ubuntu-appstore-developers team mailing list archive

Re: "Bad" apps

 


On 07/07/2014 11:39 AM, Dave Morley wrote:
> On Mon, 7 Jul 2014 11:22:01 -0400 Rick Spencer
> <rick.spencer@xxxxxxxxxxxxx> wrote:
> 
>> On Mon, Jul 7, 2014 at 7:31 AM, Alan Pope
>> <alan.pope@xxxxxxxxxxxxx> wrote:
>> 
>>> We have had a few new "apps" uploaded to the click store which
>>> I have concerns about.
>>> 
>> ....
>> 
>>> 
>>> Here's some links for context.
>>> 
>>> https://myapps.developer.ubuntu.com/dev/click-apps/881/ 
>>> https://myapps.developer.ubuntu.com/dev/click-apps/859/ 
>>> https://myapps.developer.ubuntu.com/dev/click-apps/880/
>>> 
>>> The one (from the same user) which troubles me more is this
>>> one:-
>>> 
>>> https://myapps.developer.ubuntu.com/dev/click-apps/905/ - 
>>> "Antivirus"
>>> 
>>> This app does _nothing_. The entire content of the app is one
>>> html page which says it's WIP.
>>> https://pastebin.canonical.com/113043/ . Putting an "AV" app in
>>> the store sets a bad example early on. "Why do they need an AV
>>> system, I thought their security policy made apps secure?".
>>> 
>> 
>> To be honest, an AV app that does nothing could be construed as 
>> malicious, in my opinion.
>> 
>> Cheers, Rick
> 
> Is there a way we can do a check that the support url actually
> shows a webpage or actually exists and reject the app if it
> doesn't?  Looking at his it is a non-existent page.
> 
> 
> 

It would probably require a firewall rule change to allow MyApps to
make an out-bound HTTP request, and IS might have concerns about that
from the security perspective, but technically it would be easy.

Michael Hall
mhall119@xxxxxxxxxx
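The support-URL check discussed in this thread, as an added example that is not code from MyApps or from any poster. It assumes the security concern with out-bound requests is a submitter-supplied URL pointing the store server at internal hosts; `check_support_url`, `fake_resolver`, the injected `fetch_status` callable and the sample DNS data are all hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample data standing in for DNS, so the example runs offline.
CONSTRUCTED_DNS = {
    "support.example.org": {"93.184.216.34"},
    "intranet.example.org": {"10.0.0.5"},
}

def fake_resolver(host):
    """Offline stand-in for resolve(); unknown names fail like real DNS."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror("constructed: name not known")
    return CONSTRUCTED_DNS[host]

def resolve(host):
    """Real resolver: every address the host name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_support_url(url, resolver=resolve, fetch_status=None):
    """Return (ok, reason) for a submitter-supplied support URL.

    fetch_status(url) -> HTTP status code is hypothetical and injected by the
    caller; it should not follow redirects and should connect to the address
    vetted here, otherwise the target can change between check and fetch.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https") or not host:
        return False, "not an http(s) URL"
    try:
        addrs = resolver(host)
    except OSError:  # socket.gaierror is a subclass
        return False, "host does not resolve"
    # Refuse anything that is not publicly routable (loopback, RFC 1918,
    # link-local, ...), so the store server cannot be pointed at internal hosts.
    if not addrs or not all(ipaddress.ip_address(a).is_global for a in addrs):
        return False, "host resolves to a non-public address"
    if fetch_status is None:
        return True, "host resolves; page not fetched"
    status = fetch_status(url)
    if 200 <= status < 400:
        return True, "page exists"
    return False, f"HTTP {status}"
```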

