KeePassXC: Beware of unofficial Microsoft Store listing

249 points by nixcraft, over 2 years ago

15 comments

ls65536, over 2 years ago
The KeePassXC team has also been trying to get their app into the store while this has happened. While this is nothing new in general, it's yet another "counterfeit" app proliferating in what's supposed to be considered a trusted source to be able to get your applications from.

This is a good example of how "app stores" tend to provide a false sense of security about what you're really downloading. There are clearly failures in terms of vetting what's there and towards ensuring that the user is actually getting what they think they're supposed to be getting.

Perhaps the "app store" model is still generally better than downloading executable code from completely random sources (nobody should be doing that), but I'm not sure there's anything more reliable (and also "secure") here than downloading a piece of software from its official source (such as from a server under the domain of the known publisher), verifying hashes/signatures, and leaving out as many intermediaries as possible who often have motives not fully aligned with the software user. Of course, this would require users to possess and be willing to use some knowledge of basic software and data hygiene, but it seems that along the way we have somewhat given up on that and so now we're stuck trusting these intermediaries usually much more than they ought to be trusted.
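Added example, not part of the thread and not KeePassXC's own tooling: a sketch of the check ls65536's comment describes, accepting a download only when it came over HTTPS from the publisher's own domain and its SHA-256 matches the published digest line. `publisher.example`, the file name and the installer bytes are constructed placeholders; signature verification is not shown.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: stand-in for the publisher's real domain (not from the thread).
OFFICIAL_DOMAIN = "publisher.example"


def host_is_official(url, domain=OFFICIAL_DOMAIN):
    """True only for https URLs whose host is the domain or a subdomain of it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    return parts.scheme == "https" and (host == domain or host.endswith("." + domain))


def parse_digest_line(line):
    """Parse one sha256sum-style line: '<64 hex chars>  <filename>'."""
    digest, _, name = line.strip().partition(" ")
    digest = digest.lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a SHA-256 hex digest")
    return digest, name.lstrip(" *")


def verify_download(url, payload, digest_line, filename):
    """Accept the payload only if source, file name and SHA-256 all match."""
    if not host_is_official(url):
        return False
    expected, listed_name = parse_digest_line(digest_line)
    if listed_name != filename:
        return False  # digest was published for a different artifact
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data: a fake "installer" and the digest line for it.
INSTALLER = b"constructed installer bytes"
DIGEST_LINE = f"{hashlib.sha256(INSTALLER).hexdigest()}  app-setup.msi"

if __name__ == "__main__":
    good = "https://downloads.publisher.example/app-setup.msi"
    lookalike = "https://publisher.example.store-mirror.test/app-setup.msi"
    print(verify_download(good, INSTALLER, DIGEST_LINE, "app-setup.msi"))         # True
    print(verify_download(lookalike, INSTALLER, DIGEST_LINE, "app-setup.msi"))    # False
    print(verify_download(good, INSTALLER + b"x", DIGEST_LINE, "app-setup.msi"))  # False
```

The hash comparison only helps when the digest line itself was fetched from the publisher over a trusted channel; a digest shown next to the download on a third-party listing proves nothing.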
solarkraft, over 2 years ago
I wouldn't download anything from the Microsoft App store since it's hard to verify the source.

This is a result of the failed strategy to explicitly *not* curate it and get as many apps as possible, no matter how bad they are.

I'd like to know what goes on inside of Microsoft for them to keep following strategies that appear doomed to fail from the start.
bongobingo1, over 2 years ago
https://apps.microsoft.com/store/search?hl=en-gb&gl=gb&icid=CNavAppsWindowsApps&publisher=CoderLearn

Seems the publisher probably skates on a few other free software projects like filezilla & vnc. I assume the free apps are simply spyware.
yakubin, over 2 years ago
Is KeePassXC a registered trademark? I haven't found any confirmation of it on KeePassXC's website, nor on Wikipedia, so I guess the answer is no. A shame really. Trademarks would be so useful in such situations, which seem to recur in the open source world with some regularity.
never_inline, over 2 years ago
Oh god MS store.

Recently I had to use windows. As a linux user for 2 years my first instinct is to install WSL and make the entire thing somewhat more palatable.

I Google the docs, install Debian through `wsl` command, start it through windows terminal.

It's still debian stretch aka "oldoldstable", that's the only version wsl command lists.

I googled the issue and apparently you can install the same thing through MS store to get latest stable. This has to be a Stack Overflow answer with 5 votes, not MS docs website.

So I search debian again, there are one or two 'app' listings, but no checkmark or verification on publisher. All apps look alike.

It doesn't help they show reviews, but there will be max 20-30 reviews even for legitimate apps. These reviews are probably written by people like me whose first language isn't English. But at the first sight they make the app seem even more suspicious.

If I recall correctly, unlike Google Play Store, MS store doesn't list the download count either. Not that it would help much in this case of a relatively obscure installation, but would at least help against copycats.

VS code is also from MS, Store is also from MS, what a difference!

stygiansonic, over 2 years ago
Wow, the fake listing even links to the official GitHub repo giving the impression it’s from the same org/people.

josephcsible, over 2 years ago
I wish app stores had a rule to the effect of "if you're not the official maintainer of an open-source program, you can't upload it without changing its name".
winnie_ua, over 2 years ago
WTF, Microsoft?

You need to specify that you are using Visual C++ Redistributable? That's wild. I thought MS Store should take care of such dependency and install it automatically.
YPPH, over 2 years ago
I've generally found app stores aside from the Apple App Store and Google Play to be undesirable essentially for this reason. They don't seem to adequately scrutinise whether someone should be permitted to publish a particular app. It's particularly concerning to see free programs being sold by a third-party.
charles_f, over 2 years ago
Update: offending app was taken down, looks like the official one is moving along https://mobile.twitter.com/KeePassXC/status/1575670749188485125

butz, over 2 years ago
Has anyone tried looking into how this "unofficial" program was uploaded without any policy violations? Are they using some sort of code obfuscation or UPX to bypass automatic checks?

TonyTrapp, over 2 years ago
I've been in the same situation, filled in their contact form multiple times and I got exactly zero feedback, not even an acknowledgement. The app listing by a third party is still there.
somat, over 2 years ago
Has anyone done any analysis on the bogus keepass? Describe what nefarious thing it is doing (I assume stealing passwords) and who it is sending them to?

neves, over 2 years ago
Are you happy with KeePassXC? How is the usability?
charles_f, over 2 years ago
That's a "problem" with GPL, it's immoral but it's not illegal, since the license grants you permission to distribute and charge. Quite concerning though...