I am not a member of the Anti-Snap crowd (although of course the server sources should be open source), but there is obviously a lot to improve. Flathub/Flatpak should also take note!

  • GravitySpoiled@lemmy.ml · 14 up / 1 down · edited · 9 months ago

    Real tldr: someone downloaded a fake app and was scammed, and here are the author’s recommendations:

    • Mandate & verify that all published applications using financial and/or cryptocurrency branding are officially published directly by the upstream developers
    • Change the store so all initial Snapcraft store name registrations are gated behind human review
    • Gate the first month of a new snap uploads behind human review
    • Block all interface connection requests behind a human review, including automatically connected ones like network and home
    • Fully staff the team doing the above to respond to registration, interface connection and upload requests in a timely fashion
    • Send out a clean snap update (as we did in 2018) to all clients that have the scam snaps still installed
    • Publishers should have their ‘newness’ on the platform highlighted with a ‘New Publisher’ badge
    • Snaps that are less than $M (2?) months old should have a ‘New Application’ badge
    • Snaps that have fewer than $N (50?) installs should not appear in search results
    • The store should make prominent notes to users that newly published snaps and snaps from new publishers should be viewed with extreme caution
    • Provide better education to users on the risks of installing finance and cryptocurrency software from the Snap store
    • Review and update all wording in graphical and web software store-fronts to ensure users aren’t given a false impression that malware is ‘safe’

    Me: What are your recommendations, dear lemmy users? I bet you can come up with much better recommendations.

    • acockworkorange@mander.xyz · 5 up / 1 down · 9 months ago

      The idea of a package maintainer that is vetted by the distribution channel comes to mind. That’s the model that has worked with most distros so far. I don’t see why it wouldn’t work here.

    • ShittyBeatlesFCPres@lemmy.world · 2 up / 1 down · 9 months ago

      I like the recommendations but I would also just ban cryptocurrency wallets from the app stores (and traditional finance apps capable of transferring funds electronically). There’s not much you can do to stop scams in that space but if the devs distribute their own apps, at least the user can verify they’re at the original developer’s site or repo or whatever and possibly hold them accountable.

      That probably won’t help on the scams — people in the crypto world get scammed more than aging grandparents, it seems. But I don’t want Canonical or Flathub to be held liable due to a lack of moderation resources. If they can ever automate moderation to the degree it’s safe, bring back the finance app category with some safeguards.

  • guttermonk@lemmy.ml · 3 up · 9 months ago

    I don’t recommend downloading from unofficial distribution channels without verifying a hash. That said, why doesn’t Exodus give Linux users a PPA? Mac and Windows both have auto updates for the Exodus wallet.
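The hash check mentioned in the comment above, as an added example that is not part of the thread or of any project named in it: a POSIX shell function that compares a downloaded file's SHA-256 digest against the digest the publisher lists and refuses on mismatch. The sample file and the "published" digests in `demo` are constructed for the demonstration; only `sha256sum`, `awk`, `tr` and `mktemp` are assumed to be available.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded file against a
# publisher-supplied SHA-256 digest before installing it.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-256 digest equals EXPECTED_HEX (case-insensitive),
# 1 when the file is missing or the digest differs.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Constructed demo: a stand-in for a downloaded installer, checked once against
# its genuine digest and once against a wrong one. Returns 0 only if the first
# check passes and the second fails.
demo() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    # SHA-256 of the bytes "hello\n" (the "published" digest in this demo)
    good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    bad=0000000000000000000000000000000000000000000000000000000000000000
    if verify_sha256 "$tmp" "$good"; then r1=0; else r1=1; fi
    if verify_sha256 "$tmp" "$bad"; then r2=0; else r2=1; fi
    rm -f "$tmp"
    [ "$r1" -eq 0 ] && [ "$r2" -eq 1 ]
}
```

The digest is only worth something if it comes from a channel independent of the download itself (the developer's own site over HTTPS, a signed release note, a signature you can verify): a checksum hosted next to the file on an unofficial mirror proves that the download was not corrupted, not that it is the genuine release.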