Ensure that uploaded .pbw files don't contain viruses

[TheTechmage]

See: https://github.com/pebble-dev/rebble-store/issues/5

[grebnetiew]

That's a rather open-ended issue :) I know some golang but very little about virus scanning, so I googled it and came up with this go package that uses Virustotal for scanning. In other words, we'd get an api key and upload every pbw file to them for verification.

It seems like this would create minimal dependency issues, as in: no need to install a server side virus scanner. However, the Virustotal API needs us to be noncommercial/free to customers (I'm not sure if we fit that, app "store" and all), and we'd have to contact them to get permission to upload files (as opposed to just getting reports of known files) and there'd probably be some kind of rate limit.

Thoughts?

[Avamander]

What would actually be a virus on Pebbles? I really can't think of anything to be honest.

[Klikini]

I don't think there are actually any known "virus" definitions for Pebble. However, the PBW file could be an executable that would harm a user's computer if they opened it. Protection from this may be a nice feature, but not a high priority one.

[sGerli]

This isn’t important until we launch a dev-portal, and the idea is to protect the phone, computer, and our servers.

[Avamander]

@Klikini Anyone who is dumb enough to execute a .pbw on a desktop computer and gets infected totally deserves it.

I don't see how a .pbw compiled for pebble, running on pebble could do anything malicious at all. Please give me some examples.

[sGerli]

You are right, added a low /extra feature label

[Klikini]

@Avamander I guess they could always run random infinite loops doing trig to drain your battery or spam your timeline with pins of ads, but these are just annoying and not permanently harmful.

[Avamander]

The thing with DoS and excess power usage is that it's impossible to differentiate apps that use a lot of power for legitimate purposes (say games) and those that aren't. If someone figures out how to differentiate these two types of software with 100% confidence I know you will have a billion dollar career in anti-malware or even code analysis and compilers (people would pay you a LOT to find out if their code is spending unneeded resources).

[phpeter]

What about just having a button on the app store to report the app? Then users can report it if it is using excessive battery, doing something malicious, or anything of the sort.

[wiseman13]

For a project at work dealing with user initiated uploads to s3 we used ClaimAV and it has worked pretty well for us.