New Here?
My name is Nir and I'm the founder of Nbd-Tech. This blog is about things that interest me, so you can find posts on productivity, running a software company and obscure technological topics.
This is part 2 of the series; part 1 is here.
Before describing how an auto-update feature might work, I want to talk a bit about security. An auto-update feature by definition downloads and runs programs from the internet. Your users trust that your auto-update mechanism will only download and install updates to your software – don't abuse this trust.
The internet is a dangerous place. The bad guys might find a way to modify your web site – or to completely hijack it. When your program downloads updates, it has to be 100% sure those updates are from you and not from some hacker.
Verifying updates when you can't trust the source sounds like a difficult task, but it's not: that's what digital signatures are for.
Just follow these simple rules:
- Don't ever write your own encryption or digital signature code.
- Always digitally sign your updates.
- Don't ever write your own encryption or digital signature code – even if you think you know what you are doing.
- Embed the public key in your program.
- Keep the private key secure, never upload it to any internet server.
- Don't ever write your own encryption or digital signature code – even if you really know what you are doing.
- In your program, never install (or even unpack) any file that doesn't have a signature or has an invalid signature. Test those cases before releasing the software.
- Use a big key, larger than 1024 bits (1024 bits is the default in many systems and is still secure but may be cracked soon, just use a larger key).
- And finally, don't ever write your own encryption or digital signature code.
As you might guess from the list, the most important thing is to use a digital signature library that is widely used and has been written and reviewed by experts. .NET has System.Security.Cryptography, Win32 has CryptoAPI and most other platforms also have cryptography libraries – use them.
In the next post in this series I'll write about the inner workings of an auto-update feature.
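The check described by the rules above, as an added example that is not code from this blog: it uses .NET's System.Security.Cryptography to refuse any update whose signature is missing, malformed or invalid. The names `UpdateVerifier` and `IsTrustedUpdate` are hypothetical, the key pair generated in `Main` is a constructed stand-in for the publisher's offline key, and RSA with SHA-256, PKCS#1 v1.5 padding, a 3072-bit key and .NET Core 3.0 or later are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class UpdateVerifier
{
    // Accept an update only if a signature is present AND verifies against the
    // public key embedded in the program. Any other outcome means "do not unpack".
    public static bool IsTrustedUpdate(byte[] package, byte[] signature, RSA embeddedKey)
    {
        if (package == null || signature == null || signature.Length == 0)
            return false;                       // unsigned update
        if (embeddedKey.KeySize <= 1024)
            return false;                       // rule from the list: key larger than 1024 bits
        try
        {
            return embeddedKey.VerifyData(package, signature,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
        catch (CryptographicException)
        {
            return false;                       // malformed signature blob
        }
    }

    static void Main()
    {
        // Constructed sample: in a real release process the key pair is created once,
        // the private half stays offline, and only publicKey ships inside the program.
        using RSA publisher = RSA.Create(3072);
        byte[] publicKey = publisher.ExportSubjectPublicKeyInfo();
        byte[] package = Encoding.UTF8.GetBytes("constructed update payload v2.0");
        byte[] signature = publisher.SignData(package,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        // Client side: only the embedded public key is available.
        using RSA embedded = RSA.Create();
        embedded.ImportSubjectPublicKeyInfo(publicKey, out _);

        byte[] tampered = (byte[])package.Clone();
        tampered[0] ^= 0x01;                    // a single modified bit must fail verification

        Console.WriteLine($"valid signature:   {IsTrustedUpdate(package, signature, embedded)}");
        Console.WriteLine($"tampered package:  {IsTrustedUpdate(tampered, signature, embedded)}");
        Console.WriteLine($"missing signature: {IsTrustedUpdate(package, null, embedded)}");
        Console.WriteLine($"empty signature:   {IsTrustedUpdate(package, Array.Empty<byte>(), embedded)}");
    }
}
```

The last three cases are the ones the list says to test before release; verification has to run on the downloaded bytes before anything is unpacked or executed.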
		
		    
posted @ Wednesday, June 20, 2007 11:34 AM