Is there any protection against typosquatting on the Snap Store?

Typosquatting package names has been a problem in the past (and still is) for some package management systems, and I’m wondering whether anyone has any further insight into how the Snap Store is affected by this?

For example, is there anything stopping somebody from publishing a package called chronium or fierfox, and waiting for people to mistype the real package names?

With other systems such as the official Ubuntu repositories, mistyping a package name is extremely unlikely to do anything destructive to your system, whereas with Snap, I currently don’t feel this confidence.

Is there any manual approval process for registered names, before the package can be published? How quickly would a typosquatted package name be spotted and taken down?

Thanks for your help,
Jamie

1 Like

In short, yes - and no.

The store team pre-registered a set of common application names - seeded with a list taken from the Ubuntu archive and other places. If you try and register those applications, you’ll get a message indicating as such. Here’s a test I just did to try and register gnome-terminal.

alan@KinkPad-K450:~$ snapcraft register gnome-terminal

We always want to ensure that users get the software they expect
for a particular name.

If needed, we will rename snaps to ensure that a particular name
reflects the software most widely expected by our community.

For example, most people would expect 'thunderbird' to be published by
Mozilla. They would also expect to be able to get other snaps of
Thunderbird as 'thunderbird-$username'.

Would you say that MOST users will expect 'gnome-terminal' to come from
you, and be the software you intend to publish there? [y/N]: y
Registering gnome-terminal.
The name 'gnome-terminal' is reserved.

If you are the publisher most users expect for 'gnome-terminal' then please claim the name at 'https://dashboard.snapcraft.io/register-snap/?name=gnome-terminal'

Otherwise, please register another name.

So, as you can see, the name is pre-registered so we broadly don’t have the problem you’re indicating. The dispute process requires a conversation between the store review team and the developer. We do the necessary due diligence before approving a name registration.

The system isn’t perfect of course. The name gnometerminal could be registered, or some other typo or creative name. Or indeed I could register gnome-terminal-popey.

As GNOME Terminal is an open source application, it would be perfectly within the license for me to publish such an application. However, if a bad actor did that, and attempted to mislead users, the store team would be within their rights under the store terms and conditions to remove it.

We’re very keen to not have misleading or inappropriate content in the store, so will contact developers if we believe their application isn’t following the guidelines. We’ve removed a few applications in the past before, but we always try to enter into a dialog, rather than arbitrarily removing software. The only exception is where we see potential harm to the platform or user systems, in which case we act first - making the application inaccessible for downloads - and contact the developer soon after.

I hope that answers your questions, happy to answer more, or ask the store team for more details.

2 Likes
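As an added example (not code from this thread or from Snapcraft itself), here is a defender-side screen that approximates the reserved-name check described above: it flags candidate names that are a small edit away from a pre-registered name, recognises the 'name-$username' form the store allows, and catches separator-dropping variants such as gnometerminal. The reserved list and the distance thresholds are assumptions constructed for the example.

```python
from typing import Optional, Tuple

# Constructed sample of pre-registered names; the real store seeds its list
# from the Ubuntu archive and other sources, and backs it with a manual
# dispute process, so this is only a screening heuristic (assumption).
RESERVED = {"chromium", "firefox", "thunderbird", "gnome-terminal"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def normalize(name: str) -> str:
    """Drop separators so 'gnometerminal' collides with 'gnome-terminal'."""
    return name.lower().replace("-", "").replace("_", "")


def screen_name(candidate: str, reserved=RESERVED) -> Tuple[str, Optional[str]]:
    """Classify a candidate name as 'reserved', 'publisher-suffix',
    'suspect' or 'ok', with the closest reserved name where relevant."""
    if candidate in reserved:
        return "reserved", candidate
    for r in reserved:  # 'name-$username' form the store explicitly allows
        if candidate.startswith(r + "-") and len(candidate) > len(r) + 1:
            return "publisher-suffix", r
    norm = normalize(candidate)
    best = min(reserved, key=lambda r: damerau_levenshtein(norm, normalize(r)))
    dist = damerau_levenshtein(norm, normalize(best))
    # One edit for short names, two once the name is 8+ characters long.
    if dist <= (2 if len(norm) >= 8 else 1):
        return "suspect", best
    return "ok", None
```

A 'suspect' verdict is a signal for human review, which is what the dispute process provides; it is not proof of bad intent.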

Thanks for the in-depth response, I really appreciate your time to write it.

One small suggestion of mine is that perhaps the trust model around Snap package names could be more widely documented/explained? For example, could your explanation about reserved package names and the malicious package takedown procedure be documented here, or whichever other more appropriate page?

2 Likes

I agree something brief could be put there. I don’t think we want to be overly verbose about it, because it’s the exception rather than the rule, that you have to go through the dispute process.
@degville might have other opinions.

1 Like

I agree - I’ll add something brief and explanatory to that page to reassure people that we take naming and associated security issues seriously. Thanks for bringing this up, @jamieweb!

1 Like