Desktop App Security
Pencheff statically analyzes desktop application bundles. It classifies the artifact (Electron, Java, .NET, native), unpacks archive-based apps, and inspects configuration and dependencies. The binary is never executed — no detonation sandbox required.
Register a target
Register a Desktop Application target under Mobile & Client Security with the artifact URL (.zip/.jar/binary) and its SHA-256, then commission a scan. Walkthrough: Desktop app static scanning.
What it tests
| Sub-type | Checks |
|---|---|
| Electron | Insecure webPreferences (nodeIntegration:true, contextIsolation:false, sandbox:false, webSecurity:false, allowRunningInsecureContent); dangerous calls (eval, child_process, shell.openExternal); outdated Electron major versions |
| Java / JAR | Embedded secrets and dangerous patterns across the unpacked tree |
| .NET / archive | Embedded secrets, configuration exposure |
| Native (PE/ELF/Mach-O) | Printable-string extraction + secrets sweep |
Electron checks align with the Electron Security Checklist.
Findings are tagged desktop_misconfig and desktop_secrets, each with severity, CWE, the file/setting, and remediation.
Honest scope. Archive-based apps (Electron, JAR) get full config + dependency analysis. Opaque native binaries get a strings-based secret sweep; decompiler-grade depth (checksec hardening flags, capa capabilities, .NET/Java decompilation) is beyond this static pass — the report states this per artifact so results are never over-promised.
How it works
- Classify — magic-byte sniff (PK archive, MZ PE, ELF, Mach-O) and, for archives, look for app.asar / package.json / *.class.
- Unpack — archives extracted with zip-slip and zip-bomb guards.
- Analyze — Electron config + dependency checks on text/asar files; secrets sweep across the tree; strings-based sweep for raw binaries.
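The classify and unpack steps above, as an added example written for this page rather than Pencheff's own pipeline. The size budgets, the compression-ratio threshold and the CAFEBABE disambiguation (Mach-O fat binaries and Java class files share that magic) are assumptions, and the three sample archives are constructed fixtures, one of them a zip-slip path and one a deflate bomb, so the guards can be seen rejecting them.

```python
"""Added example (not Pencheff code): classify a desktop artifact by magic
bytes, refine archives by their contents, and unpack with zip-slip and
zip-bomb guards. Limits below are assumed values to tune per deployment."""
import stat
import struct
import tempfile
import zipfile
from pathlib import Path

MAX_MEMBERS = 50_000                      # assumed budget per archive
MAX_TOTAL_UNCOMPRESSED = 2 * 1024 ** 3    # 2 GiB across all members (assumed)
MAX_COMPRESSION_RATIO = 100               # uncompressed / compressed per member (assumed)


class UnsafeArchive(Exception):
    """Raised when an archive fails a zip-slip or zip-bomb check."""


def classify_bytes(head: bytes) -> str:
    """Coarse artifact class from the first bytes of the file."""
    if head.startswith((b"PK\x03\x04", b"PK\x05\x06")):
        return "archive"
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"\x7fELF"):
        return "elf"
    if head[:4] in (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"):
        return "macho"
    if head[:4] == b"\xca\xfe\xba\xbe" and len(head) >= 8:
        # Shared magic: a fat Mach-O header carries a small nfat_arch here, a
        # Java class file carries minor/major version with major >= 45.
        # The cut-off of 20 is a heuristic, the same idea file(1) uses.
        return "macho" if struct.unpack(">I", head[4:8])[0] < 20 else "java_class"
    return "unknown"


def classify_archive(zip_path) -> str:
    """Refine an archive into electron / java / generic from member names."""
    with zipfile.ZipFile(zip_path) as zf:
        names = zf.namelist()
    if any(n.endswith(("app.asar", "package.json")) for n in names):
        return "electron"
    if any(n.endswith(".class") for n in names):
        return "java"
    return "generic_archive"


def safe_extract(zip_path, dest) -> list[str]:
    """Extract under `dest`, rejecting traversal, symlinks and bomb-like members."""
    dest = Path(dest).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(zip_path) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            raise UnsafeArchive(f"too many members: {len(infos)}")
        total = 0
        # Pass 1: validate every header before writing a single byte.
        for info in infos:
            target = (dest / info.filename).resolve()   # absolute or ../ names escape dest
            if target != dest and dest not in target.parents:
                raise UnsafeArchive(f"zip-slip path: {info.filename}")
            if stat.S_ISLNK(info.external_attr >> 16):
                raise UnsafeArchive(f"symlink member: {info.filename}")
            total += info.file_size
            if total > MAX_TOTAL_UNCOMPRESSED:
                raise UnsafeArchive("declared uncompressed size exceeds budget")
            if info.compress_size and info.file_size / info.compress_size > MAX_COMPRESSION_RATIO:
                raise UnsafeArchive(f"suspicious ratio: {info.filename}")
        # Pass 2: write, re-counting bytes because local headers can lie.
        extracted = []
        for info in infos:
            target = (dest / info.filename).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            written = 0
            with zf.open(info) as src, open(target, "wb") as dst:
                while chunk := src.read(1 << 16):
                    written += len(chunk)
                    if written > info.file_size:
                        raise UnsafeArchive(f"stream larger than declared: {info.filename}")
                    dst.write(chunk)
            extracted.append(target.relative_to(dest).as_posix())
    return extracted


def build_demo_archives(workdir) -> dict[str, Path]:
    """Constructed fixtures: a benign Electron bundle, a zip-slip, a deflate bomb."""
    workdir = Path(workdir)
    good, slip, bomb = (workdir / n for n in ("electron-app.zip", "zip-slip.zip", "zip-bomb.zip"))
    with zipfile.ZipFile(good, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("resources/app/package.json", '{"name":"demo","devDependencies":{"electron":"^22.0.0"}}')
        zf.writestr("resources/app/main.js", "const { app } = require('electron');\n")
    with zipfile.ZipFile(slip, "w") as zf:
        zf.writestr("../../etc/cron.d/evil", "* * * * * root id\n")
    with zipfile.ZipFile(bomb, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("bomb.bin", b"\0" * (4 * 1024 * 1024))   # 4 MiB of zeros deflates to a few KiB
    return {"good": good, "slip": slip, "bomb": bomb}


def run_demo() -> dict:
    """Build the fixtures in a temp dir and run classify + guarded unpack on each."""
    results = {"class": {}, "extract": {}}
    with tempfile.TemporaryDirectory() as tmp:
        paths = build_demo_archives(tmp)
        for name, p in paths.items():
            with open(p, "rb") as f:
                results["class"][name] = classify_bytes(f.read(8))
            try:
                results["extract"][name] = sorted(safe_extract(p, Path(tmp) / name))
            except UnsafeArchive as e:
                results["extract"][name] = f"rejected: {e}"
        results["archive_kind"] = classify_archive(paths["good"])
    return results


if __name__ == "__main__":
    print(run_demo())
```

Both guards run before any byte is written, and the write loop still caps each member at its declared size because a crafted local header can understate it. Per-member ratio checks are a heuristic, so a scanner that needs to accept unusual but legitimate archives should tune MAX_COMPRESSION_RATIO rather than drop the check.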
MCP tool
Exposed to MCP hosts as scan_desktop(session_id, app_path).