Canonical finally comments on Ubuntu Linux Snap Store security failure
Over the weekend, we reported on an Ubuntu Snap Store app that had a hidden cryptocurrency miner. This was a disappointing discovery, as users' machines were being hijacked to earn money for the developer.
With that said, it wasn't necessarily malware, as it did not cause harm to the computer, nor did it steal data or install a backdoor. Nevertheless, Canonical pulled the offending app and the developer's other submissions. The apps will eventually be re-listed without the mining code. Today, the company breaks its silence, finally commenting officially on this fiasco.
The big question is whether or not this is really malware. Canonical also pondered this and says the following.
The first question worth asking, in this case, is whether the publisher was in fact doing anything wrong, considering that mining cryptocurrency is not illegal or unethical by itself.
That perspective was indeed taken by the publisher in question here, who informed us that the goal was to monetize software published under licenses that allow it, unaware of the social or technical consequences. The publisher offered to stop doing that once contacted.
Of course, it is misleading if there is no indication of the secondary purpose of the application. That’s in fact why the application was taken down in the store. There are no rules against mining cryptocurrencies, but misleading users is a problem.
Unfortunately, Canonical concedes that it simply doesn't have the resources to review all code submitted to the Snap Store. Instead, it puts the onus on the user to do their due diligence by investigating the developer before deciding to trust them.
One of the most challenging aspects of running a modern software repository is just making sure that the published software is indeed only doing what it’s supposed to. In the classic Ubuntu repositories, we have the great privilege to work only with software built on trusted infrastructure, from source. That has obvious advantages but also requires a very long time for new bits to show up for millions of users. Snaps enable a much more direct path for publishers to deliver their software to users across a wide range of Linux distributions, ensuring that those apps are securely confined.
App Stores for iOS, Android and Windows follow some standard patterns for quality and security control – automated checkpoints that packages must go through before they are accepted, and manual reviews by a human when specific issues are flagged. The Snap Store implements both of these patterns.
Even then, the inherent complexity of software means it’s impossible for a large scale repository to only accept software after every individual file has been reviewed in detail. That’s true whether source code is available or not as no institution can afford to review hundreds of thousands of incoming source code lines every single day. Because of that, the most successful trust model is based on the origin of the software, not its content. In other words, trust the publisher rather than the application itself.
It’s also particularly useful to be able to say more accurately what we are trusting the software with. It’s better to say “we trust Pauline’s software to access the camera” than to have a binary view of trust. The technology implemented in snap packages is a major step in the right direction as it allows that trust to be defined with very high levels of granularity, using modern Linux kernel security capabilities. It allows answering questions such as whether the snap wants access to a web camera, or has the ability to access files in the home directory, for example, and also allows having an opinion about it, for instance revoking that access, and many other sensible variants of that. But even then, the concept of trust is still present and important.
Imagine, for example, that someone installs a web browser published by an unknown party. Even if the only thing that this web browser has access to is its own storage space, the display, and the network, it remains that all of the data flowing through that browser is at stake. There’s no way around trusting the publisher to be honest and careful before using it.
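As an added illustration of the interface-level trust Canonical describes above (this is not code from the article or from Canonical), the shell snippet below parses a constructed sample of `snap connections` output for a hypothetical snap named `demo`, lists the sensitive interfaces that are currently connected, and prints the `snap disconnect` commands a user would run to revoke them. The sample lines and the snap name are assumptions; the column layout follows `snap connections`, but the output is made up rather than captured from a real system.

```shell
#!/bin/sh
# Constructed sample of `snap connections demo` output (assumption: not real captured output).
# A Slot of "-" means the plug exists but is not connected.
SAMPLE_CONNECTIONS='Interface        Plug                  Slot      Notes
camera           demo:camera           :camera   -
home             demo:home             :home     -
network          demo:network          :network  -
removable-media  demo:removable-media  -         -'

# Interfaces a cautious user would want to review before trusting an unknown publisher.
SENSITIVE_IFACES="camera home removable-media"

# Print the sensitive interfaces that are currently connected for the snap.
list_connected_sensitive() {
  printf '%s\n' "$SAMPLE_CONNECTIONS" | awk -v sensitive="$SENSITIVE_IFACES" '
    BEGIN { n = split(sensitive, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
    NR == 1 { next }                       # skip the header row
    $3 != "-" && ($1 in want) { print $1 } # connected (slot present) and sensitive
  '
}

# Emit the commands that would revoke those connections; nothing is executed here.
revoke_commands() {
  list_connected_sensitive | while read -r iface; do
    printf 'snap disconnect demo:%s\n' "$iface"
  done
}

revoke_commands
```

On a real system the same audit is `snap connections <snap>` followed by `snap disconnect <snap>:<interface>` for anything the publisher has not justified; the sample here only stands in for that output so the script runs offline.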
But the company is not simply washing its hands of the situation and telling users to proceed at their own risk. It does have concrete plans to harden the Snap Store.
Several years ago when we started the work on snap packages, we understood that we could not instantly implement an alternative that was completely safe from all perspectives. In addition to being safe, it had to be useful. So the challenge we gave ourselves was to significantly improve the situation immediately, and then pave the road for incremental improvements that could be rolled out gradually.
Our roadmap continues to reflect these choices: we have very interesting security features in the works that will improve the safety of the system and also the experience of people handling software deployments in servers and desktops.
As just one example that is relevant in the context of this event, a simple but fairly effective feature that we are working on is the ability to flag specific publishers as verified. The details of that will be announced soon, but the basic idea is that it’ll be easier for users to identify that the person or organization publishing the snap are who they claim to be. The need for trust still remains but it will help users inform their decision further before installing.
Other features are more gradual and less visible, such as the regular encoding of new interfaces that allow mediating other aspects of the system, or the upstreaming of all the AppArmor kernel patches, allowing more Linux distributions to benefit from additional confinement capabilities.
Some folks may say Canonical isn't doing enough, but I would argue that the Ubuntu-maker is simply doing the best it can given its limited resources. Look, the company doesn't have Apple, Google, or Microsoft money, and even if Canonical had unlimited funds, it would still be impossible to catch 100 percent of nefarious apps. In other words, this isn't the last time such a discovery will be made in the Snap Store -- or any other app store for that matter.