Malicious apps

robert · March 13, 2019, 4:42am

Hey Blockstack!

After being introduced to this technology at TreeHacks I’ve reflected on it and came across a question:

How are malicious apps detected and managed?

For example, say we have a messaging application. What prevents the app from sending a message directed from Alice to Bob to–say, Eve? Surely if the code was open-sourced, it could be audited–but I don’t believe open-sourced projects are mandated by Blockstack.

Thanks!

jude · March 13, 2019, 3:10pm

Blockstack applications are realized as Web applications, so anything a Web app can do, a Blockstack app can do.

New Internet Labs – a Blockstack-based start-up – is working on a Blockstack-specific Web browser that mitigates some of this, such as preventing data exfiltration and stopping apps from running 3rd party code. However, because Javascript itself is a Turing-complete language, there’s no universal way to prevent an app from doing something like incorrectly encrypting your data (or encrypting it to the wrong person). The best we could do for these kinds of malicious apps is de-list them from app.co and maintain a list of known-bad applications that can be used to warn the user not to use them.

josephfoboyle.id · March 13, 2019, 4:02pm

@jude, maybe we are all looking at this wrong, Its not about the app its about the creator(s) of the app. Maybe an app developer(s)/Company is vetted in the app submission process?.? Kind of like vote.blockstack.org but on the individual?.?.?

If i was putting together a team to develop/fork dApps for my clients, I would need to be able to trust developer/code. Especially with Healthcare apps or apps that monitor whereabouts of car or individual.

My worries today is, the criteria of an app is based on if you keep the data only in your own bucket. I own a healthcare app today that in the future, I would like to connect to blockstack and it needs to work as described below

Dr logins (with a blockstack.id)
A doctor scans the persons foot, a 3d object is created, then they fill out a form for that particular client.
In the future, I would like to have patient login (with a blockstack.id) and when the data is saved it would be sent to 2 buckets

The doctors office bucket and the patients bucket.

Would that weight the system differently? Thanks again for your knowledge

hank · March 13, 2019, 4:05pm

No, I don’t think we would ever penalize you for storing data in multiple Gaia buckets. That is a valid use case.

josephfoboyle.id · March 13, 2019, 5:08pm

Thanks Hank.