Maidsafe Web App Store

store

#1

Are there plans for an official Maidsafe web application store? Something like addons.mozilla.org where Safe Network App authors can have a web presence to promote their Apps on the existing internet. This is in addition to the Safe Network facing App Store where only existing Safe Network users can see it.

With the new Draft Investigatory Powers Bill under pressure to be fast-tracked and other anti-encryption rhetoric being bandied about by other world leaders, it may be increasingly difficult and risky for individuals to sustain a web presence for their Safe Network Apps, even if hosting outside the UK or similar encryption-hostile regime. Of course the Safe Network web app store would probably just become more banned reading material but hey.


#2

I like the idea of a web app store. I wouldn’t even mind if it was curated by Maidsafe, I just don’t think they’re going to do it, because @dirvine expressed repeatedly that they want Maidsafe to become “just another” group of app creators on SAFE. However, if SAFE succeeds in a way, people can and will create hubs for apps and time will show which hub becomes the dominant source of applications.


#3

I am not sure what this actually means?

Most people will not be on Safe at the start and as an app author or user you want to hand people a URL to whatever App the person you’re talking to might find interesting. The problem with unofficial hubs for apps is the same problem addons.mozilla.org was set up to resolve: a semi-official list of apps where new users can be reasonably sure they are not being served up malware. I suspect not setting up an official Maidsafe foundation web Safe App store, even if it is mainly community run and organised, would be a security mistake. Nothing could kill Safe Network’s reputation faster than malware being served up by a minefield of shady Safe App hubs with unknown backers, preying on new users. If an adversary cannot attack Safe Network directly, they will attack it indirectly - and no official Safe App web presence makes for a pretty big easy attack vector opportunity.


#4

In terms of a SAFE Network facing app store, @Viv actually answered that question just a few hours ago in a developer chat room. Let me copy paste his answer.

nothing set in stone here. preference is when network shares functionality is available then portable apps can be hosted self contained in the network and can then be distributed in a decentralised manner with public reviews/ratings influencing the apps. What we’re not after is MaidSafe becoming the controller of all apps in the network as that becomes the single point of failure then. Also ends up making a key-chain/authenticator sorta app into a marketplace for all which motivates more versions of the keychain app for just merely forking the app distribution parts. It’s certainly an interesting topic that’s been discussed a few times, prolly best to have that discussion in the forum though as it’s something a lot more people would have a direct opinion in

In terms of having a web app store, I think it’s certainly a good idea. I was actually considering setting up a good-looking static site at apps.safenetwork.org where people could make pull requests to add their apps. Or maybe an even better idea would be to use Telescope and make a site where anyone can submit their apps, vote on other apps, filter by category, search for keywords, etc. Imagine something like screenings.io (which is a site that uses Telescope) but for apps instead of videos.


#5

Interesting. However, making an apps.maidsafe.org does not mean you’re a central point of failure, only that you’re one of the more reputable hubs around and can probably be trusted by new users.

If I was a Safe Network adversary with moderately deep pockets (state backed/crime group or otherwise) I could just hire some top web developers, set up the most sexy App hub in town, amp up the marketing to promote it over existing hubs then sit back and serve up Safe Network compromising versions of Apps, enjoy network effect as new users recommend my site. However if apps.maidsafe.org is the go-to place then my job is much harder.

If Safe Network reaches its potential this would be most likely to happen, not just some hypothetical.

Maidsafe could set up the apps.maidsafe.org domain and pick top community members similar to how this forum is run to help curate and patrol it for malware… it does not have to be a big burden, certainly does not make it a central point of failure and raises the bar significantly for malware creators that will target Safe.


#6

I agree with you, however, I have doubts that Maidsafe is going to do that. You can only be reasonably sure you are not served with malware if someone trustful checks the app sufficiently. This is quite different to the work they are doing right now and if you don’t commit fully to this work then reputation is quickly damaged.

But yes, I’d be totally for creating a SAFE foundation and building trust between users. I just wanted to point out that Maidsafe may not do it and other people will speak up against it because they think it’s “centralized”.


#7

I think this does not matter so much mainly because even if apps.maidsafe.org curators may unwittingly OK a malware App for a time, sooner or later it will be found and removed. Imagine the alternative I present above: State/crime group invested some $ to make their App Hub the best in town and are serving up Apps with malware attached or integrated. Some of the more vigilant and caring in the community know this but still new users keep going there over and over as it has the Network effect being the biggest most visible and well funded hub in town. There is no way to remove the malware app or have it taken down. You cannot warn anyone easily because we are talking new users here and they may not come to the forum or website you’re trying to raise the alarm on. This nightmare scenario already has precedents. I suspect it will happen sooner or later when the Safe Network takes off and goes more mainstream, begins to attract the attention of the Military-digital complex and other crime gangs.

@Viv’s comment appears to apply more to Safe Apps served on the Safe Network. I am specifically talking about Web facing App store hubs for promoting and providing Safe Network apps to new users not yet on the Safe Network.


#8

Yes, I hadn’t made the distinction at first. I just edited my reply. You can read it again :smiley:


#9

I think that is a great idea and don’t get me wrong, the more hubs the better to avoid centralisation, but this also highlights the point I am making. You’re one guy (maybe a small independent team) as opposed to the Maidsafe foundation. Hypothetically imagine it turns out that you also happen to be a state funded “cyber spy” tasked to infiltrate new privacy enhancing tech like the Safe Network. Or at some point down the road one of the three letter agencies starts to lean on you to bundle malware with Safe Apps - Before Snowden you could just say that is not likely, but now the evidence is in, it is a common occurrence at least in the UK and US. So now apps.xxxxxx.org becomes one of the first, best and biggest App serving place, that also serves malware. The rest of the community will not be able to take it offline or easily warn new users even after it is discovered.

A Maidsafe Foundation run app store can take steps to make sure this is much more difficult to do. Distribute and decentralise curators and administrators, chop and change them if problems arise. It is much more robust and would be something in the community’s best long-term interests. The Maidsafe Foundation is the natural organisation to set this up, anyone else no matter how good their intentions may be would be a bigger risk for the community to make their Number 1 web Safe App store IMO.


#10

Yes, I understand your concerns.

The ideas I am suggesting are more for the short term, with the goal of having a simple app store website that works.

In terms of security, I think we are pretty safe if the apps are open source and if the binaries are built in a way that is reproducible.

I imagine there will be multiple web app stores, but it would be good for sure to have one that is maintained by a group of community members. It could be set up by the MaidSafe Foundation like you said.


#11

We are not safe at all just because there is open source, please don’t ever assume that! As Heartbleed proved, open source is far from any guarantee of safety, even after decades of “eyeballs” looking at the code. In addition a bad actor App store hub would just serve compromised binaries knowing that only a small fraction of users know (and even fewer bother) to compile their own. Of those that do almost none will security audit the code.

Without doubt there will be compromised and bad actor App serving hubs when Safe Network takes off - the best defence we can have is to establish a relatively trustworthy website to be the main hub with distributed checks and balances. Who else but Maidsafe can really do that credibly? Anyone else could be compromised sooner or later. If Maidsafe will not be implementing it then it would be healthy for the community to hear that stated now before network launch, and perhaps an explanation as to why not (is the situation I have outlined not considered a credible threat?). Then perhaps a plan B can be found - if this is delayed until after Launch and after some bad actor or easily compromised hub has already established itself as the main place to go for Safe Apps, then it is already too late.


#12

Well it can’t be centralised if you can always go somewhere else for Apps, so this is not really a credible excuse for Maidsafe not implementing apps.maidsafe.org, especially given the (likely) scenario I have pointed out. Denying new users a relatively trustworthy apps.maidsafe.org is a much bigger security threat to the Safe Network, wouldn’t you say?


#13

I don’t think this is about excuses. Maidsafe doesn’t have to do it, even though it might be sensible. I don’t see the point in the alternative you present:

If that would be the case - following your own logical argument (“sooner or later [malware] will be found and removed”) - people would quickly stop using that App Hub and use one that already built more trust. That can be anywhere. People tend to trust sourceforge and download tons of GB every day - SF could easily use the network to distribute malware, but there’s a reason why they won’t.

Well, it’s one of the catches coming along with decentralization that you cannot simply trust a source. Relying on others always comes at the cost of risk. Trust will have to be built - if not by Maidsafe, then by others. Has always been this way. The truth is, there’s any difference whether Maidsafe does this or I do it. The only difference is that you tend to trust Maidsafe and not others, but that trust could be wrong same as your lack of trust in me. We have to deal with it.


#14

That comment only applies to apps.maidsafe.org. The bad actor hub will not remove anything.

Only already burned users. Remember I stated that new users will continue to go to the compromised App site as it has the market lead and the network effect/marketing dollars behind it to suck new users not familiar with the Safe Network into using it as their onramp.

Strongly disagree, mainly because Maidsafe the foundation already has significant amounts of reputation and trust plus the capacity to make a website Safe App download hub that is resistant to pressure for adding malware, and can already be trusted to do the right thing when malware sneaks past community curator(s).


#15

I already said that:

“The only difference is that you tend to trust Maidsafe and not others, but that trust could be wrong same as your lack of trust in me.”

If Maidsafe decides not to do it you appear to expect chaos, I expect the rise of a trustful alternative.


#16

@whiteoutmashups and I had discussed about an apps.safenetwork.io site in September; however, we had to figure it out ourselves how to get it up which involved me figuring out nodejs…

We came up with a design like this:
People register with the apps.safenetwork.io page;
Once registered people can post a new app to the board.
All apps are published in the Warning zone.
Mods from the community are appointed:
Mods test the app for malware/read the source code to check for malware

There is an approved-apps Webpage that is the homepage of the apps.safenetwork.io where mod approved apps go to.

But still everyone’s app can be seen; and only really offensive and malware would be voted off of the system by the moderators.

Wanted to mention also: teams should be able to be formed, and it sounds like github pull requests into the apps. webpage would be important since it filters what gets submitted and that’s where I left off


#17

Chaos, certainly not; that’s a bit of a cheap shot. Distributed is much more robust, as I have said several times in this thread alone I believe. However might I point out: Web sites on servers over http are not truly distributed, even one set up properly by Maidsafe to be pseudo distributed and controlled across continents like wikileaks.org does it. In the absence of a pseudo distributed Maidsafe Web App store then we are likely looking at one, maybe two Safe App websites run by unknown individuals rising to be the most popular, as happens with most web properties: Highly centralised, with much higher chance of being easy targets for malware pushers. Other websites serving Apps will be insignificant in volume by comparison.

Judging by @dirvine’s likes on your posts and lack of reply to the points I raise, it appears he agrees with you, and so I disappointingly concede, I have said what I wanted to say. I really hope I am wrong, but going on what has happened in Tor universe I doubt it. If they can’t get in by the front door they will try to go in through the back, seems to be the Military-digital complex and criminal organisation motto.


#18

To join the philosophical debate. In any apps hub you only need to download malware once.

So if you just now heard of Safe Network and go to Google and some wealthy person was to advertise their site and promote malware… well it’s over for that person who naively went and downloaded that.

The solution is to use our own prominent site and use several trustworthy people who know how to scan for malware. And also to limit to open source that gets approved by the ‘apps store’.

Even if you eventually delete it, you will get plenty of victims still by the time it’s deleted, so there is a need for moderation. And also obscurity between what is already scrutinized and what is not yet tested.

And malware uploaders already know eventually it gets found, they don’t care… and that’s the model of their strategy so it doesn’t help to let moderation “eventually it gets removed”.

All new apps go in quarantine until approved by several trained people. And an early filtration system, kind of like how Google works, where you can’t share ‘suspicious code’; that one is over reactive where anything with executable code might be considered a virus; but something that is filtering for obvious issues with the code; and then if it is being overreactive a forum thread can be made to evaluate the app.

An idea: what if this process is extraordinarily cumbersome are there more apps and source code than people and time to check them?
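
The workflow proposed in posts #16 and #18 (new apps start in a warning zone and move to the approved page once several moderators sign off), combined with the reproducible-build idea from post #10, can be sketched as follows. This is an added example, not code from any poster or from MaidSafe; `Listing`, `QUORUM` and `safeToInstall` are hypothetical names, and a quorum of two is an assumption.

```javascript
// Added illustration; Listing, QUORUM and safeToInstall are hypothetical names.
const crypto = require('crypto');

const QUORUM = 2; // assumption: "several" moderators means at least two
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

class Listing {
  constructor(name, binary) {
    this.name = name;
    this.digest = sha256(binary); // digest of the binary the hub serves now
    this.approvals = new Map();   // moderator id -> digest that moderator rebuilt
    this.flagged = false;
  }
  // A moderator rebuilds from source and records the digest they obtained.
  // Keyed by moderator id, so one person approving twice counts once.
  approve(moderator, rebuiltDigest) { this.approvals.set(moderator, rebuiltDigest); }
  // A malware report from a moderator takes the listing down.
  flag() { this.flagged = true; }
  // Swapping the served file changes the digest, so old approvals stop matching.
  replaceBinary(binary) { this.digest = sha256(binary); }
  status() {
    if (this.flagged) return 'removed';
    let matching = 0;
    for (const d of this.approvals.values()) if (d === this.digest) matching++;
    return matching >= QUORUM ? 'approved' : 'warning-zone';
  }
}

// Download-side check: install only a file whose digest is the approved one.
function safeToInstall(listing, downloaded) {
  return listing.status() === 'approved' && sha256(downloaded) === listing.digest;
}

// Constructed sample data standing in for real builds.
const clean = Buffer.from('constructed sample build v1');
const tampered = Buffer.from('constructed sample build v1 plus extra payload');
const demo = new Listing('demo-app', clean);
demo.approve('mod-a', sha256(clean));
demo.approve('mod-b', sha256(clean));
console.log(demo.status(), safeToInstall(demo, clean), safeToInstall(demo, tampered));
```

Because approvals name a digest rather than an app, a binary swapped in after review drops back to the warning zone. The check only helps if the approval record is published somewhere the hub operator cannot silently rewrite.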


#19

[quote=“dallyshalla, post:16, topic:6042, full:true”]
@whiteoutmashups and I had discussed about an apps.safenetwork.io site in September; however, we had to figure it out ourselves how to get it up which involved me figuring out nodejs…[/quote]

I applaud any and all for wanting to set up Web facing App serving websites but the first most fundamental question is: What is your plan when Homeland security (or equivalent, but I assume you’re in the US) come knocking telling you to install malware - frustrated that they cannot compromise the privacy juggernaut Safe Network directly? How will you distribute and mitigate this likely event, given that you will be unable to talk or warn the community about it under threat of imprisonment? Are you prepared to do all the tricks Wikileaks.org has had to do to stay credible (and even then it is hard)?


#20

I think that regardless of where anyone is they are under some threat of attack by ‘homeland security’

And also with Safe Network I think it will be easy to stay anonymous; and even host the backend to the apps.site to the safe network… so; I think we’ll be OK