Snap and Flatpak represent the two dominant approaches to universal Linux application packaging. Both promise that applications run in sandboxes, isolated from the host system and from each other. Both are built on kernel primitives shared with containers (mount namespaces, seccomp filters and, in Snap's case, AppArmor profiles) rather than on a hypervisor. And both have security models that are more complex and more limited than their marketing suggests.
For security teams evaluating which format to support, or whether to support either, the details matter more than the promises.
Snap Security Model
Confinement Modes
Snap packages run in one of three confinement modes: strict, devmode, and classic. Only strict confinement provides meaningful security isolation.
Strict confinement uses AppArmor profiles and seccomp filters to restrict the application's access to the host system. The snap can only access resources explicitly granted through interfaces. This is the default for snaps published to the Snap Store.
Devmode disables confinement for development purposes. Applications run with full system access, but snapd logs the AppArmor and seccomp denials that strict mode would have enforced, which is what makes the mode useful for working out which interfaces a snap needs. Devmode snaps can be published to the Snap Store, but only to non-stable channels (edge and beta), and can only be installed with snap install --devmode.
Classic confinement gives the snap full access to the host system, equivalent to a traditional deb package: no AppArmor profile restricts it and no seccomp filter is applied. Classic snaps undergo manual review before being accepted into the Snap Store and must be installed with snap install --classic, but once installed they have no sandbox restrictions.
The security problem is that many popular snaps request classic confinement because their functionality requires access that strict confinement does not provide. IDEs, development tools, and system utilities frequently run in classic mode, eliminating the sandboxing benefit entirely.
Interface System
Strict snaps request access to host resources through interfaces. An interface is a named connection between a snap and a system resource: network access, file system access, camera, microphone, and dozens of others.
Some interfaces auto-connect, meaning they are granted at install time without user approval; the network interface, for example, auto-connects for most snaps. Whether a plug auto-connects is decided by snapd's base declaration and by per-snap declarations issued by the store, not by the user. Other interfaces require manual connection with snap connect by the user or administrator.
The risk is that interfaces end up connected, automatically or by a user running snap connect, without the implications being understood. A snap with the home interface connected can read and write every non-hidden file in the user's home directory. A snap with the network interface can communicate with any remote server. Run snap connections <snap> to see what is actually connected rather than what the snap declares.
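To turn the confinement and interface points above into a repeatable check, here is an added Python example that is not from the original article or from snapd. It parses the text printed by snap list and snap connections, flags classic- and devmode-confined snaps, and reports connected interfaces that appear on a risk list the author chose. Both sample outputs below are constructed; run the two commands on a real host and feed their output in for a live audit.

```python
"""Audit snapd confinement modes and connected interfaces.

Added example, not from the original article or from snapd. It parses the
text printed by `snap list` and `snap connections`. The sample outputs below
are constructed, and BROAD_INTERFACES is the author's own risk list.
"""
import shutil
import subprocess

# Interfaces that, once connected, give a strict snap reach far beyond its own
# data. Illustrative list; extend it for your environment.
BROAD_INTERFACES = {
    "home",             # read/write non-hidden files in the user's home
    "personal-files",   # snap-declared paths under $HOME, dotfiles included
    "system-files",     # snap-declared arbitrary host paths
    "removable-media",  # /media and /mnt
    "ssh-keys",         # ~/.ssh
    "network-control",  # reconfigure networking, raw sockets
    "docker",           # Docker socket: root-equivalent on the host
}

# Constructed `snap list` output (versions and revisions are made up).
SAMPLE_SNAP_LIST = """\
Name     Version  Rev   Tracking       Publisher   Notes
code     1.0      100   latest/stable  vscode✓     classic
core22   1.0      200   latest/stable  canonical✓  base
firefox  1.0      300   latest/stable  mozilla✓    -
snapd    1.0      400   latest/stable  canonical✓  snapd
"""

# Constructed `snap connections` output. Slot is "-" for a disconnected plug.
SAMPLE_SNAP_CONNECTIONS = """\
Interface        Plug                     Slot             Notes
audio-playback   firefox:audio-playback   :audio-playback  -
camera           firefox:camera           -                -
home             firefox:home             :home            -
network          firefox:network          :network         -
removable-media  firefox:removable-media  -                -
"""


def parse_snap_list(text):
    """Return {snap_name: set_of_notes} from `snap list` output."""
    result = {}
    rows = [line for line in text.splitlines() if line.strip()]
    for line in rows[1:]:                 # rows[0] is the column header
        cols = line.split()
        name, notes = cols[0], cols[-1]   # Notes is always the last column
        result[name] = set() if notes == "-" else set(notes.split(","))
    return result


def parse_snap_connections(text):
    """Return [(interface, snap, connected)] from `snap connections` output."""
    result = []
    rows = [line for line in text.splitlines() if line.strip()]
    for line in rows[1:]:
        cols = line.split()
        if len(cols) < 3 or cols[1] == "-":   # slot-only rows have no plug
            continue
        iface, plug, slot = cols[0], cols[1], cols[2]
        snap = plug.split(":", 1)[0]          # Plug column is "snap:plug"
        result.append((iface, snap, slot != "-"))
    return result


def audit(list_text, connections_text):
    """Return {snap: [findings]}: unconfined snaps and connected broad interfaces."""
    findings = {}
    for snap, notes in parse_snap_list(list_text).items():
        for mode in ("classic", "devmode"):
            if mode in notes:
                findings.setdefault(snap, []).append(f"{mode} confinement: no sandbox")
    for iface, snap, connected in parse_snap_connections(connections_text):
        if connected and iface in BROAD_INTERFACES:
            findings.setdefault(snap, []).append(f"broad interface connected: {iface}")
    return findings


def audit_live():
    """Run the real commands and audit this host (requires snapd)."""
    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    # --all includes disconnected plugs, so the report also shows what is declared but unused.
    return audit(run("snap", "list"), run("snap", "connections", "--all"))


if __name__ == "__main__":
    result = audit_live() if shutil.which("snap") else audit(SAMPLE_SNAP_LIST, SAMPLE_SNAP_CONNECTIONS)
    for snap, items in sorted(result.items()):
        print(snap)
        for item in items:
            print("  -", item)
```

On the constructed sample the report names code (classic, so no sandbox) and firefox (home connected); the disconnected camera and removable-media plugs are not reported, because a declared plug costs nothing until it is connected.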
Store Review Process
Canonical operates the Snap Store, and snapd talks only to that store by default. Snaps can be sideloaded with snap install --dangerous, but that flag skips the store's assertion and signature checks, so anything installed that way carries no provenance at all. Automated store checks verify that snaps do not use prohibited interfaces, that strict-confined snaps do not request excessive permissions, and that the package metadata is valid.
Manual review is required for classic confinement and certain sensitive interfaces. However, the review process focuses on policy compliance rather than malware detection. A snap that follows the store's policies but contains a backdoor in its application code would not necessarily be caught by the review process.
Flatpak Security Model
Bubblewrap Sandboxing
Flatpak uses Bubblewrap (bwrap) to create sandboxed environments with Linux namespaces. Each Flatpak application runs with its own PID namespace and mount namespace, and with its own network namespace unless the application is granted --share=network.
The sandbox restricts the application's view of the host filesystem and limits which system calls it can make through seccomp filters.
Portal System
Flatpak's portal system mediates access to host resources through D-Bus services (xdg-desktop-portal). When an application needs to open a file, it requests access through the file chooser portal, which shows a native file dialog outside the sandbox. The user selects a file, and only that specific file is made accessible to the application: the document portal exports it through a FUSE mount under /run/user/<uid>/doc rather than widening the sandbox's view of the host filesystem.
This is a more granular permission model than Snap's interfaces. Instead of granting broad filesystem access, portals grant access to specific resources chosen by the user at runtime.
Permission Escalation Risks
Flatpak applications declare static permissions in their manifest's finish-args, and the installed application carries them in its metadata. Common grants include the user's home directory (--filesystem=home), the host filesystem (--filesystem=host), or specific paths. Many Flatpak applications request broad filesystem access because they were designed for traditional desktop environments where full filesystem access is assumed.
The --filesystem=host permission grants read and write access to essentially the whole host filesystem, including the user's dotfiles, and disables filesystem sandboxing in any meaningful sense. When evaluating a Flatpak application, check its permissions before trusting the sandbox: flatpak info --show-permissions <app-id> prints the installed metadata, and flatpak override --user --nofilesystem=host <app-id> revokes the grant locally without modifying the package.
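As an added example that is not from the original article or from the Flatpak project, the script below parses the keyfile text printed by flatpak info --show-permissions <app-id>, flags the broad grants discussed above, and prints the flatpak override command that revokes them locally. The sample metadata, the application ID org.example.Editor and the risk table are constructed by the author; the "hardened" sample shows the same application after file access has been moved to the portals.

```python
"""Audit a Flatpak application's static permissions and print the overrides.

Added example, not from the original article or from the Flatpak project.
Input is the keyfile text printed by `flatpak info --show-permissions APP`.
The sample metadata, the app ID org.example.Editor and the RISKY table are
constructed by the author.
"""
import configparser
import subprocess

# Broad grants and the `flatpak override` flag that revokes each one locally.
RISKY = {
    ("filesystems", "host"):     "--nofilesystem=host",      # whole host filesystem
    ("filesystems", "host-os"):  "--nofilesystem=host-os",   # /usr and friends
    ("filesystems", "host-etc"): "--nofilesystem=host-etc",  # /etc
    ("filesystems", "home"):     "--nofilesystem=home",      # $HOME, dotfiles included
    ("sockets", "session-bus"):  "--nosocket=session-bus",   # unfiltered session bus
    ("sockets", "system-bus"):   "--nosocket=system-bus",    # unfiltered system bus
    ("devices", "all"):          "--nodevice=all",           # every node in /dev
}
# Talk access to this bus name lets the app run `flatpak-spawn --host`, i.e.
# execute arbitrary commands outside the sandbox.
RISKY_BUS_NAMES = {"org.freedesktop.Flatpak"}

# Constructed metadata for a hypothetical editor as shipped by its publisher.
SAMPLE_PERMISSIONS = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;session-bus;
devices=dri;
filesystems=host;xdg-run/pipewire-0;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
"""

# The same app after tightening: file access goes through the portals instead.
HARDENED_PERMISSIONS = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=xdg-download:ro;
"""


def parse_permissions(text):
    """Split the [Context] lists and the [Session Bus Policy] map out of the keyfile."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep D-Bus names case-sensitive
    cp.read_string(text)
    context = {}
    if cp.has_section("Context"):
        for key, value in cp.items("Context"):
            context[key] = [v for v in value.split(";") if v]  # values end with ';'
    bus = dict(cp.items("Session Bus Policy")) if cp.has_section("Session Bus Policy") else {}
    return context, bus


def audit(app_id, text):
    """Return (findings, override_command); the command is None when nothing is broad."""
    context, bus = parse_permissions(text)
    findings, flags = [], []
    for key, values in context.items():
        for value in values:
            if value.startswith("!"):            # already negated by an override
                continue
            base = value.split(":", 1)[0]        # strip :ro / :rw / :create suffix
            flag = RISKY.get((key, base))
            if flag:
                findings.append(f"{key}={value}")
                flags.append(flag)
    for name, policy in bus.items():
        if name in RISKY_BUS_NAMES and policy in ("talk", "own"):
            findings.append(f"session bus {policy} {name}")
            flags.append(f"--no-talk-name={name}")  # sets the policy for NAME to none
    command = None
    if flags:
        command = "flatpak override --user " + " ".join(flags) + " " + app_id
    return findings, command


def audit_installed(app_id):
    """Audit an installed application by asking flatpak for its metadata."""
    out = subprocess.run(["flatpak", "info", "--show-permissions", app_id],
                         capture_output=True, text=True, check=True).stdout
    return audit(app_id, out)


if __name__ == "__main__":
    for label, text in (("as shipped", SAMPLE_PERMISSIONS), ("hardened", HARDENED_PERMISSIONS)):
        findings, command = audit("org.example.Editor", text)
        print(label, "->", findings or "no broad grants")
        if command:
            print("  ", command)
```

The :ro and :create suffixes are stripped before matching because a read-only host grant still exposes every file on the machine. Overrides written this way live outside the package, survive updates, and can be listed with flatpak override --show <app-id>; an application that genuinely needs a file will still get it through the file chooser portal.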
Flathub Review
Flathub is the primary Flatpak repository. It accepts contributions from the community through a pull request process. New applications are reviewed by Flathub maintainers, who check metadata, the permissions requested in finish-args, and that the manifest pins its sources (a commit hash or checksum for each download) so that Flathub's own builders produce the published package from known inputs.
However, the review process has capacity limitations. With thousands of applications, reviews can be delayed, and the depth of security review varies.
Security Comparison
Sandboxing Effectiveness
Both formats provide meaningful sandboxing when applications use restrictive permissions. Both fail to provide meaningful sandboxing when applications request broad access to the host system.
Flatpak's portal system provides finer-grained access control than Snap's interface system for desktop applications. Snap's AppArmor-based confinement may provide stronger isolation for server-side applications where portals are not relevant.
Supply Chain Verification
Neither format provides strong supply chain verification. Snap packages are built by publishers who control their own build processes. Flatpak applications on Flathub are built from manifests that reference upstream source code and dependencies, providing some transparency.
Neither format requires reproducible builds, code signing by the upstream developer, or SBOM inclusion. The supply chain trust rests on the store review process and the publisher's reputation.
Update Mechanism
Both formats support automatic updates. snapd refreshes snaps in the background on its own schedule. Flatpak has no background daemon of its own; flatpaks update when the user, a software center such as GNOME Software, or a scheduled job runs flatpak update.
Automatic updates improve security by ensuring patches are applied promptly. They also mean that a compromised update propagates quickly to all users.
Recommendations
Audit Permissions Before Installation
Do not install snaps or flatpaks without reviewing their permissions. A classic-confined snap has no sandbox at all, and a flatpak with --filesystem=host retains only the namespace and seccomp layers, which a malicious application can bypass simply by writing to files the host will execute, such as the user's shell startup files.
Prefer Strict Confinement
When choosing between applications that offer both snap and flatpak versions, prefer the version with more restrictive permissions: a strict-confined snap over a classic one, and a flatpak that relies on portals over one that requests --filesystem=host or --filesystem=home.
Monitor Installed Packages
Track which snaps and flatpaks are installed across your environment, and record each one's confinement mode and its connected interfaces or finish-args. Re-check after updates: a snap refresh can add plugs that auto-connect under store policy, and a Flatpak update can add finish-args that widen the sandbox.
How Safeguard.sh Helps
Safeguard.sh provides supply chain visibility for software deployed through any packaging format, including snaps and flatpaks. It generates SBOMs that reveal the dependencies bundled inside each package, identifies known vulnerabilities in those dependencies, and tracks the software inventory across your organization. When a vulnerability is discovered in a library commonly bundled in snap or flatpak applications, Safeguard.sh identifies every affected installation.