The new Ubuntu 16.04 released recently with the much touted and hyped Snap app package format. Canonical has projected this package format as an extremely secure platform for the developers to develop various software without having any risk or fear of data getting stolen.
Olli Ries, head of Canonical’s Ubuntu client platform products and releases earlier wrote, “The security mechanisms in Snap packages allow us to open up the platform for much faster iteration across all our flavours as Snap applications are isolated from the rest of the system, users can install a Snap without having to worry whether it will have an impact on their other apps or their system.”
But serious aspersions have been cast on these claims by Matthew Garrett. We would have taken this lightly, had this not come from such a well-known Linux kernel developer. Garrett is currently a security developer at CoreOS and his claims indeed deserves some attention.
Mr. Garrett has contended that Ries’ claims are only half-true as although the snap package on the Ubuntu mobile indeed brings security improvements, but the same cannot be said about the desktop. According to him, such claim about the desktop is “horribly, awfully misleading”.
Garrett wrote, “Any Snap package you install is completely capable of copying all your private data to wherever it wants with very little difficulty.”
Garrett not only claimed but even went to the extent of proving his point by building a proof-of-concept attack package in Snap. This initially shows a cute teddy bear which then logs in the keystrokes from Firefox which can be used for stealing private SSH keys. The PoC although contains a harmless command, but it can be tweaked to include a cURL session for stealing SSH keys.
According to Garrett, the main reason behind this security flaw is the use of X11 window system on Ubuntu desktop.
He further wrote, “X has no real concept of different levels of application trust. Any application can register to receive keystrokes from any other application. Any application can inject fake key events into the input stream. An application that is otherwise confined by strong security policies can simply type into another window. An application that has no access to any of your private data can wait until your session is idle, open an unconfined terminal and then use cURL to send your data to a remote site. As long as Ubuntu desktop still uses X11, the Snap format provides you with very little meaningful security.”
Stay tuned for more news and updates and do leave your comments below.