Knock knock. Who's there? More scam apps on Canonical's Snap Store!

Quoting: eldaking1) They really should be manually reviewing at least new dev accounts. Checking not only every new app but every update to new app (easy enough to put something harmless and then push the malicious part as an update) is a lot of work, but if any rando can create an account and start publishing apps? That is bad
2) So much work put into containerization/sandboxing, and you just let anyone distribute apps that ask for people's logins. I mean, it is good that apps can't go steal your browser cookies or replace your bootloader, don't get me wrong. But looks like there was some easier, low-tech work (having people check apps for obvious red flags) that needed to be done anyway, and it was not.

Completely agree. This is not something you're going to pick up easily except via manual review.

Quoting: eldaking3) They should ban absolutely all cryptocurrency apps regardless. First they are exceptionally high-risk, but also fuck ponzicoins.

Mark Shuttleworth already voted not to do that: https://www.gamingonlinux.com/2024/02/snap-store-from-canonical-ubuntu-hit-with-another-crypto-scam-app/

Also, Alan Pope's article mentions that someone lost 490k to one of these crypto scam apps.

Quoting: eldaking4) The snap store is a (partial) move from a repository that Canonical actually maintains themselves (maybe badly, but they put the software there and could make all choices) to a store where they are just a middleman, and that lets devs keep control. It is obvious that for them it is less work and more profitable, and that it is attractive for proprietary apps... but this showcases exactly the kind of problem of this approach: you are getting blackbox software from a bunch of randos, not free software from a trusted distro.

This is probably an unpopular opinion, but I want proprietary software on Linux. If the Snap Store is the only way I can download Adobe After Effects, I'm completely willing to do that. The Snap Store and Flathub makes it easier for Adobe to target Linux should they ever change their mind about whether to support it in the next 15 years.

iOS doesn't have this problem on nearly the same scale despite how much more popular their app store is than the Snap Store. Yes, malicious apps have found their way onto the App Store over the past 15+ years, but only a small number of them and not regularly. Almost every app on iOS is proprietary. Yes, they have a lot more manpower to review the apps, but it shows it's possible to safely vet proprietary software.

Preventing this malware from getting on the Snap Store doesn't require analyzing the code. It requires a reviewer to realize this company is impersonating popular finance-related software they did not develop. What's that saying? "When you're wearing rose-tinted glasses, all the red flags just look like flags."


Last edited by pleasereadthemanual on 19 March 2024 at 1:22 pm UTC

Quoting: Boldos

Quoting: kerossinOk, so what's the point of the Snap Store?

I thought the whole point of having a closed and official Canonical-controlled store was trust - you will be getting only legit apps approved by Canonical and not some wild west of community sources.

But since Canonical does no checks it's pointless.

Random user: Hey, this is PayPalV2.
Canonical: Welcome aboard! Don't reply, this was an automated message

Well, the original point of having a Snap store was to have containerized desktop apps on Linux desktop.

Anyway, is this happening on Flathub too, or snap is just more discussed with this issue?

I think you're conflating Snaps themselves and the Snap Store.

I'm not talking about the actual packaging of apps, I'm talking about the place where you get them.

Canonical chose to keep the store itself proprietary and not have the stores configurable in their implementation of snapd.

is jaxxliberty a NSFW app with lot of scams from africa and singapore ?

Quoting: NathanaelKStottlemyer

Quoting: BrokattPopeye is such a great guy. Even though he's left Canonical behind, he's still involved with Ubuntu and Snaps.

Popeye?

Sorry I meant popey ofc :) Alan "popey" Pope used to host the Ubuntu Podcast among a lot of things. A pretty prominent figure in the Ubuntu community and just a lovely nerd.


Last edited by Brokatt on 19 March 2024 at 3:43 pm UTC

They should require that the official project website links to the snap store package to verify that it's from them. Then they can at least do a basic automated verification process.

For hobby repackagers, like the people who wrap old games, just have a big fat "Unverified Publisher, Confined but Potentially Unsafe, Guard your Personal Information" badge.

I have a profoundly insightful contribution to make to the discussion:

I think something like 'Who’s at the door? ... Canonicals snap store' would rhyme better.

Quoting: pleasereadthemanualThis is probably an unpopular opinion, but I want proprietary software on Linux. If the Snap Store is the only way I can download Adobe After Effects, I'm completely willing to do that. The Snap Store and Flathub makes it easier for Adobe to target Linux should they ever change their mind about whether to support it in the next 15 years.

iOS doesn't have this problem on nearly the same scale despite how much more popular their app store is than the Snap Store. Yes, malicious apps have found their way onto the App Store over the past 15+ years, but only a small number of them and not regularly. Almost every app on iOS is proprietary. Yes, they have a lot more manpower to review the apps, but it shows it's possible to safely vet proprietary software.

Preventing this malware from getting on the Snap Store doesn't require analyzing the code. It requires a reviewer to realize this company is impersonating popular finance-related software they did not develop. What's that saying? "When you're wearing rose-tinted glasses, all the red flags just look like flags."

Nah I agree and I think most people would - most games are proprietary, and we aren't just giving up those, plus a lot of other apps including some we might need for work (so not even a choice).

I'm just saying that the model preferred by proprietary apps - a store that sells pre-packaged, ready-to-run software - has this drawback, moving trust from "the people that make your OS" into "a million devs that it is hard to hold accountable". It isn't even about having access to source code to audit it, just about the hands-off approach, about the implicit expectations of developers in each case, etc.

Quoting: eldaking

Quoting: pleasereadthemanualThis is probably an unpopular opinion, but I want proprietary software on Linux. If the Snap Store is the only way I can download Adobe After Effects, I'm completely willing to do that. The Snap Store and Flathub makes it easier for Adobe to target Linux should they ever change their mind about whether to support it in the next 15 years.

iOS doesn't have this problem on nearly the same scale despite how much more popular their app store is than the Snap Store. Yes, malicious apps have found their way onto the App Store over the past 15+ years, but only a small number of them and not regularly. Almost every app on iOS is proprietary. Yes, they have a lot more manpower to review the apps, but it shows it's possible to safely vet proprietary software.

Preventing this malware from getting on the Snap Store doesn't require analyzing the code. It requires a reviewer to realize this company is impersonating popular finance-related software they did not develop. What's that saying? "When you're wearing rose-tinted glasses, all the red flags just look like flags."

Nah I agree and I think most people would - most games are proprietary, and we aren't just giving up those, plus a lot of other apps including some we might need for work (so not even a choice).

I'm just saying that the model preferred by proprietary apps - a store that sells pre-packaged, ready-to-run software - has this drawback, moving trust from "the people that make your OS" into "a million devs that it is hard to hold accountable". It isn't even about having access to source code to audit it, just about the hands-off approach, about the implicit expectations of developers in each case, etc.

You're right. The "pull" model distros use is necessarily more secure than the "push" model stores like Snap and Google Play use. Unfortunately, I also think it's the right model. It's not perfect, but you can definitely do a much better job than Canonical at policing your store. Even Debian can't package all the software you want or need. It's the main reason I run Arch Linux—it's very easy to get software I want up and running through an AUR PKGBUILD someone has written.

Even Flatpak/Snap isn't for everybody; Blackmagic Design thinks their DaVinci Resolve software is too complex to be packaged that way. I can't imagine what Adobe would think if they entertained the idea.

Installing the software you want on Linux should not be this hard. I think the Snap and Flathub idea is the right way to go. Flathub seems to have a lot more moderation, and they're tightening up moderation even though they have had no malware reports thus far.

I realize now that Flathub has actually hit 1.7 billion downloads, not million. It might be more popular than the Snap Store now. It still has fewer apps, though.


Last edited by pleasereadthemanual on 20 March 2024 at 4:39 am UTC

Knock knock. Who's there? Snap. Snap who? Oh snap I got scammed again.