Malicious apps


#1

Hey Blockstack!

After being introduced to this technology at TreeHacks I’ve reflected on it and came across a question:

How are malicious apps detected and managed?

For example, say we have a messaging application. What prevents the app from sending a message directed from Alice to Bob to, say, Eve? Surely if the code was open-sourced, it could be audited, but I don’t believe open-sourced projects are mandated by Blockstack.

Thanks!


#2

Blockstack applications are realized as Web applications, so anything a Web app can do, a Blockstack app can do.

New Internet Labs – a Blockstack-based start-up – is working on a Blockstack-specific Web browser that mitigates some of this, such as preventing data exfiltration and stopping apps from running third-party code. However, because JavaScript itself is a Turing-complete language, there’s no universal way to prevent an app from doing something like incorrectly encrypting your data (or encrypting it to the wrong person). The best we could do for these kinds of malicious apps is de-list them from app.co and maintain a list of known-bad applications that can be used to warn the user not to use them.


#3

@jude, maybe we are all looking at this wrong. It’s not about the app, it’s about the creator(s) of the app. Maybe the app developer(s)/company is vetted in the app submission process? Kind of like vote.blockstack.org, but for the individual?

If I were putting together a team to develop/fork dApps for my clients, I would need to be able to trust the developer/code. Especially with healthcare apps or apps that monitor the whereabouts of a car or an individual.

My worry today is that the criteria for an app are based on whether you keep the data only in your own bucket. I own a healthcare app today that I would like to connect to Blockstack in the future, and it needs to work as described below:

  1. The doctor logs in (with a blockstack.id).

  2. The doctor scans the person’s foot, a 3D object is created, then they fill out a form for that particular client.

  3. In the future, I would like to have a patient login (with a blockstack.id), and when the data is saved it would be sent to 2 buckets:

     • the doctor’s office bucket and the patient’s bucket.

Would that weigh the system differently? Thanks again for your knowledge.


#4

No, I don’t think we would ever penalize you for storing data in multiple Gaia buckets. That is a valid use case.


#5

Thanks Hank.