UBports Forum

Possibility of malicious apps in OpenStore

Off topic
    • J Offline
      jezek
      last edited by 24 Mar 2024, 16:57

      I don't know any malicious app in OpenStore, but...

      Can OpenStore be hijacked like the Snap Store with malicious apps, like in the Snap Store case with malicious bitcoin wallets?

      They had to switch to manual review.
      https://linuxiac.com/snap-store-now-requires-manual-review-for-the-apps/

      From what I read/saw about the apps, they were all web-app-like apps that gave the (only) possibility to import a wallet and then sent all private data to the attacker. Isn't this possible to do within a confined app in Ubuntu Touch too?

      jEzEk

      D A 2 Replies Last reply 24 Mar 2024, 19:55 Reply Quote 0
      • D Offline
        dobey @jezek
        last edited by 24 Mar 2024, 19:55

        @jezek said in Possibility of malicious apps in OpenStore:

        Isn't this possible to do within a confined app in Ubuntu Touch too?

        It's possible to do on any system, really, and has nothing to do with the app store side of things. And nothing really stops users from opening malicious sites that might do such things, in a browser, either.

        1 Reply Last reply Reply Quote 0
        • A Offline
          AppLee @jezek
          last edited by AppLee 27 Mar 2024, 21:14

          Hi @jezek

          The simple answer is if you give an app access to any data, they can do whatever they want so be careful who you entrust with your data.

          To be more Ubuntu Touch specific, IIRC the internet connection is granted for all apps.
          So everything handled by the app can leak to anywhere in the world.
          The confinement in Ubuntu Touch prevents access to your camera or microphone, your address book, pictures that the user didn't grant specifically.

          And of course comments can be used to report eventual code reviews or analysis of external connections.

          D 1 Reply Last reply 27 Mar 2024, 21:18 Reply Quote 0
          • D Offline
            dobey @AppLee
            last edited by 27 Mar 2024, 21:18

            @AppLee said in Possibility of malicious apps in OpenStore:

            To be more Ubuntu Touch specific, IIRC the internet connection is granted for all apps.

            It is not. An app must specify the "network" profile in its apparmor config, IIRC, to be able to access the internet.

            A 1 Reply Last reply 27 Mar 2024, 21:21 Reply Quote 0
            • A Offline
              AppLee @dobey
              last edited by 27 Mar 2024, 21:21

              You're right @dobey

              What I wanted to say is that I don't think the user is prompted and can revoke this right except by uninstalling the app.
              Whereas for the camera, the GPS location or a contact, there is a prompt to allow it explicitly.

              1 Reply Last reply Reply Quote 0
              • K Offline
                kugiigi
                last edited by 28 Mar 2024, 06:54

                Embedded webviews are probably the most dangerous since the dev can inject malicious stuff. They can't do malicious things with your local data but they can with your online data and information 😅

                D 1 Reply Last reply 28 Mar 2024, 09:29 Reply Quote 0
                • D Offline
                  domubpkm @kugiigi
                  last edited by 28 Mar 2024, 09:29

                  @kugiigi The basis is therefore that Sapot and Morph are safe and we want to think that this is the case as we have confidence in developers.

                  K 1 Reply Last reply 29 Mar 2024, 15:51 Reply Quote 1
                  • K Offline
                    kugiigi @domubpkm
                    last edited by 29 Mar 2024, 15:51

                    @domubpkm That's the idea, yes. I mean that's true in everything. We live in a trust-based society 😄

                    Speaking of, I think we also need OpenStore to require publishing apps straight from their public repo if they're open source. Because, for example, I'm lazy so I haven't set up automatic publishing of builds from the repo. I can technically build my apps with malicious code and publish that without showing that code in the public repo 😄

                    I A 2 Replies Last reply 29 Mar 2024, 16:18 Reply Quote 1
                    • I Offline
                      ikoz @kugiigi
                      last edited by 29 Mar 2024, 16:18

                      @kugiigi That is what F-Droid does, if I remember correctly. You submit an app via a pull request, a bot checks the source code and, if everything is fine, a person reviews the app and it is built on their servers from the git repo.

                      May the source be with you

                      1 Reply Last reply Reply Quote 1
                      • A Offline
                        arubislander @kugiigi
                        last edited by 29 Mar 2024, 17:16

                        @kugiigi closed source apps are currently allowed in the Open Store, as long as they are confined.

                        Of course it is now evident that apps accessing the network should be under more scrutiny. Too bad that is most apps nowadays.

                        🇦🇼 🇳🇱 🇺🇸 🇪🇸
                        Happily running Ubuntu Touch
                        Google Pixel 3a (20.04 DEV)
                        JingPad (24.04 preview)
                        Meizu Pro 5 (16.04 DEV)

                        1 Reply Last reply Reply Quote 0
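
The thread's two technical points, that network access is declared in an app's AppArmor config and that network-using apps deserve more scrutiny, can be turned into a simple pre-install or store-side check. The sketch below is an added example and is not part of any post or of OpenStore's own tooling. It assumes the click AppArmor manifest is JSON with a `policy_groups` list, that the group names are `networking` and `webview`, and that unconfined apps carry `"template": "unconfined"`; the sample manifests are constructed.

```python
import json

# Assumed group names: "networking" and "webview" as used in Ubuntu Touch
# click AppArmor manifests (the thread refers to the former as "network").
EGRESS_GROUP = "networking"
WEBVIEW_GROUP = "webview"


def audit_manifest(text):
    """Return a list of review findings for one AppArmor manifest (JSON text)."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError:
        return ["manifest is not valid JSON: review by hand"]
    if not isinstance(manifest, dict):
        return ["manifest is not a JSON object: review by hand"]

    raw = manifest.get("policy_groups", [])
    if not isinstance(raw, list):
        return ["policy_groups is not a list: review by hand"]
    groups = {g for g in raw if isinstance(g, str)}

    findings = []
    if manifest.get("template") == "unconfined":
        findings.append("unconfined template: the sandbox does not apply")
    if EGRESS_GROUP in groups:
        findings.append("network access: anything the app handles can leave the device")
        if WEBVIEW_GROUP in groups:
            findings.append("network + webview: the loaded page sees what the user types")
    return findings


def review_queue(manifests):
    """Map app name -> findings, keeping only apps that need a closer look."""
    queue = {}
    for name, text in manifests.items():
        findings = audit_manifest(text)
        if findings:
            queue[name] = findings
    return queue


# Constructed sample manifests, not taken from any real OpenStore app.
SAMPLES = {
    "wallet-webapp": '{"policy_groups": ["networking", "webview"], "policy_version": 20.04}',
    "offline-notes": '{"policy_groups": ["content_exchange"], "policy_version": 20.04}',
    "legacy-tool": '{"template": "unconfined", "policy_groups": [], "policy_version": 16.04}',
}

if __name__ == "__main__":
    for app, findings in review_queue(SAMPLES).items():
        print(app, "->", "; ".join(findings))
```

A finding here only marks an app for closer review; it says nothing about whether the app is malicious.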