Ubuntu to Manually Review Snap Store After Crypto Wallet Scams


The Snap Store, where containerized Snap apps are distributed for Ubuntu’s Linux distribution, has been under attack for months through fake crypto wallet downloads that seek to steal users’ coins. As a result, engineers at Ubuntu’s parent company, Canonical, now manually review apps uploaded to the store before they are made available.

The move follows weeks of reports from Alan Pope, a former Canonical/Ubuntu member of the Snapcraft team who is still very active in the ecosystem. In February, Pope wrote in a blog post that a bitcoin investor had lost nine bitcoins (about $490,000 at that time) using the “Exodus Wallet” app from the Snap Store. Exodus is a well-known cryptocurrency wallet, but this app did not originate from that company. As detailed by one user who asked on the Snapcraft forums what had happened, the wallet promptly transferred its entire balance to an unknown address after the user entered a 12-word recovery phrase (something Exodus warns users never to do).

Pope is careful to point out that cryptocurrencies inherently carry a risk of loss. Still, the Ubuntu App Center, which front-ends the Snap Store for desktop users, had flagged the “Exodus” app as “Safe,” and the web edition of the Snap Store described it as “safe to run.” While Ubuntu describes applications as “safe” in the sense that they run in a container that updates automatically and has runtime confinement (or “in a sandbox”), a green checkmark with “Safe” next to it can easily be misread, especially by a newcomer to Ubuntu, Snaps, and Linux in general.

More than that, Pope’s post emphasizes that writing, packaging, and uploading a Snap to the Ubuntu store produces an app that is “immediately searchable and that anyone, almost anywhere, can download, install, and run” (Pope’s emphasis). He noted that “there are no humans in the loop.”

Mark Shuttleworth, founder of Ubuntu and CEO of Canonical, responded to a similar thread about whether crypto apps should be banned entirely. “I agree that cryptocurrencies are largely a cesspool of vile intentions, even if the math is interesting,” Shuttleworth wrote. For Ubuntu, it was “right to challenge ourselves” to offer more security measures, “even though they will never be perfect.” Making apps safer for people vulnerable to social engineering is “a very complicated problem, yet I think we can and should take it on,” Shuttleworth wrote.

However, he disagreed with banning cryptocurrency apps outright.

After what Shuttleworth described as “a silent war against those actors over the last few months” (which, according to Pope, was still underway earlier this month), Snaps are indeed changing.

On the Snapcraft forums, Holly Hall, a product manager at Canonical, the company behind Ubuntu, wrote last week about a new manual review policy for all new Snap name registrations. Engineering teams will review the registrations and contact publishers to establish the intended name and purpose of each Snap. Registrations “suspected of being malicious or connected to a crypto wallet” will be rejected. A policy on how to properly publish a crypto wallet on the Snap Store is coming, Hall wrote.

As noted by The Register, the sandboxed app platform (and store) Flathub recently made similar changes to its validation process. Flathub now flags apps that make notable changes to their permission requests or package names. Open-source repositories have long been plagued by malicious look-alike downloads, including the PyPI index for Python packages.

Ars has reached out to Canonical for comment and will update if we hear back.
