Over the years, the software development community has created several tools for making their work easier and more efficient. As a result, building applications has become simpler than ever. But with so many options to choose from, which one would be the best for my project? In terms of flexibility and cost-effectiveness, hybrid apps are the future. We interviewed Tauri co-creator Daniel Thompson-Yvetot to teach us about memory optimization and security on hybrid apps and what his tool brings to the table.
Edited transcript
Daniel Thompson-Yvetot is the co-founder of Tauri, a framework for building hybrid apps. Daniel has been part of the open-source community since the early 2000s. “I always had this mixed drive to facilitate communities and do so in a creative way,” he recalls.
Daniel has seen the industry change in a variety of ways since his early days. In his experience, building apps have become a lot easier, or at least, the barrier of entry has lowered. In the past, says Daniel, “you had to be some kind of C++ ninja or write things in some low-level programming language”. To deal with the complexity of programming, the developer community dedicated efforts to design tools that nowadays allow developers to create more in less time.
How Tauri works
Written in web languages such as HTML, CSS, and JavaScript but capable of accessing the system capabilities, hybrid apps can be smaller than native and web apps. In this way, Tauri is meant, on the one hand, to minimize the memory footprint of its apps, and on the other, to make building apps easier. “We want you to ship a secure app as small as possible, that performs perfectly on every device you ship it to, and that’s the confidence we want you to have when you are building your app,” Daniel sums up.
Unlike Electron and Node.js frameworks, which are written in JavaScript and Node.js respectively, the Tauri backend is written in Rust. On the other hand, Tauri uses the system’s browser engine (known as WebView) to contain applications (WebView2 on Windows, WK WebKit on Mac, and WebKitGTK on Linux), while Electron uses Node.js and Chromium.
According to Daniel, the difference between Tauri and other frameworks starts with the size of their applications. “The application size of an Electron app is never going to be smaller than what it needs from Node.js and what it needs from Chromium,” he says. Given these requirements, apps made by those frameworks are bound to size at least 30 to 40 MB. Tauri, on the other hand, uses the system’s WebView, which allows its apps to go without a dedicated browser engine. Moreover, thanks to Rust’s capabilities, Daniel affirms that “the core of a Tauri app can be several hundred kilobytes.”
Tauri’s WebView-engined applications run on HTML, CSS, and JavaScript. To interact with system components such as the file system, Tauri generally uses JavaScript. WebView command permissions, for their part, are set on the Tauri application configuration.
Message Passing
Tauri adopted message passing to communicate between Rust and the application’s WebView. Message passing is a technique for sending messages to a program process to run code. When a user takes an action on the front end, the WebView sends a message through JavaScript communicating the interaction, e.g. an invoke function, and the permissions the function has. After that, a “listener” on the other side, in the main loop of the Tauri application, checks the file system permissions and returns a structured message with the request.
By using the same system going both ways, Daniel says that they reduced the cognitive load. Moreover, he explains that they chose message passing over other options “to isolate the back end from a potentially dangerous user interface”. Daniel says that by isolating the back end, developers can “qualify the source of the API call so that, for example, illicit code can’t spawn a shell command that deletes your et cetera folder.”
Application bundling
Another security concern in app building is application bundling. According to Daniel, Electron exposes the application binary code in the.ASAR file format that is used to bundle the application. To Daniel, this file is “it’s trivial to decompile; there’s just a command on the command line ASAR.” An attacker can use the file to reverse-engineer the entire source code, which means that “for projects that are not open source, that are potentially proprietary, anyone can copy your app.” By copying and pasting the app, malicious actors can repackage it and make an illicit application that looks just like the original.
When Tauri applications are bundled, in turn, they are hard to decompile. Besides, To update apps without exposing them to vulnerabilities when comparing signatures, Tauri has a built-in updater as a way to ensure it is nearly impossible to have access to low-level systems of the application and reverse-engineering it. As Daniel explains it, “when there’s an update, the update blobs get put on your up update or distribution service, and the latest versions with checksums and public tees, et cetera, are placed inside of a JSON file that you then make available to your app users and well, to the system that the app uses.” Developers can also use this JSON file to configure to which platforms the application will ship. Moreover, the updater grants flexibility in other decisions, such as choosing whether or not to force updates by freezing the app until updating.
Getting started with Tauri
Tauri is available on every platform. The only requirements are a) Rust and b) a JavaScript-based front-end framework, such as Node.js. To Daniel, starting using Tauri comes down to being comfortable with JavaScript or TypeScript. Yet, for those who are new to Rust, he recommends visiting Github’s repository Rustlings to learn the basics of the language.
To understand how Rust works, Daniel advises learning about its compiler. According to Daniel, the Rust compiler was the main differentiator to choose it above other languages for writing Tauri. “It really helps you understand where the mistakes are”, he emphasizes.
Note: You can check Tauri’s Getting Started documentation here.
The bottom line
Visit Tauri.app to learn more about the project, have a peek at its documentation, and learn the first steps toward building your app. You can visit Tauri’s Github repository here, check discussions, and if you have encountered problems when using the program, help the community by filing an issue. Follow Tauri on Twitter and get in touch with the community on its Discord. You can also reach Daniel through his Linkedin.
