Diolinux

About malware found in the Ubuntu Snap Store

This week we had the news that a game in Canonical's Snap Store had cryptocurrency-mining functionality built in. That set off alarms in the Linux community, so let's discuss it.

Since our friends at OMG! Ubuntu have already written a good article about what happened, I will limit myself to discussing and raising some points related to it.

For a bit of context, so you understand what happened: the reason for the fuss is that a developer successfully submitted to the Snap Store a game called "2048", a very popular game that is released under the MIT license, a license which permits redistribution even when bundled with proprietary software. The problem is that this package, in addition to actually running the game, used the machine's resources to mine cryptocurrency, without this activity being disclosed anywhere in the store listing.

A problem that is not exactly Snap's

I think this is where my point lies. A failure like this led many «experts» out there to condemn formats like Snap, Flatpak and AppImage, saying that they are «a danger» to computers…

Security problems are inevitable on any platform. Even when using Linux, it is important to follow basic online security routines, especially nowadays, when more and more distros are being used by people with little or no technical knowledge.

The problem that occurred with this Snap could have occurred in any other form: Flatpak, AppImage, a .deb package, a script, and so on. In other words, the format itself is not to blame, as many claim; the security system around it is, and that is what should always be improved.

Just as on Android or even on iOS, the intention of Google and Apple, respectively, is to never have software in their app stores that can harm users, yet something eventually slips through unnoticed.

The security analysis systems of app stores like the Snap Store are usually automated, and that process can occasionally fail; this is natural and even expected, even if it is undesirable.

At times like these, as Linus Torvalds says: "Sometimes the speed of fixing the problem is more important than avoiding it."

Once the problem was identified and confirmed, Canonical took down the application that was causing it, so the correction was effective. As in the Linux kernel, when a problem is discovered it is important that the solution is quick and efficient, since guessing where the next attack might come from is almost literally "predicting the future". That is why it is always important to strengthen verification and security routines, learning from failures, to avoid further consequences down the road.

Even if problems like this can happen, the Snap and Flatpak (and AppImage) formats ended up fostering a new market that had always struggled to offer software for Linux distributions, and enabled companies that previously did not release software for the penguin platform to do so now. We cannot forget that security problems in Linux have always existed and always will, even if they are far fewer and (usually) fixed with great speed. Before Snaps and Flatpaks became popular, security issues involving Linux already existed.

What changes with the arrival of these formats is that every day more developers and companies are making software for the platform, and with that plurality also comes the possibility of malicious actors appearing in this space.

The point is that proprietary software cannot have its code reviewed, and although we always say that the ideal is to use open source, a large part of the market places its greatest value in the software itself rather than in the service offered (when there is a service). Snap packages have allowed companies to bring their proprietary software to the Linux world for the first time, and to all distros at the same time, offering more options to people: a small step as far as the "Open Source" side is concerned, but undeniably something positive for the market.

The problem with Ubuntu (or any other distro) not requiring a login to install Snaps is that it makes it hard to know how many people actually downloaded this malicious app. On systems like Android, when an app is deemed dangerous, Google can remove it from smartphones automatically, or send a message to the user. This possibility does not yet exist on Linux desktops, largely because of privacy concerns.

I could say that one of the simplest ways to avoid all these problems is to use 100% free software, installed only from the curated distro repository. But the world is not made up of like-minded people, and there will always be those who think it is best for the business or product they develop to use proprietary licenses (and they have the right to do so), so distros need to adapt to that reality. Technology is made up of a mix of software types, and there will hardly ever be a hegemony on one side or the other.