Replies (85)
Someone download it and find out what nefarious changes have been bundled in?? :)
who uploaded it?
I am doing that now
I saw something about if someone just searches the GH link it auto adds the project to Zapstore. Maybe that's it?
This raises an interesting question. My understanding is that zapstore only shows me curated apps from @Zapstore team and apps from my WoT. So how did this get in there?
Testing will now :)
Is it possible to have light theme?
I'm thinking that's it. I forked Wisp for testing purposes and did the search so Zapstore would index my version, but I didn't intend for anyone else to see it in Zapstore!
Still not used to the keyboard on GrapheneOS
is this your fork?
I think so
Found it :)
Same with uninstall and update options... 😵‍💫
What's more troubling to me is that I cannot find the one you signed anymore when I search for Wisp.

I see both, if I scroll down to latest releases:

Odd. I don't see it there either:

Yeah this is super bad not even ranked by trust or anything
@franzap people are probably getting rekt right now
This is an April Fool's joke.
I think the "fake wisp" is your github install that zapstore sees on your phone. People who do not have it installed, or only have it installed through zapstore, will not see it.
even if it is the same apk
No it's not there is a malicious repo on GitHub linked to this zapstore entry
Yep this i think could be checked like "only display updates if from the same source" if an app has different forks or publishers you only get if updated your fork
Almost fell for it.. I double checked the github acc and it was leading nowhere .. glad I didn't directly download it
What a good April Fool's prank...
When it doesn't have a user at the top it's the one signed by zapstore I think
I see now, it's another repo
I see both and both are indicated as installed, but I actually only installed the correct one because the other showed the signature mismatch I reported earlier, but @Zapstore offered it as ready for update. This is definitely unfortunate and needs to be resolved.
Coming from iOS? I'm still having issues
Way to get famous
Lol
Comments on the one app appear on the other, too.
@franzap guess there's several issues to be fixed here.
all part of being a good tester 🫡
I saw both in my @Zapstore update list, tapped to update the one signed by @utxo the webmaster 🧑‍💻 then both updated simultaneously.
I almost updated
Wait are they both fake?
now there's only the fake one
I deleted mine already because when I downloaded initially it was from Zapstore. Oh well
Just had the same with Amber.
Wasn't me.
Coming from Android. It's just that I haven't set up the FUTO keyboard properly in different users
Ahh yes, same issue. I actually want to use the default keyboard but the one thing I'm missing the most is: moving cursor with spacebar swiping
Btw. are you using Tor in Wisp?
No, it shows all apps, but shows you who signed or zapped the app. I don't think WoT filters the apps.
Why I Obtainium. I can pull directly from the source I validate.
Still not the best but seems better than just accepting anything that just randomly shows up in an app store.
I get notified every five minutes that you've made an update. At least I know it's you, unless you pull an npm and become compromised.
flies and shit eh?
Amber and Amethyst have been like that for 3 weeks now on my app list on @Zapstore
Clear local storage, please
Clear local storage, it's fixed
Found it.
This would have been worse on Obtainium, actually, where you have *less* signals as to what is legit
Guys clear local storage, it's fixed
It shows you exactly who it came from and also if it's from a rando on Github
Are you sure it's not just the client formerly known as Ditto?
It's the best thing about today
Saw your post this morning. Didn't even need to clear my cache and @utxo the webmaster 🧑‍💻's signed version was back and the other one was gone.
Thank you for quickly getting it fixed!
Something something imitation something flattery
Correct. If you choose to install an app for the first time, you will get an "are you sure?" type of message that shows whether anyone in your web of trust follows the publisher of the app, but that doesn't show up at all for updating.
It would be nice if @Zapstore showed WoT on the app information page prior to tapping "install."
Following your logic I assume you meant prior to tapping "Update"
What's the point of doing that?
Kind of a good red team test of Zap Store tbh
I wish I wore a red hat, I'm just a goofball tester 🤣
No, the need for seeing WoT before updating is resolved by the fix you made today, assuming that was a general fix and didn't only apply to Wisp.
I'm talking about having WoT visible on the app info page simply because people viewing that page may find the information useful. If they have never installed the app before, they might use it as part of their decision-making process, or they may just want to see if the publisher is reputable before adding the app to one of their stacks, since others might view that as their endorsement.
Only having that information visible when a user hits "Install" means that users have mostly already made the decision that they're going to install the app before information that may have changed their mind is presented, and it means the information isn't visible at all for users who already have the app installed, but still may find WoT details useful for other reasons.
"Oh, my buddy Derek follows this dev? He probably uses this app too so I'll reach out to see how he likes it compared to X similar app."
Your choices are tard helmet or propeller cap
why not both?
Helmet with propeller would be sick
and tinfoil hat
I'm wearing a roman helmet to honor my ancestral roots and prevent my CTE from gettin CTE
Oh got it. Yes fully agree and it's coming.
The update issue was always solved by Android itself.
don't forget lax and wrestling lol
Had some of the most brutal collisions in lacrosse
How?
UTXO has his GitHub in his profile, I can see the Wisp repository and the releases provided.
I add the URL and I'm done.
I've used my "WoT" to determine what I install.
Mine has a different logo. A more faded flame
Both Github users were also on Zapstore and prominently shown.
It's much easier to get phished with Obtainium as there is no additional web of trust layer.
All indexed apps on Zapstore, by the way, are pulled from their original location so it's exactly the same as Obtainium in that regard
RED ALERT
THERE IS A FAKE WISP ON ZAPSTORE!! DO NOT DOWNLOAD IT
GITHUB OR WISP.MOBILE ONLY

It's clearly one of the two issues:
Naming
Caching
Off by one error
Yes, it works well
how many humans use zapstore?
Too long don't wanna read. Did I just cook my nsec yesterday or not?
Was it a bad April Fools or wtf? Would be nice to know if I should find a new nsec
Your nsec is safe, at least related to this zapstore issue
Cheers!