Ubuntu Snaps vs. APT: Which is More Secure?

TL;DR

Generally, Ubuntu Snaps can be more secure than traditional APT packages from the official repos, but it’s not a simple ‘yes’ or ‘no’. Snaps offer better isolation and automatic updates. However, they also have drawbacks like larger disk space usage and potential performance impacts. The best choice depends on your needs and risk tolerance.

Understanding the Differences

Let’s break down how APT (Advanced Package Tool) and Snaps work, then look at their security implications.

• APT: Installs packages directly onto your system. Packages rely on shared libraries and can modify core system files.
• Snaps: Packages are containerised applications that bundle all their dependencies. They run in isolation from the rest of the system, using a sandboxing technology called AppArmor.

Why Snaps Can Be More Secure

1. Isolation: Snaps run in containers. This means if one Snap is compromised, it’s less likely to affect other applications or the core operating system. APT packages have wider access and potential for systemic damage.
2. Automatic Updates: Snaps are automatically updated by default (though you can configure this). This ensures you’re running the latest security patches without manual intervention. While APT allows automatic updates, it’s not always enabled or configured correctly. You can check update status with:

   snap refresh

3. Permissions Control: Snaps require explicit permissions to access resources like your camera, microphone, network, or files. This ‘least privilege’ approach limits the damage a compromised Snap can do. You can view snap connections with:

   snap connections <snap-name>

4. Rollback: Snaps make it easier to roll back to previous versions if an update causes problems, including security issues.

   snap revert <snap-name>

Why APT Still Has Advantages

1. Performance: Snaps can be slower to start and use more disk space because of the containerisation. APT packages are generally leaner and faster.
2. Integration: APT packages integrate more seamlessly with the system, especially for core components.
3. Dependency Management: While Snap bundles dependencies, sometimes this leads to multiple versions of the same library on your system. APT’s dependency resolution is often more efficient.

Practical Steps to Improve Security (Regardless of Package Manager)

1. Keep Your System Updated: Regularly update both APT packages and Snaps.
   • For APT:

     sudo apt update && sudo apt upgrade

2. Use a Firewall: Configure UFW (Uncomplicated Firewall) to limit network access.
3. Enable Automatic Security Updates: Ensure unattended-upgrades is configured for APT if you choose that method.

   sudo apt install unattended-upgrades

4. Be Careful What You Install: Only install software from trusted sources.
5. Regularly Review Permissions: Check the permissions granted to Snaps and revoke any unnecessary access.
6. Consider Security Auditing Tools: Use tools like Lynis or Rkhunter for system auditing.

Conclusion

Snaps offer a stronger security model due to their isolation and automatic updates, but they aren’t without trade-offs. APT remains a viable option, especially if performance is critical. A combination of both package managers can provide the best balance between security and usability. Prioritising regular updates and good cyber security practices is crucial regardless of which method you choose.