Canonical Addresses Ubuntu Linux Snap Store's 'Security Failure' (betanews.com)
Last week, an app on the Ubuntu Snap Store caused a stir when it was found to be riddled with a script programmed to mine cryptocurrency, a phenomenon that has been found in several popular application stores in recent months. Canonical promptly pulled the app from the store, but offered little explanation at the time. On Tuesday, the Ubuntu maker addressed the matter in detail. From a report: The big question is whether or not this is really malware. Canonical also pondered this and says the following. "The first question worth asking, in this case, is whether the publisher was in fact doing anything wrong, considering that mining cryptocurrency is not illegal or unethical by itself. That perspective was indeed taken by the publisher in question here, who informed us that the goal was to monetize software published under licenses that allow it, unaware of the social or technical consequences," the company wrote in a blog post.
"The publisher offered to stop doing that once contacted. Of course, it is misleading if there is no indication of the secondary purpose of the application. That's in fact why the application was taken down in the store. There are no rules against mining cryptocurrencies, but misleading users is a problem," it added.
Unfortunately, Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store. Instead, it puts the onus on the user to do their due diligence by investigating the developer before deciding to trust them.
Why would they ever want to take on such liability, especially for only “a small amount of money”? No one is gonna open themselves up to potential legal liability like that.
I believe this attitude of Canonical to be highly problematic. The tight integration of Snap packages from their "store" into how software is managed on newer Ubuntu systems gives users the impression that the software that can be installed in this way has at least been curated to some extent by Canonical. I don't think an inexperienced user will be able to easily understand the difference between a Snap package and a standard APT/dpkg package that is part of the underlying distribution. And because the software is not actually curated at all, this creates a false sense of security. Apple and Google are also not great here, but given the volume of apps on Android and iOS they've at least thrown some resources at the problem instead of burying their heads in the sand like Canonical is doing.
This is not the first place where Canonical has been horrible in this regard, if you look at how PPAs have been handled in the past. Get a launchpad account and you can upload anything you want - and a single call to "apt-add-repository" will enable that PPA on a local system - without any real indication to the user what the consequences of adding an APT repository actually are. In that sense Snap packages are actually an improvement here, because at least those don't get auto-root on your system.
That said: at least Canonical is doing other stuff right here - if I look at how people do development / DevOps nowadays, I'm actually quite impressed that not many more people have been owned already. "Oh, let me base my Docker container on some random image I found, which in turn is based on some other image, which in turn is based on yet another image, etc. because 10 random anonymous strangers would never introduce malware at some point in that chain.", "Build systems that auto-download stuff from the web without doing signature checks - what could possibly go wrong?"
Do these sandboxes allow the user to see how much CPU is being used and what the application is doing on the network? If so then I don't see what the problem was here. I assume the user could see how much CPU and network the app was using, and decide from there whether they liked the app or whether they wanted to find a more efficient one. Does it really matter whether the app was using the CPU to mine bitcoin vs. just being written really inefficiently and wasting CPU time and network resources on nothing of value? Either way it's just a shitty app.
Perhaps software should be up-front about this, but assuming a good sandbox, this wasn't a "security failure" at all.
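As an added illustration (not from the article or any of the commenters), the snap confinement model does let a user see what an app can reach: `snap connections <name>` lists the interfaces a snap is plugged into. The script below parses a constructed copy of that output and flags the connected interfaces that matter for the question above (network reach, access to the user's files); the four-column layout (Interface, Plug, Slot, Notes) and the `-` marker for an unconnected plug are assumed from snapd's usual table.

```python
"""Flag sensitive interface connections from `snap connections <snap>` output."""
import subprocess
from typing import Dict, List

# Interfaces worth a second look before trusting an unreviewed snap.
SENSITIVE = {
    "network": "outbound network access (what a hidden miner needs)",
    "network-bind": "can listen on the network",
    "home": "read/write access to non-hidden files in $HOME",
    "removable-media": "access to mounted USB drives",
    "x11": "X11 access (keystrokes, screen contents)",
}

# Constructed sample of `snap connections example-app`; a '-' in the Slot
# column means the plug is declared but not connected.
SAMPLE_OUTPUT = """\
Interface        Plug                         Slot              Notes
home             example-app:home             :home             -
network          example-app:network          :network          -
network-bind     example-app:network-bind     -                 -
desktop          example-app:desktop          :desktop          -
"""


def parse_connections(text: str) -> List[Dict[str, str]]:
    """Parse the whitespace-separated table into one dict per row."""
    rows = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for ln in lines[1:]:  # skip the header row
        parts = ln.split()
        if len(parts) < 4:
            continue
        rows.append({"interface": parts[0], "plug": parts[1],
                     "slot": parts[2], "notes": parts[3]})
    return rows


def sensitive_connected(rows: List[Dict[str, str]]) -> Dict[str, str]:
    """Return {interface: reason} for sensitive interfaces that are actually connected."""
    return {r["interface"]: SENSITIVE[r["interface"]]
            for r in rows
            if r["interface"] in SENSITIVE and r["slot"] != "-"}


def audit_snap(name: str) -> Dict[str, str]:
    """On a real system, run `snap connections <name>` and report sensitive connections."""
    out = subprocess.run(["snap", "connections", name],
                         capture_output=True, text=True, check=True).stdout
    return sensitive_connected(parse_connections(out))


if __name__ == "__main__":
    for iface, why in sensitive_connected(parse_connections(SAMPLE_OUTPUT)).items():
        print(f"{iface:14} {why}")
```

Note that a connected `network` plug only tells you the app *can* reach the network; pairing this with a look at the snap's CPU time (e.g. `top` filtered to the snap's processes) is what actually answers whether it is burning cycles in the background.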
If the user is expecting the program to mostly do one thing and it mostly does some other thing, hiding that fact deep in the EULA doesn't excuse it. It's a deliberate attempt to deceive.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"