Are AppImages a general security risk?

I have heard that AppImages depend on an outdated library.
But I need AppImages for some applications like Cryptomator that are buggy as a Flatpak.

Is it ok to have some AppImages on the system?

2 Likes

It depends on your threat model.

3 Likes

It’s best to avoid them so I’d recommend reporting any bugs you find with the Flatpak to Cryptomator. In the meantime it might be better to install it from one of the repositories they endorse (PPA, AUR, Nix) if any of those apply to you. If your distro isn’t supported and you really wanted to avoid AppImages you could mess with Distrobox, but it can take time to learn and has its own downsides.

3 Likes

I use AppImages to run many apps on various computers (PrismLauncher (because new versions don’t support offline bypass, but that’s not the topic), VeraCrypt (because updating manually is hell), StandardNotes and some more video/photo editing software).

It is not a “security nightmare”, but it acts as a raw binary, so it can abuse rights because of the lack of a sandbox, and it is still a “no trust = do not run” approach.

P.S.: Hashes and VirusTotal are always a good approach, but this isn’t bulletproof.


Actually, I have not found any serious problems with Cryptomator in the Flatpak version so far.

2 Likes

I believe much of the security concern brought up by @Kabo is around AppImage’s reliance on the outdated and unmaintained fuse2 library, and not sandboxing concerns[1].


  1. Though sandboxing concerns are equally valid in my view.

2 Likes

Correct me if I’m wrong, but doesn’t Cryptomator also use fuse2 to mount volumes?

1 Like

As far as I can tell, no, Cryptomator does not use fuse2 on Linux, and requires fuse3 instead.

Reference: Volume Types | Cryptomator Documentation

Linux-Based OS

FUSE

Requirements: Linux, fuse3 installed

FUSE on Linux works only if the fuse3 package is installed. Luckily, fuse3 comes pre-installed on many Linux distributions.

Note: this requirement is separate from the AppImage requirement for fuse2 to be installed.

1 Like

But I need to get the job done and can’t wait till they someday patch the bug.

PPA seems like it’s an Ubuntu thing?

The other two are specific to distros I don’t use.

Isn’t this too much overhead?

Yes, although I prefer Flatpak mostly because of sandboxing, in the case of Cryptomator it needs very strong permissions that allow sandbox escape anyway.

So I wonder, is AppImage a security risk, even if you assume that the devs are not malicious?

1 Like

The newer appimage runtime does not use fuse2 anymore.

2 Likes

I think every threat model should prefer not to use outdated libraries.

2 Likes

Thank you for your perspective.

1 Like

Report it and use the AppImage in the meantime?

I’m just presenting what officially endorsed packages they offer as alternatives. If you can’t or don’t want to use any of them, you’re obviously stuck with the AppImage (or an unofficial package which has its own risks) until they resolve the Flatpak bugs which can only happen if you report them.

1 Like

When in doubt, wrap it in a vm. Your distro should have boxes or virt-manager.

3 Likes

So does the Cryptomator .AppImage use outdated libraries or not?

1 Like

Since it doesn’t specify --runtime-file, it uses the default runtime, which doesn’t use the unmaintained version.

3 Likes
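The thread's practical question is how to tell, before running a downloaded AppImage, whether it carries the legacy fuse2-dependent runtime or a newer one, and whether the file is the one the publisher shipped. The script below is an added example written for this thread; it is not code from AppImage, AppImageLauncher or Cryptomator. It rests on these assumptions: a type-2 AppImage starts with an ELF runtime whose magic bytes "AI\002" sit at offset 8; the runtime ends where the ELF section header table ends (e_shoff + e_shentsize * e_shnum), which is the same boundary a real AppImage reports with `./app.AppImage --appimage-offset`; and the legacy AppImageKit runtime contains the string "libfuse.so.2" because it loads that library at run time, so a runtime prefix without that string is treated (heuristically) as not the legacy runtime. The fixtures it builds are constructed fake files, not real AppImages, so it runs offline; 64-bit ELF on a little-endian host only.

```shell
#!/bin/sh
# Added example for this thread, not code from the AppImage or Cryptomator projects.
# Pre-run checks for a downloaded AppImage:
#   1. type-2 AppImage magic ("AI\002" at offset 8);
#   2. SHA-256 against a checksum the publisher lists;
#   3. heuristic for the fuse2-dependent legacy runtime: only the ELF runtime
#      prefix (before the squashfs payload) is searched for "libfuse.so.2",
#      so libraries bundled inside the payload do not trigger a false hit.
# Assumption: the legacy runtime names libfuse.so.2 and newer static runtimes
# do not. Needs od, head, grep, cut, sha256sum, mktemp (coreutils/grep).

# 0 if FILE carries the type-2 AppImage magic bytes 0x41 0x49 0x02 at offset 8.
appimage_is_type2() {
    [ "$(od -An -tx1 -j8 -N3 "$1" 2>/dev/null | tr -d ' \n')" = "414902" ]
}

# Print the byte offset where the ELF runtime ends and the payload begins.
# 64-bit ELF only (EI_CLASS == 2); host assumed little-endian like x86-64.
elf_end_offset() {
    [ "$(od -An -tx1 -j4 -N1 "$1" | tr -d ' \n')" = "02" ] || return 1
    shoff=$(od -An -tu8 -j40 -N8 "$1" | tr -d ' \n')      # e_shoff
    shentsize=$(od -An -tu2 -j58 -N2 "$1" | tr -d ' \n')  # e_shentsize
    shnum=$(od -An -tu2 -j60 -N2 "$1" | tr -d ' \n')      # e_shnum
    echo $((shoff + shentsize * shnum))
}

# Print "fuse2-runtime" if the runtime prefix references libfuse.so.2,
# "no-fuse2-ref" otherwise, "unsupported-elf" if the header is not ELF64.
appimage_runtime_hint() {
    end=$(elf_end_offset "$1") || { echo unsupported-elf; return 1; }
    if head -c "$end" "$1" | grep -a -q 'libfuse\.so\.2'; then
        echo fuse2-runtime
    else
        echo no-fuse2-ref
    fi
}

# 0 if FILE's SHA-256 equals EXPECTED (lowercase hex from the publisher).
appimage_verify_sha256() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Combined gate: print a verdict; non-zero return means do not run the file.
appimage_precheck() {
    if ! appimage_is_type2 "$1"; then echo "reject: not a type-2 AppImage"; return 1; fi
    if ! appimage_verify_sha256 "$1" "$2"; then echo "reject: sha256 mismatch"; return 1; fi
    echo "ok: $(appimage_runtime_hint "$1")"
}

# Constructed fixture, not a real AppImage: a 64-byte ELF64 header carrying the
# AppImage magic with e_shoff=64, e_shentsize=64, e_shnum=1 (so the "runtime"
# ends at byte 128), a 64-byte runtime region, then an arbitrary payload.
mk_fake_appimage() {
    out=$1; runtime=$2; payload=$3
    {
        printf '\177ELF\002\001\001\000AI\002\000\000\000\000\000'  # e_ident with AppImage magic
        head -c 24 /dev/zero                                        # e_type .. e_phoff
        printf '\100\000\000\000\000\000\000\000'                   # e_shoff = 64
        printf '\000\000\000\000\100\000\000\000\000\000'           # e_flags, e_ehsize=64, e_phentsize, e_phnum
        printf '\100\000\001\000\000\000'                           # e_shentsize=64, e_shnum=1, e_shstrndx
        printf '%s' "$runtime"; head -c $((64 - ${#runtime})) /dev/zero
        printf '%s' "$payload"
    } > "$out"
}

# Stand-alone demo on the constructed fixtures.
demo() {
    d=$(mktemp -d)
    mk_fake_appimage "$d/legacy.AppImage" "legacy runtime dlopen libfuse.so.2" "squashfs payload"
    mk_fake_appimage "$d/static.AppImage" "static runtime, fuse3 built in" "payload that ships libfuse.so.2 itself"
    appimage_precheck "$d/legacy.AppImage" "$(sha256sum "$d/legacy.AppImage" | cut -d' ' -f1)"
    appimage_precheck "$d/static.AppImage" "$(sha256sum "$d/static.AppImage" | cut -d' ' -f1)"
    appimage_precheck "$d/static.AppImage" "deadbeef" || true
    rm -rf "$d"
}
demo
```

The string match is a hint, not proof: the authoritative answer is which runtime the publisher passed to appimagetool (the `--runtime-file` point made above), and the checksum only helps if it comes from a channel you trust independently of the download.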

I now tried to use the Cryptomator AppImage, but if I try to integrate it with AppImageLauncher it gives an error message “Failed to register AppImage in system via libappimage”.

And if I try to run it without integration, just nothing happens.

1 Like

This should help you

3 Likes

Is the default runtime distribution specific?

1 Like

prism launcher

Here are some forks so you don’t need to use an old version.

1 Like

No, it depends on how the AppImage was built by the developers.

2 Likes