Automatic updates: A seemingly simple feature

2024, Jan 04

We recently introduced an auto-update feature to our app that offers the same convenience that iOS and Android users experience through their app stores.

This means that all users of our app on major platforms will automatically receive the latest version of Rice VPN without needing to download and install it themselves. Importantly, they will always benefit from security improvements, new features, and performance optimizations.
The auto-update feature is especially useful for users in countries with Internet restrictions, where they cannot always easily access Rice VPN's website to perform manual updates. With this feature, applications update automatically when new versions are available, helping to ensure that every user always maintains a secure connection and the best protection for their digital information.
We put a lot of thought into developing this feature and made important technical decisions to ensure that automatic updates are safe and stable.
Security challenges with auto-updates

Auto-update is not a feature that most users give much thought to, as they are used to the auto-update process on their mobile phones. In fact, enabling automatic updates is often considered a good security measure to ensure users are always using the latest version of an application.
While having most customers on the latest version benefits app creators, there can be dire consequences in the event of auto-update problems. For an app to update automatically, it first needs to recognize that an update is available. This requires the developer to send a notification when an update is available, which in our case was sent weekly. Once the app knows an update is available, the second part is delivering that update to the app, and this is where the risk can occur.
Auto-updates can be a target for malicious actors in a supply chain attack, and the consequences can be severe if this feature is not secure. There have been cases across the technology industry where major companies, including PC manufacturers, have been infected with malware at some stage during development or distribution.
As for security, the automatic update process can become a target for a supply chain attack, where malware can be inserted into the update distribution process. This creates a need to verify the integrity of the software after installation, to prevent tampering and replacement of the installer with a malicious version. This verification also includes checking the authenticity of the software to ensure that it is from a trusted developer.
During the implementation of automatic updates, we have established special procedures to prevent malware infections during the development cycle and have been independently audited by Singapore-based auditors. This helps maintain the authenticity and integrity of the code as it is delivered to users, and increases the trust users place in us when using our applications.
Key considerations when implementing automatic updates
This is a classic technical question: will you build the capability yourself or buy it from a third party? Companies, including us, often prefer to use thoroughly tested solutions from third parties to achieve greater efficiency. However, in the case of automatic updates, using a third-party service means handing over a lot of power over your computer. We also recognize that the complexity of such services, which often come with many unnecessary features, can lead to problems.
Our internal security review discovered ways in which those third parties could be used to defeat the security measures we strive to build. For automatic updates in the application, we decided to use the operating system's native mechanism. In effect, we "bought" this capability from the most trusted source, the operating system vendors, rather than from other third parties. The operating system knows how to check whether the software comes from us or not, and we only need to provide a signature and authentication information to perform the update.

The native mechanisms on each platform have been tried and tested, proving their safety. Staying close to the native experience also gives users a more familiar experience on each of our platforms.
During development, we built extensive threat models for Windows, Mac, and Linux to ensure every security threat can be detected and mitigated. This led to some common design decisions for auto-updates across all three platforms, regardless of implementation.
1. Update packages are cryptographically signed to ensure their authenticity and integrity. This is done by using a public key algorithm to digitally sign the data, allowing others to verify the digital signature.
2. To prevent tampering that could lead to "time-of-check to time-of-use" (TOCTOU) errors, update packages are stored in restricted folders on disk. This minimizes the window between the moment the package is checked and the moment it is used, which is when tampering could occur.
3. The update process also includes version checking to prevent downgrade attacks, which revert the software to an older version that may be less secure. This ensures that users are always provided with the latest and most secure version of the software and are not exposed to vulnerabilities in older versions.
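The following added example (not Rice VPN's code) sketches decisions 2 and 3 in an updater: a strict version comparison, an owner-only staging folder, and installing from the same bytes that were checked. It assumes the manifest's signature was already verified by the platform's native mechanism (decision 1); the manifest keys, file names, function names and dotted numeric version format are hypothetical.

```python
import hashlib
import hmac
import os

class UpdateRejected(Exception):
    """The staged package must not be installed."""

def parse_version(text):
    # "2.10.0" -> (2, 10, 0); tuples compare numerically, unlike strings
    return tuple(int(part) for part in text.split("."))

def stage_and_verify(package_path, manifest, installed_version, staging_dir):
    """Return the verified package bytes or raise UpdateRejected.
    Assumption: `manifest` was parsed from metadata whose signature has
    already been verified; its keys "version" and "sha256" are hypothetical.
    """
    # Decision 3: accept only a strictly newer version (blocks downgrade/replay).
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        raise UpdateRejected("not newer than installed: " + manifest["version"])

    # Decision 2: owner-only staging folder, so no other local account can
    # swap the file between the check and the install.
    os.makedirs(staging_dir, exist_ok=True)
    os.chmod(staging_dir, 0o700)
    staged = os.path.join(staging_dir, "update.pkg")
    with open(package_path, "rb") as src:
        data = src.read()
    # O_EXCL refuses a pre-planted file; O_NOFOLLOW refuses a symlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(staged, flags, 0o600), "wb") as dst:
        dst.write(data)
    # Check the staged copy, then hand those same bytes to the installer
    # instead of re-opening a path that could have changed.
    with open(staged, "rb") as f:
        verified = f.read()
    digest = hashlib.sha256(verified).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        os.unlink(staged)
        raise UpdateRejected("digest mismatch")
    return verified

if __name__ == "__main__":
    import tempfile
    tmp = tempfile.mkdtemp()
    payload = b"constructed sample package"  # constructed input
    with open(os.path.join(tmp, "dl.pkg"), "wb") as f:
        f.write(payload)
    m = {"version": "2.1.0", "sha256": hashlib.sha256(payload).hexdigest()}
    print(len(stage_and_verify(os.path.join(tmp, "dl.pkg"), m, "2.0.9", os.path.join(tmp, "stage"))))
```

Comparing versions as integer tuples matters here: as plain strings, "2.10.0" sorts before "2.9.0", which would wrongly reject a legitimate upgrade.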
Streamline your experience
Deployed securely, automatic updates ensure that our users always have the latest version of the app without having to do anything. To enjoy the benefits of automatic updates across platforms, you'll probably need to update your app manually one more time if your current version is out of date, but you should only have to do this once.
The automatic update feature not only simplifies the process, but also brings convenience to users. Also, to discover more about the latest features on our app, including "Rice VPN Lock", you can learn more about our built-in password manager.
