
Desktop App Security

Pencheff statically analyzes desktop application bundles. It classifies the artifact (Electron, Java, .NET, native), unpacks archive-based apps, and inspects configuration and dependencies. The binary is never executed — no detonation sandbox required.

Register a target

Register a Desktop Application target under Mobile & Client Security with the artifact URL (.zip/.jar/binary) and its SHA-256, then commission a scan. Walkthrough: Desktop app static scanning.

What it tests

Sub-type: Checks

Electron: Insecure webPreferences (nodeIntegration:true, contextIsolation:false, sandbox:false, webSecurity:false, allowRunningInsecureContent); dangerous calls (eval, child_process, shell.openExternal); outdated Electron major versions

Java / JAR: Embedded secrets and dangerous patterns across the unpacked tree

.NET / archive: Embedded secrets, configuration exposure

Native (PE/ELF/Mach-O): Printable-string extraction + secrets sweep

Electron checks align with the Electron Security Checklist. Findings are tagged desktop_misconfig and desktop_secrets, each with severity, CWE, the file/setting, and remediation.

⚠️ Honest scope. Archive-based apps (Electron, JAR) get full config + dependency analysis. Opaque native binaries get a strings-based secret sweep; decompiler-grade depth (checksec hardening flags, capa capabilities, .NET/Java decompilation) is beyond this static pass — the report states this per artifact so results are never over-promised.

How it works

  1. Classify — magic-byte sniff (PK archive, MZ PE, ELF, Mach-O) and, for archives, look for app.asar / package.json / *.class.
  2. Unpack — archives extracted with zip-slip and zip-bomb guards.
  3. Analyze — Electron config + dependency checks on text/asar files; secrets sweep across the tree; strings-based sweep for raw binaries.
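The three steps above, condensed into a small standalone checker as an added example; this is illustrative code, not Pencheff's own implementation. It classifies an artifact by magic bytes, walks a constructed in-memory Electron-style zip with zip-slip and zip-bomb guards, and flags the insecure webPreferences, dangerous calls and outdated Electron major from the table. The finding tags, the 50 MB member limit and the MIN_ELECTRON_MAJOR threshold are assumptions for illustration.

```python
import io
import re
import zipfile

# Step 1 signatures (Mach-O covers the common 32/64-bit, big/little-endian magics).
MAGIC = [(b"PK\x03\x04", "archive"), (b"MZ", "pe"), (b"\x7fELF", "elf"),
         (b"\xfe\xed\xfa\xce", "macho"), (b"\xfe\xed\xfa\xcf", "macho"),
         (b"\xce\xfa\xed\xfe", "macho"), (b"\xcf\xfa\xed\xfe", "macho")]
# Step 3 checks from the table above; the Electron threshold is an assumed value.
INSECURE_PREFS = {"nodeIntegration": "true", "contextIsolation": "false", "sandbox": "false",
                  "webSecurity": "false", "allowRunningInsecureContent": "true"}
DANGEROUS_CALLS = ("eval(", "child_process", "shell.openExternal")
MIN_ELECTRON_MAJOR = 28  # assumption for illustration, not the product's cutoff

def classify(data: bytes) -> str:
    """Magic-byte sniff; anything unrecognised falls through to 'unknown'."""
    return next((kind for sig, kind in MAGIC if data.startswith(sig)), "unknown")

def analyze_archive(data: bytes, max_member_bytes: int = 50_000_000) -> list:
    """Step 2 guards plus step 3 text checks; returns (tag, detail) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            name = zi.filename
            if name.startswith("/") or ".." in name.split("/"):  # zip-slip guard
                findings.append(("zip_slip", name))
                continue
            if zi.file_size > max_member_bytes:  # zip-bomb guard on declared size
                findings.append(("zip_bomb", name))
                continue
            text = zf.read(zi).decode("utf-8", "replace")
            if name.endswith("package.json"):
                m = re.search(r'"electron"\s*:\s*"\^?(\d+)', text)
                if m and int(m.group(1)) < MIN_ELECTRON_MAJOR:
                    findings.append(("outdated_electron", m.group(1)))
            for key, bad in INSECURE_PREFS.items():
                if re.search(rf"{key}\s*:\s*{bad}\b", text):
                    findings.append(("desktop_misconfig", f"{key}:{bad}"))
            findings += [("dangerous_call", c) for c in DANGEROUS_CALLS if c in text]
    return findings

def build_sample_zip() -> bytes:
    """Constructed Electron-style bundle (not a real app) with one zip-slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package.json", '{"name":"demo","devDependencies":{"electron":"^22.0.0"}}')
        zf.writestr("main.js", "new BrowserWindow({webPreferences:{nodeIntegration: true,"
                    " contextIsolation: false}});\nshell.openExternal(url);\n")
        zf.writestr("../../etc/evil", "x")  # path traversal entry the guard must skip
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_zip()
    print(classify(sample), analyze_archive(sample))
```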

MCP tool

Exposed to MCP hosts as scan_desktop(session_id, app_path).

See also