Open source Socket Runtime arrives, with aim to drop cloud as a dependency
Web code-based cross-platform app kit offers a P2P alternative
Interview Socket Supply Co introduced Socket Runtime today, an open source runtime for creating native mobile and desktop applications for Linux, macOS, or Windows using web technologies, but with optional peer-to-peer connectivity as a way to supplement or even avoid backend cloud services.
A runtime is an environment for executing code. Web browsers serve as runtimes for JavaScript code. There are also server runtimes like Node.js, Deno, and Bun – for JavaScript apps that run outside of browsers. And there are app runtimes like Electron, Tauri, and Socket Runtime – for JavaScript apps that run locally on desktop devices (and on mobile for the latter two).
Electron, a popular open source framework for building cross-platform apps with web technologies (JavaScript, CSS, HTML), relies on the Chromium browser engine for rendering web pages and the Node.js runtime environment. It pulls together a Node.js main process, for handling server-oriented functions and things like file access, with Chrome renderer processes for presenting HTML-based user interfaces.
"The big problem with Electron is it was never designed to run on mobile," said Paolo Fragomeni, CEO of Socket Supply Co, in an interview with The Register.
Tauri is an open source framework for building mobile and desktop apps for various native platforms using Rust and a WebView for rendering HTML. Tauri apps don't ship with a runtime because the final binary is compiled Rust.
But Fragomeni contends Socket Runtime is preferable because there's no new programming language to learn. "With Tauri, there's Rust, and that's a non-starter for the majority demographic of web developers," he said.
He raised similar objections to Google's Flutter framework. "Flutter again introduces this new language to learn, Dart, which is rather obscure in the big picture," he said, though he conceded that Google "has great engineers working on that stuff."
Fragomeni argues that web technologies are the way to go, echoing JavaScript creator Brendan Eich's rallying cry: "Always bet on JS!"
"We love the web," said Fragomeni. "There're more web developers than any other kinds of developers. The web has the best documentation, the most well known design patterns, and the biggest companies are invested in it."
But browsers, he says, were designed for a specific sort of client-server software, so we've seen efforts like Electron and Tauri (not to mention Capacitor, Cordova, Ionic, NativeScript and React Native) to bring web technology to native app development. These have been welcomed, he says, because targeting multiple platforms is a challenge from a development and a management standpoint.
"It's really difficult to find, hire, and then incentivize and maintain an Android engineer, an iOS engineer, a Windows desktop engineer, a macOS engineer, and a Linux engineer," he said.
"Socket helps web developers to create apps for any OS, desktop, and mobile. And that's using HTML, CSS and JavaScript, or their favorite frameworks."
Socket Runtime also has a size advantage over Electron – it produces much smaller apps. Electron, he says, provides "a 200 megabyte binary basically at the end of the day, whereas Socket ships a 1.5 megabyte binary. And that's a pretty big deal if you want to address emerging markets."
Tauri is competitive in terms of binary size, though Fragomeni takes issue with Tauri's architectural choices for being insecure despite the memory safety advantages available in Rust.
"Tauri, there's great work in it," he said, "but they've carried over the idea of the main process [as seen in Electron]. The main process is this sort of arbitrary process that runs on your computer. It has complete unmitigated access to your computer, and there's no way for a user to have any assurances about what this process would do."
"Socket takes a radically different approach in that we embrace web standards," said Fragomeni. "In web standards, there's a thing called the CSP – content security policy. We use that to actually mitigate, in a fine-grained way, the IPC [inter-process communication] calls that go to the middle layer."
The middle layer, he explains, handles filesystem access, provides UDP over JavaScript, and so on. But it does so using a URI-based scheme. "So I can actually do things like whitelist certain kinds of file system calls or certain paths or certain functions, and I can get really fine-grained control but using a web standard," he said.
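The interview describes an IPC layer in which every call from the web layer to the privileged side is a URI, and an allowlist of commands and paths decides which calls get through. The following is an added JavaScript illustration of that idea, not Socket Runtime's own code: a bridge-side check that parses an IPC URI, matches the command against a policy and normalises the requested path before comparing it with the allowed roots, so that traversal sequences and percent-encoding cannot escape the permitted directory. The `ipc://` scheme, the command names, the `path` query parameter and the policy format are assumptions made for the example.

```javascript
// Added illustration of a URI-based IPC allowlist, in the spirit of the
// policy described in the interview. Not Socket Runtime's code: the ipc://
// scheme, command names and policy shape are assumptions for this example.

// Constructed policy: which bridge commands the web layer may call and, for
// filesystem commands, which directory trees each call may touch.
const POLICY = [
  { command: 'fs.readFile',  paths: ['/app/data'] },
  { command: 'fs.writeFile', paths: ['/app/data/cache'] },
  { command: 'udp.send' },                 // no path constraint
];

// Resolve '.' and '..' segments without touching the real filesystem, so the
// prefix check below sees the path the OS would actually open.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// True when `target` is `root` itself or lies strictly inside it.
// A plain startsWith would let '/app/database' match the root '/app/data'.
function isWithin(root, target) {
  return target === root || target.startsWith(root + '/');
}

// Decide whether one IPC request may reach the middle layer.
// Returns { allowed, reason } so callers can log denials.
function authorize(uri, policy) {
  let url;
  try { url = new URL(uri); } catch (e) { return { allowed: false, reason: 'unparseable URI' }; }
  if (url.protocol !== 'ipc:') return { allowed: false, reason: 'scheme is not ipc:' };

  const command = url.hostname;
  const rule = policy.find(r => r.command.toLowerCase() === command.toLowerCase());
  if (!rule) return { allowed: false, reason: `command not allowlisted: ${command}` };

  if (rule.paths) {
    // searchParams already percent-decodes, so %2F.. and ../ are treated alike.
    const raw = url.searchParams.get('path');
    if (raw === null) return { allowed: false, reason: 'path parameter required' };
    if (raw.includes('\0')) return { allowed: false, reason: 'NUL byte in path' };
    if (!raw.startsWith('/')) return { allowed: false, reason: 'path must be absolute' };
    const resolved = normalizePosix(raw);
    if (!rule.paths.some(root => isWithin(root, resolved))) {
      return { allowed: false, reason: `path outside allowed roots: ${resolved}` };
    }
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed requests, as the web layer might issue them.
const SAMPLE_REQUESTS = [
  'ipc://fs.readFile?path=/app/data/notes.txt',
  'ipc://fs.readFile?path=/app/data/../../etc/passwd',
  'ipc://fs.readFile?path=%2Fapp%2Fdata%2F..%2F..%2Fetc%2Fpasswd',
  'ipc://fs.writeFile?path=/app/data/notes.txt',
  'ipc://fs.writeFile?path=/app/data/cache/blob.bin',
  'ipc://process.exec?cmd=sh',
  'https://example.invalid/',
];

function evaluateAll(requests, policy) {
  return requests.map(uri => ({ uri, ...authorize(uri, policy) }));
}

for (const r of evaluateAll(SAMPLE_REQUESTS, POLICY)) {
  console.log(`${r.allowed ? 'ALLOW' : 'DENY '} ${r.uri}  (${r.reason})`);
}
```

One caveat worth keeping in mind when leaning on CSP for this: a CSP source expression matches scheme, host and path, never the query string, so a directive such as `connect-src ipc://fs.readFile` can restrict which commands the page may call, but a path constraint carried in a query parameter has to be enforced by the receiving side, as the check above does.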
Socket apps, Fragomeni says, rely on the WebView component that now exists within the major operating systems, though in varied forms. "This component is inconsistent across the operating systems, so what we do is we normalize it," he said.
What sets Socket Runtime apart is its peer-to-peer (P2P) support, which Fragomeni says differs significantly from the P2P designs that emerged two decades ago, like the Kademlia distributed hash table.
"The network topologies of today, because of mobile usage patterns, they're completely different from the early 2000s," he explained. "The modern peer-to-peer protocol that we've developed really factors this in. We have a small window of time to satisfy the user. And so we've departed quite a bit from the popular designs of peer-to-peer protocols that we've seen over the last couple of decades, like BitTorrent or libp2p."
Fragomeni says the Socket Runtime P2P spec consists of less than 1,500 lines of code in pure JavaScript. So it can be learned, understood and audited.
The rationale for using P2P, according to Fragomeni, is that it can emancipate developers from costly cloud services.
"My relationship with the cloud is that it's a landlord-tenant relationship," he said. "I'm beholden to Jeff Bezos or whoever, and I'm in a lifelong lease with my product after I build it because there's a lot of pipes to fit together. There's a lot of glue code that connects these different services – a lot of risk basically."
"Cloud is everybody's biggest cost. It's crazy that we're paying so much money to do these sort of mindless ceremonies around piping together these pieces [of apps] that at the end of the day, are not really adding that much value, though they're adding a lot of complexity."
That doesn't mean cloud services like storage aren't appropriate for certain use cases.
"Storage all depends on the access patterns your app has," said Fragomeni. "So for example, if I wanted to build a Notion clone, the data can be distributed to users in the org, because of how our protocol works, data is buffered through the network; the app will continue to work even if people are offline.
"But let's say you have petabytes of film archives that almost no one will access for long periods of time, this would be a great use case for Amazon's Cold Storage."
Asked whether a Socket P2P-enabled app would drain a mobile device battery as it runs in the background, Fragomeni insisted the app would not need to make excessive demands on the user's device. "Statistically, if everybody makes small contributions to building the network, it actually works out pretty well probabilistically," he said. "Then, the reliability part of it, in simulations that we've seen from a corpus of academia, we're able to get high reliability that is equal to the reliability that we see in the cloud."
"P2P doesn't imply in any way that a user's storage or compute resources are up for grabs," he added. "No one except the developer has control over your computational resources, and that's exactly the same as with a web app or native app that uses the cloud."
The Register asked Feross Aboukhadijeh, founder and CEO of Socket Inc – an unrelated open source security company – what he thinks of Socket Runtime.
"Socket Runtime is exciting to developers for a number of different reasons," said Aboukhadijeh, noting that he knows some of the people who work at Socket Supply Co. "For one, they address one of end users' biggest complaints with Electron, the binary size. Electron binaries are large because they include an entire copy of Blink [Chrome's rendering engine] and Node.js. But Socket Runtime uses the OS's native webview, so there's no need to include an entire browser in the binary. Unlike Electron, it also works on mobile."
"The inclusion of P2P as a first-class consideration is super exciting and sets this apart from Electron," he continued. "The benefits of P2P apps are numerous: better privacy since data doesn't need to be stored in the cloud, better offline support, and lower server costs for app creators."
Socket Runtime is free, open source software. To support its continued operation, the company is selling application performance management through an app called Socket Operator.
"Socket Operator, our commercial offering, includes a complementary application performance management product (APM) that is used to diagnose and remediate issues within the Socket apps you build," explained Fragomeni. "There are additional plugins such as one click multi-store deploy in our Operator app, similar to an AWS console, that help developers throughout the entire lifecycle of building their apps."
"It is NOT necessary, you can deploy a commercial app without it. However, if you are deploying a commercial app, having some type of monitoring/APM tool is a best practice (i.e., if anything goes wrong you are going to want to be able to diagnose and fix issues in your application)."
It's perfectly possible to make a Socket Runtime app, build it for a native platform like macOS, and never use any P2P networking. But Fragomeni believes P2P makes sense at a time when so much computation is taking place at the network's edge.
"When we start talking about things like this – replacing the cloud or even supplementing it significantly – it's a pretty big claim," said Fragomeni. "People think the cloud is just getting started. 'How could there be people trying to replace it already?'"
"But I think that it's true, as they say, that everything popular in technology gets replaced by something else. And it's almost always a surprise ... I think as we start to see this proliferation of hardware, and as we start to see this incredible increase of creation of content data towards the network edge ... these round trips to the datacenter, they just stopped making sense after a while." ®