ubuntu-phone team mailing list archive

Re: How do I know an app is safe to install?

 

On Tue, Oct 15, 2013 at 9:16 AM, Michael Zanetti <michael.zanetti@xxxxxxxxxxxxx> wrote:

> Hi,
>
> On Monday 14 October 2013 18:09:14 David Planella wrote:
> > In addition to all what Dave is saying, if you want to know more about this
> > app, including links to the source code:
> >
> > http://notyetthere.org/?p=351
>
> Actually I share Jeremy's concerns. And I think neither of Daniel's and
> David's or Dave's comments are really addressing this issue:
>
> * Dave: yes, the app passed the security checks. But given that the security
> checks only deal with the binary blob it is debatable how useful those checks
> are. IMHO they aren't useful at all in regard to security. I could sneak in
> code that starts sending all your logins to myself and no one would notice it,
> I bet.
>
> * David: There are no relations to the source code and the uploaded binary
> package. In this case all I can do is to give you my word that I won't do any
> bad things. But in theory I could publish some source code and build the
> binary out of some different code. You wouldn't notice for sure. Btw. because
> of the missing trusted relationship between the uploaded binary and source
> packages I didn't bother to upload the source package to the store.
>
> * Daniel: Yes, it is confined in AppArmor but note that it has the networking
> capability (mainly because it's enabled by default and I forgot to remove it -
> will be gone in the next update). So even though this app might not be able to
> steal your address book, I could still send out your Ubuntu SSO credentials
> over the network once you set it up.
>
>
> Jeremy, one thing you can do is to install the app called "Permy". It shows
> you who made the app and which AppArmor permissions it has. Unfortunately
> that's all we can do so far. There is no way to be sure what's in the app's
> binary right now.
>

I am guessing that this is the biggest reason why apps were supposed to be
QML only at the beginning. Or the thought that all of them should be QML
only would avoid this issue. We are on a different path these days from the
looks of it.


> That said, unfortunately this is how all the other mobile app stores work too,
> and basically how 95% of all software on Windows and Mac is distributed. I
> don't want to use that as an excuse but thing is, this is what the market
> demands right now. App Developers don't want to publish their code and the
> vast majority of users doesn't seem to care about anything security at all
> anyways. It's a sad situation for people like us who actually DO care about
> security.
>
> However, I haven't given up hope that at some point someone will set up some
> App Repository for Ubuntu Touch which requires developers to upload a source
> package, the binary will be built on the trusted server and the exact same
> source archive published along with the binary. But when this happens, I'm
> sure it will only hold the geeky FOSS apps. For me personally that would be
> enough as I tend to write all the apps I use myself anyways :P Would be
> awesome to have a way to publish them in a trusted way to my "customers".
>

Today all the com.ubuntu.[appnames] are built on Jenkins, you can freely
check the code. I don't think it would be too hard to circle around the
upload new source -> get new click. I do want to avoid rebuilding Debian
package builds though.
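
Added example, not part of the original thread and not code from Permy or the store: a sketch of the kind of permission check discussed above, reading an app's AppArmor security manifest and reporting whether it requests the networking capability. The JSON layout (`policy_groups`, `policy_version`), the list of data-bearing groups, the app names and the sample manifests are assumptions constructed for illustration.

```python
import json

# Constructed sample manifests; app names and contents are invented.
# Assumption: the security manifest is JSON with a "policy_groups" list.
SAMPLE_MANIFESTS = {
    "com.example.notes": '{"policy_groups": [], "policy_version": 1.0}',
    "com.example.login-helper":
        '{"policy_groups": ["networking"], "policy_version": 1.0}',
    "com.example.dialer":
        '{"policy_groups": ["networking", "contacts"], "policy_version": 1.0}',
    "com.example.broken": '{"policy_groups": ["networking"',
}

# Assumption: groups that expose user data to the confined app.
DATA_GROUPS = {"accounts", "calendar", "contacts", "history", "location",
               "microphone", "camera", "picture_files", "video_files"}


def audit_manifest(raw):
    """Return a list of findings for one security manifest (JSON text)."""
    try:
        manifest = json.loads(raw)
    except ValueError:
        return ["manifest is not valid JSON; treat the app as unreviewed"]
    groups = manifest.get("policy_groups") if isinstance(manifest, dict) else None
    if not isinstance(groups, list):
        return ["no policy_groups list found; treat the app as unreviewed"]
    groups = set(groups)
    findings = []
    if "networking" in groups:
        # The point made in the thread: confinement does not protect what
        # the user types into the app if the app may use the network.
        findings.append("networking: data entered into the app can leave the device")
        for group in sorted(groups & DATA_GROUPS):
            findings.append(f"networking + {group}: {group} data has a way out")
    return findings


def audit_all(manifests):
    """Audit every manifest and return {app name: findings}."""
    return {app: audit_manifest(raw) for app, raw in manifests.items()}


if __name__ == "__main__":
    for app, findings in audit_all(SAMPLE_MANIFESTS).items():
        print(app, "->", findings or ["no network access requested"])
```

An empty result only means no network path was requested; it says nothing about what the binary does with the permissions it has.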