Work-in-progress: A brief security review of permissions of curated apps on the elementary OS 6 AppCenter (see elementary/appcenter#1012 and elementary/appcenter-reviews#225 for context).
These are apps with --filesystem=home or above permissions that currently should not be allowed on the AppCenter (as per elementary/appcenter-reviews#225)
- Akira (https://github.com/akiraux/Akira/blob/master/com.github.akiraux.akira.yml)
- EasySSH (https://github.com/muriloventuroso/easyssh/blob/master/com.github.muriloventuroso.easyssh.yml)
- Taxi (https://github.com/Alecaddd/taxi/blob/master/com.github.alecaddd.taxi.yml)
- Trimir Journal (https://github.com/matthiasjg/trimirjournal/blob/main/com.github.matthiasjg.trimirjournal.yml)
I’ve only looked through the paid apps on the accessories section and it is clear that non-sandboxed apps have been allowed on the AppCenter.
We need a clear policy on this going forward.
- ScreenRec (featured in top carousel in AppCenter): https://github.com/dr_styki/ScreenRec is 404 (as are issues and help links). This essentially means this is a closed-source app on the AppCenter. I cannot verify what permissions it has or what it does.
- Homepage link on LookBook leads to danielfore.com which appears to have been taken over by a link farm. At least on one load, uBlock origin blocked the domain as known malware was being served from it.