Automatic updates: A seemingly simple feature

2024, Jan 04

We recently introduced an auto-update feature to our app that offers the same convenience that iOS and Android users experience through their app stores.

This means that all users of our app on major platforms will automatically receive the latest version of Rice VPN without needing to download and install it. Importantly, they will always get the latest security improvements, new features, and performance optimizations.

The auto-update feature is especially useful for users in countries with Internet restrictions, where they cannot always easily access Rice VPN's website to perform manual updates. With this feature, applications update automatically when new versions are available, helping to ensure that every user maintains a secure connection and the best protection for their digital information.

We put many considerations into developing this feature, along with important technical decisions, to ensure the safety and stability of using this automatic update feature.

Security challenges with auto-updates

Auto-update is not an important feature for most users, as they are used to the auto-update process on their mobile phones. In fact, enabling automatic updates is often considered a good security measure to ensure users are always using the latest version of an application.
While having most customers on the latest version benefits app creators, there can be dire consequences in the event of auto-update problems. For an app to update automatically, it first needs to recognize that an update is available. This requires the developer to send a notification when an update is available, which in our case was sent weekly. Once the app knows an update is available, the second part is delivering that update to the app, and this is where the risk can occur.

Auto-updates can be a target for malicious actors in a supply chain attack, and the consequences can be terrible if this feature is not secure. There have been cases in the technology industry where major companies, including PC manufacturers, were infected with malware at some stage during development or distribution.
As for security, the automatic update process can become a target for a supply chain attack, where malware can be inserted into the update distribution process. This creates a need to verify the integrity of the software after installation, to prevent tampering and replacement of the installer with a malicious version. This verification also includes checking the authenticity of the software to ensure that it is from a trusted developer.
During the implementation of automatic updates, we have established special procedures to prevent malware infections during the development cycle and have been independently audited by Singapore-based auditors. This helps maintain the authenticity and integrity of the code as it is delivered to users, and increases the trust users place in us when using our applications.

Key considerations when implementing automatic updates

This is a classic technical question: will you build the capability yourself or buy it from a third party? Companies, including us, often prefer to use thoroughly tested solutions from third parties to achieve greater efficiency. However, in the case of automatic updates, using a third-party service means handing a third party a lot of power over users' computers. We also recognize that the complexity of such services, which often come with many unnecessary features, can lead to problems.

Our internal security review discovered ways in which those third parties could be used to defeat the security measures we strive to build. For automatic updates in the application, we decided to use the operating system's native mechanism. In effect, we bought this capability from the most trusted source, the operating system vendors, rather than from other third parties. The operating system knows how to check whether the software comes from us or not, and we only need to provide a signature and authentication information to perform the update.

The native mechanisms on each platform have been tried and tested, proving their safety. Staying close to the native experience also gives users a more familiar experience on each of our platforms.
During development, we built extensive threat models for Windows, Mac, and Linux to ensure every security threat can be detected and mitigated. This led to some common design decisions for auto-updates across all three platforms, regardless of implementation.

1. Update packages are cryptographically signed to ensure their authenticity and integrity. A public-key algorithm is used to digitally sign the data, allowing others to verify this digital signature.
2. To prevent tampering that could lead to "time-of-check to time-of-use" (TOCTOU) errors, update packages are stored in restricted folders on disk. This is intended to minimize the gap between the time the package was last checked and the time it is used. During this window, there is a risk that the package is swapped for a counterfeit.
3. The update process also includes version checking to prevent downgrade attacks, which cause the software to revert to an older version that may be less secure. This ensures that users are always provided with the latest and most secure version of the software, and avoids the risk of running older, vulnerable versions.
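
The three design decisions above, sketched in Go as an added example (this is not Rice VPN's code). The Manifest layout, the SignedBytes encoding, the build-number scheme and the StageUpdate function are hypothetical, and Ed25519 stands in for whichever public-key algorithm the platform's native mechanism uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Manifest is a hypothetical signed update descriptor, not the app's real format.
type Manifest struct {
	Build  uint32   // assumed monotonically increasing build number
	SHA256 [32]byte // digest of the package the manifest describes
}

// SignedBytes is the exact byte string the vendor key signs.
func (m Manifest) SignedBytes() []byte {
	return []byte(fmt.Sprintf("update-manifest-v1:%d:%x", m.Build, m.SHA256))
}

// StageUpdate runs the three checks and returns the path of the verified copy.
func StageUpdate(pub ed25519.PublicKey, m Manifest, sig []byte, installed uint32, pkg []byte, root string) (string, error) {
	switch {
	case !ed25519.Verify(pub, m.SignedBytes(), sig): // 1. authenticity
		return "", errors.New("manifest signature invalid")
	case m.Build <= installed: // 3. refuse downgrade or replay of an old signed release
		return "", errors.New("build is not newer than the installed one")
	case sha256.Sum256(pkg) != m.SHA256: // 1. integrity of the package itself
		return "", errors.New("package does not match signed digest")
	}
	// 2. The checked bytes are what gets written, into a 0700 directory (os.MkdirTemp).
	dir, err := os.MkdirTemp(root, "update-")
	if err != nil {
		return "", err
	}
	path := filepath.Join(dir, "package.bin")
	if err := os.WriteFile(path, pkg, 0o400); err != nil {
		return "", err
	}
	return path, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	pkg := []byte("constructed package bytes")
	m := Manifest{Build: 42, SHA256: sha256.Sum256(pkg)}
	fmt.Println(StageUpdate(pub, m, ed25519.Sign(priv, m.SignedBytes()), 41, pkg, os.TempDir()))
}
```

Because the version is part of the signed bytes, an attacker cannot relabel an old, validly signed package as a newer build without invalidating the signature.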

Streamline your experience

Deployed securely, automatic updates ensure that our users always have the latest version of the app without having to do anything. To enjoy the benefits of automatic updates across platforms, you'll probably need to update your app manually once more if your current version is out of date, but you will only have to do this once.

The automatic update feature not only simplifies the process, but also brings convenience to users. To discover more about the latest features in our app, including "Rice VPN Lock", you can learn more about our built-in password manager.
