Going forward, all newly registered apps on the Snap Store will be manually reviewed by the Canonical engineering teams – and furthermore, the developers of these apps will have to accept a background check and will be doxxed if they want their apps to be available on the repository.
The news was confirmed by Holly Hall, product lead at Canonical, the company that offers commercial support and services for Ubuntu and related projects.
The Snap Store is an app repository holding containerized Snap apps for the Ubuntu Linux distribution. Apparently, this store was under a constant barrage of malicious apps, mostly fake cryptocurrency wallets. With a few people suffering major financial losses as a result of falling prey to these apps, Canonical decided on a radical move: manually reviewing any incoming apps.
Misleading and too flexible
According to Ars Technica, former Canonical and Ubuntu staffer Alan Pope recently described an incident in which a person lost 9 bitcoins (more than $600,000 right now). They were looking for the Exodus Wallet, a known and popular cryptocurrency wallet available for different platforms. They found one on the Snap Store, but unfortunately, it was a fake.
As soon as they entered their 12-word recovery phrase into the wallet, the funds were transferred to a different address and were thus gone forever. While the cryptocurrency industry is marred by fraudsters and is inherently risky, there are things Canonical could do to limit the risk, Pope argues. For example, writing, packaging, and uploading a Snap to Ubuntu’s store results in an app that is “immediately searchable and available for anyone, almost anywhere to download, install and run. No humans in the loop.”
What’s more, Ubuntu’s App Center, where desktop users can browse the Snap Store, tagged the app as “Safe”. This “safe” checkmark was referring to an entirely different thing, but it’s easy to see how some people might have been misled, Pope added.
As a result, engineering teams will now review apps and reach out to publishers. Anyone whose name is “suspected as being malicious or is crypto-wallet-related” will be rejected. Canonical is said to be drafting a policy on creating and publishing crypto wallets.