We recently introduced auto-updates of our apps for Windows, Mac, and Linux, bringing the same convenience that iOS and Android users have enjoyed with auto-updates through their app stores.
This means users of all our apps on major platforms get the latest version of ExpressVPN when it becomes available, without the need for downloads and installation. It’s always important to get the most up-to-date security enhancements, as well as new features and performance improvements.
Auto-updates are particularly useful for users who are located in countries with internet restrictions and may not always have easy access to the ExpressVPN site to perform manual updates of their apps. With this new feature, the apps will automatically update when a new version is available, ensuring that all users can always stay digitally connected and protected.
Here we outline our considerations when designing this feature, and some of the key engineering decisions we have made to deliver this feature securely.
Security challenges with auto-update
Auto-update might not seem like a major feature for most users; people are accustomed to auto-updates on their phone apps. And in fact it is generally considered good security practice for users to enable auto-updates. On the flip side, having nearly all customers using the latest version of an app carries benefits for app makers, who don’t have to expend effort and resources to ensure compatibility for users still on older versions of the app.
However, when auto-update goes wrong, the security consequences can be catastrophic.
Two things need to happen for an app to update automatically. First, the app needs to know there’s an update. This means the software developer broadcasts a message when an update is available, which in our case happens weekly. Once the app knows there’s an update, the second part is delivering it to the app. This is where bad things could happen.
When an app offers auto-updates, if the feature is not secure, it could become an entry for malicious actors to launch a supply-chain attack, in which malware gets delivered to users. We’ve seen several instances of major technology companies, including PC makers, releasing software and hardware to customers that had been infected with malicious code at some point during development or distribution.
When software gets installed, we need to verify its integrity—that it hasn’t been tampered with. As an example, someone tampering with a file could add a backdoor into the installer, so after the update is installed to the app, the attacker could go through the backdoor to take over your computer. An attacker could also swap out one installer for another. So the other aspect that needs verification is the software’s authenticity—that it really came from us.
When we install something for a user, the user places their trust in us. It’s similar to letting somebody into your house to do something in your home; you implicitly trust that person not to have ill-intentions. We’ve designed processes to prevent contamination to our code during the development cycle, safeguards that have been independently examined by auditors at PwC Switzerland. And our auto-update implementation maintains the authenticity and integrity of our code as it is delivered to our desktop app users.
Key considerations in implementing auto-update
It’s a classic engineering question: Do you build something yourself or buy the capability from a third party? Companies (including us) tend to use well-vetted third-party solutions wherever possible for greater efficiency.
But in the case of auto-update, a third-party service would be given a lot of power on your computer. We also realized that because of the complexities of such services, which had many features we didn’t need, lots could go wrong. Our internal security reviews found ways those third parties could be used to defeat security guarantees we were trying to put in.
For auto-update in our Mac and Linux apps, we opted to use the native operating system mechanisms. So we were buying the capability, but from one of the safest sources—the OS vendors, not other third parties. What this means is the operating systems know how to check if the software is coming from us, and we just need to present them with the right signature and credentials to perform updates.
Native mechanisms on each platform have been tried and tested, proving themselves to be secure. In addition, staying close to the native experience is more intuitive for our users already accustomed to each platform. On macOS, our installers use the standard .pkg format. This .pkg file is signed with a certificate issued by Apple and verified by macOS’s Gatekeeper technology. On Linux, instead of crafting custom scripts, we deliver updates via distribution-specific package managers (APT and YUM). These package managers are both secure and familiar to Linux users.
During the development process, we also created extensive threat models for our Windows, Mac, and Linux auto-updates, a structured way to ensure all possible security threats were surfaced and mitigated. This resulted in some common design decisions across auto-update on all three platforms, no matter how the feature was implemented:
- Update packages are cryptographically signed to ensure authenticity and integrity. This means using public-key algorithms: the publisher signs the package with a private key to produce a digital signature, and the receiving app verifies that signature with the matching public key before installing.
- Update packages are saved in restricted directories on-disk to prevent tampering that could result in “time-of-check to time-of-use” (TOCTOU) bugs. This refers to the gap between the moment the software is last checked and the moment it is used, during which someone could tamper with it.
- Update processes include version checks to prevent downgrade attacks, which cause software to drop to an older, possibly less secure version.
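The three requirements above, combined into one client-side check as an added example (not ExpressVPN's own code): an Ed25519 signature covers a manifest holding the version and the package bytes, the signature is verified before anything else is looked at, and a strict version parser refuses equal or older versions as well as malformed version strings. The manifest format, field names and three-part version scheme are assumptions for the example; the restricted-directory requirement is described in comments rather than implemented.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Manifest is a hypothetical update descriptor constructed for this example: one signature covers both the version and the package bytes (installer stand-in).
type Manifest struct {
	Version string `json:"version"`
	Payload []byte `json:"payload"`
}
// parseVersion accepts exactly "MAJOR.MINOR.PATCH"; signs, leading zeros and
// trailing junk fail the round-trip comparison and are rejected.
func parseVersion(v string) (ver [3]int, ok bool) {
	n, err := fmt.Sscanf(v, "%d.%d.%d", &ver[0], &ver[1], &ver[2])
	return ver, err == nil && n == 3 && fmt.Sprintf("%d.%d.%d", ver[0], ver[1], ver[2]) == v
}
// IsUpgrade reports whether next is strictly greater than cur; equal is not an upgrade.
func IsUpgrade(next, cur string) (bool, error) {
	n, ok1 := parseVersion(next)
	c, ok2 := parseVersion(cur)
	if !ok1 || !ok2 {
		return false, fmt.Errorf("malformed version: %q or %q", next, cur)
	}
	for i := range n {
		if n[i] != c[i] {
			return n[i] > c[i], nil
		}
	}
	return false, nil
}

// VerifyUpdate is the client side: signature first (authenticity and integrity of the whole blob),
// then the downgrade check. It returns the exact bytes that were verified so the caller installs
// those from the updater's restricted directory, never a file re-read after the check (the TOCTOU window).
func VerifyUpdate(pub ed25519.PublicKey, installed string, blob, sig []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, blob, sig) {
		return nil, fmt.Errorf("rejected: signature does not verify (tampered or not ours)")
	}
	var m Manifest
	if err := json.Unmarshal(blob, &m); err != nil {
		return nil, err
	}
	if ok, err := IsUpgrade(m.Version, installed); err != nil {
		return nil, err
	} else if !ok {
		return nil, fmt.Errorf("rejected: %s is not newer than installed %s", m.Version, installed)
	}
	return &m, nil
}
```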
We’re proud to say that we implemented auto-update on all three ExpressVPN desktop apps following these requirements, ensuring security while also achieving ease of use for the user.
Streamlining your experience
Implemented securely, auto-updates ensure our users get the latest versions of our apps without requiring them to do anything. To enjoy auto-updates on Mac, Windows, or Linux, you might need to manually update your app one more time, in case your version is old—but it will be the last.