Going forward, all newly registered apps on the Snap Store will be manually reviewed by Canonical’s engineering teams – and furthermore, the developers of these apps will have to accept a background check and be doxxed if they want their apps to be available on the repository.
The news was confirmed by Holly Hall, product leader at Canonical, the company that provides commercial support and services for Ubuntu and related projects.
The Snap Store is an app repository of containerized Snap apps for the Linux distribution of Ubuntu. Apparently, this store was under a constant barrage of malicious apps, mainly fake cryptocurrency wallets. Since a few people suffered major financial problems due to falling prey to these apps, Canonical decided to take a radical step of manually reviewing incoming apps.
Misleading and too flexible
According to Ars Technica, former Canonical and Ubuntu employee Alan Pope recently described an incident in which a person lost 9 bitcoins (currently over $600,000). They were looking for the Exodus Wallet, a well-known and popular cryptocurrency wallet, available for various platforms. They found one in the Snap Store, but unfortunately it was a fake.
Once they entered their 12-word recovery phrase into the wallet, the money was transferred to another address and thus disappeared forever. While the cryptocurrency industry is marred by fraudsters and inherently risky, there are things Canonical could do to limit the risk, Pope argues. For example, writing, packaging, and uploading the Snap to the Ubuntu store results in an app that is “instantly searchable and available for anyone, virtually anywhere, to download, install, and run. No people in the circle.”
Additionally, Ubuntu’s App Center, where desktop users can browse the Snap Store, has labeled the app as “Secure.” This “safe” checkmark referred to something completely different, but it’s easy to see how some people might have been misled, Pope added.
As a result, engineering teams will now review apps and contact publishers. Anyone whose name is “suspected to be malicious or related to crypto wallets” will be rejected. Canonical is said to be drafting a policy on creating and publishing crypto wallets.