Almost every mobile platform today comes pre-packaged with some sort of app store. For Android that’s Google’s Play Store, Windows Phone and iOS both have their own app stores, too. All of these marketplaces allow you to browse, search, find, and download apps for your mobile device. They each also let you update the apps that you’ve already installed on your device, whenever an update is published.
Facebook recently started updating their app — from within their app. If that sounds strange to you, it is.
The usual manner of updating would be by pushing a new version of the .apk to the Play Store which would then notify users that an update was available. The Play Store would then push the update to your device. This allows Google the opportunity to scan the new .apk for malicious code before it gets pushed to the smartphones and tablets of thousands upon thousands of users — but that’s not the way Google works.
Unlike some other platforms, Google doesn’t pre-screen updates to pre-existing apps before allowing users like you and I to download them. They don’t even pre-screen new apps when they’re submitted. Some would argue this is a bad practice and is inviting malicious software. Others would argue that it ensures that the “keeper” of the app catalog isn’t censoring apps, or excluding them because of some arbitrary reason. There’s logic behind both arguments.
Google can (and does) routinely scan apps in the Play Store for malicious code — then removes them not only from their store, but also from “infected” devices as well. Facebook’s new updating scheme bypasses Google’s security — sort of.
If a malicious coder wanted to do some hackery with Facebook’s app, under the “classic” scheme that hacker would have to be able to log in to Facebook’s Google Play account and replace the Facebook app with another that they’d put their own code into. Though not impossible, it’s unlikely — especially if Facebook is using 2-step verification for their developer account.
We don’t know exactly how Facebook’s new “in-app update” mechanism works, but, being a developer myself, let’s do a little theorizing, shall we? The updating mechanism would have to “know” about all the installed locations (the phones and tablets upon which the app is installed). This could be done by the updating service having a list of every device with the app installed (and probably the version and build number of said app on each device).
This type of updating could also be done by the app “phoning home” with its identity and build number to the updating server. The server would then respond with the updated bits of code for the app to install.
In Scenarios 1 and 2, someone would have to breach the account on either the Google or Facebook site and upload a malicious update.
In Scenario 3, a hacker could theoretically exploit an Internet vulnerability and masquerade as Facebook’s updating server, then respond with a compromised app.
In Scenario 1, the developer would also have to have access to Facebook’s app signing key — something that theoretically only a Facebook employee would have access to. In Scenarios 2 and 3, the Facebook app may or may not be doing signature verification on the update to ensure that it’s legitimate. If I worked for Facebook, I’d insist on that functionality and would put my job on the line if upper-management didn’t agree. If I were upper-management at Facebook, I’d listen to that passionate developer and ensure that signature verification was at the core of the updating mechanism — and delay the release of the self-updating app until that signature mechanism was solid.
In the end, Facebook (or any other app) bypassing Google’s systems to install updates inside the app itself isn’t likely to expose you, the end user, to any more risk than an update distributed via Google. It is, however, going to force each developer who wants to enable such a mechanism in their own app to reinvent the proverbial wheel — and as smaller developers start doing this, or managers who don’t understand security get involved, the risk increases significantly.
While the Facebook scenario is real, and isn’t likely impacting your security today, Google’s new app updating rules could potentially prevent negative experiences in the future. Luckily the rule was put in place now, so we’ll hopefully never know if the change protected us or not.