Should unverified cryptocurrency apps be banned?

Hi all,

There’s unfortunately been a few instances in the past few months of people abusing the Snap Store to publish cryptocurrency snaps that steal your private keys and by extension money. I.E:

Followed by more recently:

One of the goals of snaps is to sandbox applications. The requirements for classic confinement and auto-connections exist to prevent abuse; but these technical measures cannot prevent against a user willingly giving up their crypto private keys in the context of a Crypto-wallet.

I’m sure that I don’t need to provide much in the way of my opinion given the thread title; I thought I’d try raise some discussion in the community about the specific class of Crypto-wallet snaps, and whether people feel similar to myself, in that they should not be permitted unless verified to be published by an upstream source that is itself trustworthy.

Enforcing this would be difficult, as it’s difficult to profile an application in an automated manner into a distinct class (I.E, automation will struggle to distinguish an Office Suite from a Crypto-Wallet). Leaving a few options

1. All snap name registration should be moderated to help identify and prohibit Cryto-wallet abuse.
2. All snaps should be denied public listings unless granted permission, leaving them stuck to either private or unlisted
3. Nothing should happen directly, but Cryptowallets that are not verified should be forced into private listing upon identification on a case-by-case basis and forced to private listing until reviewed.

These scale down from drastic measures to less drastic, although of course, then scale down from most effective to least effective.

I would personally at a minimum say we should be aiming to verify security critical apps as trustworthy, which Crypto-wallets by definition always are.

Facilitating this kind of abuse casts a blight on the Snap Store itself and by proxy the trustworthyness of the community. Everybody in the community who has contributed positively to build trust and engagement didn’t want to do so to benefit financial crime; but it’s reality that we must confront the situation as is rather than the ideal world we wish we were in.

To bring up a classic comic: https://xkcd.com/1200

If we cannot properly enforce this class of app to be safe via technical measures, I believe it stands to be enforced by policy measures.

In summary, I’m not outright against Crypto-wallets in their entireity. However I do believe that allowing this class of application on the store without verification goes contrary to one of our main goals of making snaps, and as such something needs to change before these events continue to happen.

I think they should be banned.

These kinds of scam apps are almost always for the purpose of funding foreign state actors doing terrible things. The whole “web 3” world is full of this kind of clownery, and quite frankley, I don’t think the industry has done anything good except accelerate the warming of our planet, tell the financially vulnerable to not trust regulated banks but some goober “effective altruist” on a private island, and enable sanctioned governments to evade the consequences of their actions. If you’re really that worried about what J.P. Morgan is going to do with the $42.37 dollars in your checking account, buy gold bars and stuff them under your mattress.

Any kind of application that requires plugging financial information information directly into it without linking out to a trusted website should be audited. Could likely just have a script that pulls up a list of recently registered snaps, and if one is indicated to require financial information from users, it should be audited by a security group. Open source is built on trust, but after repeated incidents, we cannot trust crypto applications, so they need to pay the price. If someone really wants to release a “trustworthy” crypto application, the onus should be on the individual to prove that they’re legit.

I think #2 and #3 are our best options here. #2 is similar to how Charmhub does it, where your charm needs to meet specific criteria before it is allowed to be publicly listed. It would at least hopefully cut down on the total amount of broken snaps that are available on the Store. #3 maintains the convenience of being able to quickly push out updates similar to a container registry, but then you put the effort directly on the moderation team, and you won’t be able to catch everything. #2 encourages snap authors to put more effort into their snaps, and overall improve the general quality of what’s offered in the store. It also rewards maintainers since it can be seen as an achievement to get a snap publicly listed.

Overall, I just want to see these dumb silly crypto wallets go away because they damage the integrity of the store, warm the planet, and give snaps, snap authors, and Ubuntu a bad name.

I agree with nuccitheboss that the Snap Store should completely ban cryptocurrency apps. I think it should be explicitly forbidden in the Snap Store Terms of Service.

Let’s go a step further and require strict manual approval for all finance-related apps.

I agree that cryptocurrency is largely a cesspit of ignoble intentions even if the mathematics are interesting.

I see our mission as trying to improve the safety of Linux for its users. Obviously Ubuntu is a significant share of those, but we should think more broadly - our goal should be that anybody using snaps from the official snap store on any distro should be safer than if they were getting that software from other hosting platforms. We are increasingly living in a dangerous world where one is almost certain to want to run software from untrusted sources, whether that’s downloaded and installed apps, or web page scripts on a website at a link you just clicked on.

While there are ultimately limits to what we can achieve, I think it’s fair to challenge ourselves to consider additional measures that raise the safety level even if they will never be perfect.

In the design of snaps and the snap store we have mainly focused on technical confinement - the idea of safety being limited to ‘blast radius on the system’. We’ve built the best way in the world, imo, to constrain which files an app can access, which APIs or kernel services or network locations it can use and by extension attack, or be a vector for an attack. Those are measures for technical resilience.

In this case, we need to think about social resilience - how to make running Linux safer for people who are themselves vulnerable to social engineering. This is a very hard problem but one I think we can and should engage in, otherwise we’re not helping a user to help themselves, even if ultimate responsibility does lie with those users.

I don’t however think that banning cryptocurrency apps helps. If anything, it would make using Linux much worse.

At least snaps have good, and over time increasingly good, mechanisms for technical confinement. Projects like Ubuntu and Debian and RHEL have relatively rigorous know-your-contributor processes, but apps can’t all be in the distro archives. The other Linux app distribution mechanisms (such as PPAs, Github builds and releases, OBS, or even the containerised ones like Flatpak) don’t have nearly the same technical measures for confinement that snaps do. If we ban cryptocurrency apps from the snap store then those users will simply get apps from those unconfined sources - and then the attacks will be even worse because the apps can go trawling all over the system, or do things like keylogging.

At least with snaps we have more measures to limit attacks to social engineering, or defects in the kernel and related confinement code. So as much as I would not put my own money into a crypto account, and would strongly recommend others to avoid them, I don’t think banning those sorts of apps from the snap store is helping Linux users, it’s just forcing them to be even more exposed when they use cryptocurrencies.

My colleagues have been fighting a quiet war with these malicious actors for the past few months, and are working to strengthen our hand on a number of fronts. They are working up a more formal statement and I won’t pre-empt it here, I just want to express the view that pushing our users to less-safe software distribution mechanisms isn’t helping them.

Thank you very much for raising this topic @James-Carroll.

We, the maintainers of the Snap Store, are very concerned about the recent incident with malicious crypto wallet apps published in the Snap Store, and we’re currently working hard to improve our preventive measures.

The Snap Store will be increasing its security posture by requiring higher-risk categories of snaps to have verified publishers. Crypto wallets will fall into this higher-risk category, and our verification process will verify a publisher is official. This change will take effect very soon.

This is the right approach indeed. And Mark Shuttleworth above is spot on that banning crypto wallets from store would only hurt Linux. Snaps are the tech to lean on here, too, due the confinement.

Hi all,

I think it’s worth bringing up this thread posted earlier today (Thanks Popey for pointing it out ); which discusses a more general approach on controlling snap uploads.

This ties in well with the discussion here, and in my opinion if the general upload process is modified I’d personally find it satisfactory for this discussion too, as Crypto-Wallets would be a subset of the universal set of snaps. My personal is similar to Marks in that outright banning something but encouraging them to go elsewhere isn’t a real win overall as its just shifting responsibility elsewhere (or potentially nowhere), but I still feel we need some controls, which the above thread goes into.

Of course, I’m happy for people to discuss Crypto in general, but thought the other thread was important contextually since for myself proposed changes to all snaps implicitly cover this particular subset of concern.

The latest event on this topic from @popey 's blog:

https://popey.com/blog/2024/03/exodus-wallet-part-three/

And it looks like there are more that have popped up since then:

image1272×701 108 KB

I can only imagine the difficulties of managing everything going on behind the scenes for such a huge platform…but I worry that there is a “perfect is the enemy of progress” situation going on here. The conceptually holistic and 100% accurate process for distinguishing legit from scam apps doesn’t need to exist in order for the most basic checks to be in place.

Some of those could be filtering/moderation, like holding back new app submissions for manual review if they hit a list of “likely targeted for scams” words, and some could be security through transparency, such as exposing more developer/publisher information (like a verified email address) so users can make more informed judgment calls.

Right now, with such limited information available to a user via the Snap Store (web or app), there is little that community users can do to make good decisions themselves about what is safe to install from the store, and maintaining filtering/moderation within Canonical seems to be a struggle to implement…without either of those, IMO it’s tough to be an advocate for the platform in the desktop/app store context.

As an update, we should be expecting some new policies regarding Crypto specifically shortly.