Linux expert Matthew Garrett: Ubuntu 16.04's new Snap format is a security risk

Ubuntu's supposedly secure app package format doesn't do much to improve security on the desktop, according to a well-known Linux kernel developer.
Written by Liam Tung, Contributing Writer

Matthew Garrett: "As long as Ubuntu desktop still uses X11, the Snap format provides you with very little meaningful security."

Image: ZDNet

The new Snap app package format is a headline feature of the new Ubuntu 16.04, touted by Canonical as a secure way of developing software that makes it impossible for an app to steal your data.

"The security mechanisms in Snap packages allow us to open up the platform for much faster iteration across all our flavours as Snap applications are isolated from the rest of the system," Olli Ries, head of Canonical's Ubuntu client platform products and releases wrote earlier this month.

"Users can install a Snap without having to worry whether it will have an impact on their other apps or their system," he continued.

But that claim is only half true, according to Matthew Garrett, a well-known Linux kernel developer and security developer at CoreOS.

He contends that using Snap packages on Ubuntu mobile does offer genuine security improvements, but on the desktop that claim is "horribly, awfully misleading".

"Any Snap package you install is completely capable of copying all your private data to wherever it wants with very little difficulty," wrote Garrett.

To prove his point, he built a proof-of-concept attack package in Snap, which first shows an "adorable" teddy bear and then logs keystrokes from Firefox and could be used to steal private SSH keys. The PoC actually injects a harmless command, but could be tweaked to include a cURL session to steal SSH keys.

Garrett says the key reason Snap offers little security on Ubuntu desktop is that it uses the X11 window system.

"X has no real concept of different levels of application trust. Any application can register to receive keystrokes from any other application. Any application can inject fake key events into the input stream. An application that is otherwise confined by strong security policies can simply type into another window," he wrote.

"An application that has no access to any of your private data can wait until your session is idle, open an unconfined terminal and then use cURL to send your data to a remote site.

"As long as Ubuntu desktop still uses X11, the Snap format provides you with very little meaningful security."

Editorial standards