Possibility of malicious apps in OpenStore

jezek · 24 Mar 2024, 16:57

I don't know any malicious app in OpenStore, but...

Can OpenStore be hijacked like Snapstore with malicious apps, like in the SnapStore case with malicious bitcoin wallets?

They had to switch to manual review.
https://linuxiac.com/snap-store-now-requires-manual-review-for-the-apps/

From what I read/saw about the apps, they were all web-app like apps, that gave the (only) possibility to import a wallet and then sent all private data to attacker. Isn't this possible to do within a coffined app in Ubuntu Touch too?

dobey · 24 Mar 2024, 19:55

@jezek said in Possibility of malicious apps in OpenStore:

Isn't this possible to do within a coffined app in Ubuntu Touch too?

It's possible to do on any system, really, and has nothing to do with the app store side of things. And nothing really stops users from opening malicious sites that might do such things, in a browser, either.

AppLee · 27 Mar 2024, 21:14

Hi @jezek

The simple answer is if you give an app access to any data, they can do whatever they want so be careful who you entrust with your data.

To be more Ubuntu Touch specific, IIRC the internet connection is granted for all app.
So everything handled by the app can leak to anywhere in the world.
The confinement in Ubuntu Touch prevents access to your camera or microphone, your address book, pictures that the user didn't grant specifically.

And of course comments can be used to report eventual code reviews or analysis of external connections.

dobey · 27 Mar 2024, 21:18

@AppLee said in Possibility of malicious apps in OpenStore:

To be more Ubuntu Touch specific, IIRC the internet connection is granted for all app.

It is not. An app must specify the "network" profile in its apparmor config, IIRC, to be able to access the internet.

AppLee · 27 Mar 2024, 21:21

You're right @dobey

What I wanted to say is that I don't think the user is prompted and can revoke this right except by uninstalling the app.
When for the camera, the GPS location or a contact there is a prompt to allow it explicitly.

kugiigi · 28 Mar 2024, 06:54

Embedded webviews are probably the most dangerous since the dev can inject malicious stuffs. They can't do malicious things with your local data but they can with your online data and information

domubpkm · 28 Mar 2024, 09:29

@kugiigi The basis is therefore that Sapot and Morph are safe and we want to think that this is the case as we have confidence in developers.

kugiigi · 29 Mar 2024, 15:51

@domubpkm That's the idea yes. I mean that's true in everything. We live in a trust-based society

Speaking of, I think we also need OpenStore to require publishing apps straight from their public repo if they're open source. Because for example me, I'm lazy so I haven't setup to automatically publish builds from repo. I can technically build my apps with malicious codes and publish that without showing those codes in the public repo

ikoz · 29 Mar 2024, 16:18

@kugiigi That is what Fdroid does, if I remember correctly. You submit an app via a pull request, a bot checks the source code and if everything is fine a person reviews the app and it is built on theirs servers from the git repo.

arubislander · 29 Mar 2024, 17:16

@kugiigi closed source apps are currently allowed in the Open Store, as long as they are confined.

Of course it is now evident that apps accessing the network should be under more scrutiny. Too bad that is most apps nowadays.