Isolation Pattern in Tauri is a really powerful way to help protect
your Tauri Application’s Core Process from Unnecessary, Unwanted or Malicious Frontend calls.
In this Article, we will take a closer look at
- What is Isolation Pattern in Tauri
- Why we should always use Isolation Pattern in Tauri
- And Finally, Flow of an IPC Message when using Isolation Pattern in Tauri
to get a better understanding on how we can further secure our Tauri Applications from malicious actors.
So, without further ado, let’s get started!
This Article is part of Minimalist Text Editor Using Rust and Tauri Tutorial Series
- Setting Up The Development Environment for Rust Programming Language
- Creating The Rust Project Using Cargo and Understanding Rust Project Folder Structure
- Tauri and Reasons For Using It in Our Rust based Minimalist Text Editor
- Understanding Tauri Multi-Process Architecture, Core Process & WebView Process
- Understanding Tauri Inter-Process Communication (IPC) | Events & Commands
- What is Isolation Pattern in Tauri and Why you should be using it <— You’re Currently Here :p
- Security Features and Practices to understand when Developing Applications using Tauri
What is Isolation Pattern in Tauri
Isolation Pattern can be used by developers of Tauri Applications
to Intercept and Modify the Inter-Process Communication (IPC) Messages from the Frontend i.e. WebView Processes
before they can even reach the Tauri Core Process.
The way this works, is that you have your Frontend i.e. your WebView Processes for your GUI (Graphical User Interface)
and then you have your Tauri Core Process which contains your business logic.
Now, when we use the Isolation Pattern, we are literally injecting a Secure Isolated Application
between the Frontend and the Core Process, such that any IPC Messages like Events or Commands
being passed from the Frontend to the Core Process, will be intercepted by this Isolated Application.
We can then securely verify and modify these intercepted IPC Messages to check for any
Unnecessary, Unwanted or Malicious Requests based on specific criteria.
If we find that everything is how would expect it to be,
the Secure Isolated Application will then Encrypt the IPC Message using the Browser’s SubtleCrypto Implementation
and send it back to the Main Frontend Application
which will then send the Encrypted IPC Message to the Tauri Core Process.
The Tauri Core Process can they decrypt the encrypted IPC Message, to read it like it normally would.
The Developers have also thought about the issue that someone can read the Encryption Keys manually
for a specific version of your Tauri Application,
which can be a huge problem as then that person can modify the Encrypted IPC Message.
So to mitigate this issue, Tauri generates new Encryption Keys, each time your user run your Tauri Application.
Why we should always use Isolation Pattern in Tauri
Developing a modern complex application will often have a lot of Third-Party Dependencies
which will also have their own third party dependencies themselves and so on.
Also a large amount of these dependencies will be bundled into the final binary.
These web of often deeply nested third party dependencies can be an Attack Vector
as if even one of these third-party dependencies gets compromised
and tries to access things that it has no need or right to access,
then your whole application will get compromised.
A very real risk all of us face is what is known as “Supply-Chain Attacks”,
which are usually considered to be attacks on the Direct Dependencies of your project.
Now you should always try your best and do your due diligence to make sure that
the third party dependencies are being maintained regularly and securely, but that is not enough
and these Development Threats are also the reason that Tauri Developers created the Isolation Pattern.
The need for the Isolation Pattern is because of these threat coming from Untrusted Content running on the Frontend.
When developing your Tauri Application you should always assume that the frontend is Compromised
and thus, any communication that’s happening from the Frontend has a high chance of being malicious.
All in all, you should try your best to minimize your external dependencies
and use the Secure Isolation Application to verify the incoming IPC Messages to mitigate malicious requests from Frontend.
Flow of an IPC Message when using Isolation Pattern in Tauri
- Tauri’s IPC handler receives message
- IPC handler —> Isolation Application
- [sandbox] Isolation application hook runs and potentially modifies the message
- [sandbox] Message is encrypted with AES-GCM using a runtime-generated key
- [encrypted] Isolation application —> IPC handler
- [encrypted] IPC handler —> Tauri Core
Note: Arrows (—>) indicate IPC Message Passing.
We will look at how you can Create and Configure
your Tauri Application with Isolation Pattern in the upcoming articles
For now, I just wanted you to understand what Isolation Pattern was
and the reason behind why we should always use Isolation Pattern in Tauri.
This Article is part of Minimalist Text Editor Using Rust and Tauri Tutorial Series
- Setting Up The Development Environment for Rust Programming Language
- Creating The Rust Project Using Cargo and Understanding Rust Project Folder Structure
- Tauri and Reasons For Using It in Our Rust based Minimalist Text Editor
- Understanding Tauri Multi-Process Architecture, Core Process & WebView Process
- Understanding Tauri Inter-Process Communication (IPC) | Events & Commands
- What is Isolation Pattern in Tauri and Why you should be using it <— You’re Currently Here :p
- Security Features and Practices to understand when Developing Applications using Tauri
Conclusion
Well Folks! That does it for this article.
I hope that you found this information on Isolation Pattern in Tauri useful.
In the next article, we delve more into Security Practices when Developing Applications using Tauri.
May you have success in your career whatever it may be.
See you again in the upcoming articles!
Share this post on Social Media platforms, if you think our content is great.
If you like the content and would like to follow us, we are present on the platforms below
Follow Us On Social Media
Goodbye For Now,
This is your host VP
Signing Off.
Articles On Minimalist Text Editor Using Rust Programming Language And Tauri
Setting Up The Development Environment for Rust Programming Language
Creating The Rust Project Using Cargo and Understanding Rust Project Folder Structure
Tauri and Reasons For Using It in Our Rust based Minimalist Text Editor
Understanding Tauri Multi-Process Architecture, Core Process & WebView Process
Understanding Tauri Inter-Process Communication (IPC) | Events & Commands
What is Isolation Pattern in Tauri and Why you should be using it
Security Features and Practices to understand when Developing Applications using Tauri
