/) ### Tags electron1passwordslackheap-snapshot ### Deployment Notes Apply this pattern to any Electron app you want to protect. Replace the app path and signing ID with the appropriate values for each application. ### Resources [Trail of Bits: Electron Fuse BypassTake a look](https://blog.trailofbits.com/2025/09/03/subverting-code-integrity-checks-to-locally-backdoor-signal-1password-slack-and-more/) ## Sitemap - [Home](https://northpole.security/index.md) - [Workshop](https://northpole.security/workshop.md) - [Santa](https://northpole.security/santa.md) - [Features](https://northpole.security/features.md) - [Cookbook](https://northpole.security/cookbook.md) - [Docs](https://northpole.security/docs.md) - [Blog](https://northpole.security/blog.md) - [Glossary](https://northpole.security/glossary.md) - [About](https://northpole.security/about.md) - [Contact](https://northpole.security/contact.md)