28

Yesterday I found out about this application called Franz. Their policy says they don't collect any information about your chats and can't read them (because it's just an application that bundles them all and doesn't serve as sender).

But I was wondering, is it actually more secure to use, for example, WhatsApp Web in Franz instead of the browser? When you use a browser you'd be more vulnerable to browser exploits, no? So, by using Franz you separate your browsing activity from your chats, so your chats are more secure?

TL;DR: Is it more secure to use web-based chat services like e.g. WhatsApp Web in Franz than in your normal browser?

Anders
O'Niel
  • 1
    There is no detailed information available, just claims. This makes this question primarily opinion-based since the answers cannot rely on facts, just unproven claims and assumptions. If you fear mixing WhatsApp Web with the rest of the browsing, just use a different browser or a separate browser profile for this. – Steffen Ullrich Mar 17 '17 at 11:19
  • As of Franz 5 the source code is available on GitHub https://github.com/meetfranz/franz – Waqleh Nov 23 '17 at 12:40

1 Answer

62

> But I was wondering, is it actually more secure to use, for example, WhatsApp Web in Franz instead of the browser?

No, Franz is not inherently more secure than a regular browser.

Under the hood, Franz actually uses a web engine itself, as you can tell from grepping through the binary. It is built with Electron (which is based on Chrome, which uses Blink, a WebKit fork). Further, since Franz combines multiple services, a vulnerability in the app could potentially compromise all your messaging profiles at once. In general I'd be careful about using third-party apps instead of the native clients or their respective web services. Franz in particular is rather new, it's not quite clear who the individual developers are, there is no evidence that the code has ever had a thorough security audit, and it is closed-source, which doesn't necessarily build up trust.


Edit: Doesn't look good.

XSS

In an ordinary web application the impact of this XSS flaw would have been restricted to that particular domain, but in a desktop application it endangers the host itself.

Arminius
  • Oh! I missed that, is there also an open-source alternative supporting Slack, WhatsApp, ...? – O'Niel Mar 17 '17 at 11:43
  • 5
    @O'Niel I'd go with the native clients if possible. – Arminius Mar 17 '17 at 12:00
  • 29
    +1 for actually finding a vulnerability in Franz. You can also run WhatsApp Web in a separate browser installation (like Chrome and Canary) and it would be safer since no extensions could compromise you. Note that WhatsApp Web still sends data through your phone, so if that's compromised your chats are compromised too. – Benjamin Gruenbaum Mar 17 '17 at 13:45
  • 2
    @O'Niel Rambox is an open source alternative, http://rambox.pro/ – Matt Mar 17 '17 at 16:10
  • And would it actually make a difference if I'd use Rambox with something like Firejail? Then I still have the risk that all my chats get compromised, but wouldn't that also be the case if I ran them all in my browser? – O'Niel Mar 17 '17 at 19:26
  • I couldn't understand how this XSS flaw causes the security danger. And does Franz still have this security problem, or do they have any new ones? @Arminius – alper Jul 19 '20 at 14:56
  • Is `rambox.pro` secure to use? @O'Niel – alper Jul 19 '20 at 15:01
  • @alper https://github.com/ramboxapp/community-edition/issues/1765 I don't know, it's actually just a separate webbrowser. I guess it could be safer if you run it in a separate container. – O'Niel Jul 19 '20 at 18:27
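
The answer's two concerns (one bundled app exposing every account at once, and script injection in a desktop wrapper reaching the host) both depend on how an Electron wrapper configures each embedded page. The following is an added example, not code from the answer, Franz or Rambox: a static check over Electron `webPreferences`, where the option names are Electron's and the service list is constructed sample data (the page does not say which settings Franz uses).

```javascript
// Added example: audit the webPreferences an Electron wrapper gives each
// embedded chat service. SAMPLE is constructed, not any real app's config.

// Value each option should have for a page that loads remote content.
const SAFE = {
  nodeIntegration: false,  // true: page script can require() Node modules
  contextIsolation: true,  // false: page shares a JS context with the preload
  sandbox: true,           // false: renderer runs outside the Chromium sandbox
  webSecurity: true,       // false: same-origin policy is disabled
};

function auditServices(services) {
  const findings = [];
  const byPartition = new Map();
  for (const { name, webPreferences: prefs = {} } of services) {
    for (const [key, safe] of Object.entries(SAFE)) {
      if (prefs[key] === undefined) {
        // Defaults differ between Electron releases: require an explicit value.
        findings.push({ service: name, key, issue: 'unset' });
      } else if (prefs[key] !== safe) {
        findings.push({ service: name, key, issue: 'unsafe' });
      }
    }
    // Without a partition the page uses the app's default session, so it
    // shares cookies and storage with every other page that also omits one.
    const part = prefs.partition || '(default session)';
    byPartition.set(part, [...(byPartition.get(part) || []), name]);
  }
  for (const [partition, names] of byPartition) {
    if (names.length > 1) {
      findings.push({ service: names.join('+'), key: 'partition', issue: `shared:${partition}` });
    }
  }
  return findings;
}

// Constructed sample: three bundled services with different settings.
const HARDENED = { nodeIntegration: false, contextIsolation: true, sandbox: true, webSecurity: true };
const SAMPLE = [
  { name: 'whatsapp', webPreferences: { nodeIntegration: true, contextIsolation: false, sandbox: false, webSecurity: true } },
  { name: 'slack', webPreferences: { ...HARDENED, partition: 'persist:slack' } },
  { name: 'telegram', webPreferences: { ...HARDENED } },
];

console.log(auditServices(SAMPLE));
```

On the sample, `whatsapp` is flagged for three unsafe options, and `whatsapp` and `telegram` are flagged for sharing the default session; `slack`, with hardened options and its own partition, produces no findings.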