Edit: There’s a short follow-up to this post: Exodus Bitcoin Wallet: Follow up. tl;dr: A Bitcoin investor was recently scammed out of 9 Bitcoin (worth around $490K) in a fake “Exodus wallet” desktop application for Linux, published in the Canonical Snap Store. This isn’t the first time, and if nothing changes, it likely won’t be the last. This post turned out longer than I expected. So if you don’t have the time there’s a briefer summary at the bottom under “In summary (the tl;dr)” along with my suggestions on what Canonical should do now.

I am not a member of the Anti-Snap crowd (although of course the server sources should be open source), but there is obviously a lot to improve. Flathub/Flatpak should also take note!

  • @[email protected]English
    153 months ago

    Real tldr: someone downloaded a fake app and was scamed and here are the author’s recommendations:

    • Mandate & verify that all published applications using financial and/or cryptocurrency branding are officially published directly by the upstream developers
    • Change the store so all initial Snapcraft store name registrations are gated behind human review
    • Gate the first month of a new snap uploads behind human review
    • Block all interface connection requests behind a human review, including automatically connected ones like network and home
    • Fully staff the team doing the above to respond to registration, interface connection and upload requests in a timely fashion
    • Send out a clean snap update (as we did in 2018) to all clients that have the scam snaps still installed
    • Publishers should have their ’newness’ on the platform highlighted with a ‘New Publisher’ badge
    • Snaps that are less than $M (2?) months old should have a ‘New Application’ badge
    • Snaps that have fewer than $N (50?) installs should not appear in search results
    • The store should make prominent notes to users that newly published snaps and snaps from new publishers should be viewed with extreme caution
    • Provide better education to users on the risks of installing finance and cryptocurrency software from the Snap store
    • Review and update all wording in graphical and web software store-fronts to ensure users aren’t given a false impression that malware is ‘safe’

    Me: What are your recommendations, dear lemmy users? I bet you can come up with much better recommendations

    • @[email protected]
      63 months ago

      App Store moderation (because this is what we’re talking about) is a hard and labor intensive problem. I’m not sure it can be done well enough at scale for free without introducing easily gained mechanics.

      That said, this seems just a list of ways to blame someone else for messing up and getting scammed.

    • @[email protected]
      53 months ago

      The idea of a package maintainer that is vetted by the distribution channel comes to mind. That’s the model that has worked with most distros so far. I don’t see why it wouldn’t work here.

    • @[email protected]English
      13 months ago

      I like the recommendations but I would also just ban cryptocurrency wallets from the app stores (and traditional finance apps capable of transferring funds electronically). There’s not much you can do to stop scams in that space but if the devs distribute their own apps, at least the user can verify they’re at the original developer’s site or repo or whatever and possibly hold them accountable.

      That probably won’t help on the scams — people in the crypto world get scammed more than aging grandparents, it seems. But I don’t want Canonical or Flathub to be held liable due to a lack of moderation resources. If they can ever automate moderation to the degree it’s safe, bring back the finance app category with some safeguards.

  • guttermonk
    33 months ago

    I don’t recommend downloading from unofficial distrobution channels without verifying a hash. That said, why doesn’t Exodus give Linux users a PPA? Mac and Windows both have auto updates for the Exodus wallet.