Today Christopher Soghoian of the American Civil Liberties Union sarcastically thanked the Department of Justice after journalist Seth Rosenblatt told people to turn off app auto-updates in his article for The Parallax, "How to FBI-proof your Android". Let me explain a couple of things about app auto-updates. If you update your apps automatically, you can expect to receive the latest updates and security fixes, but at the same time you are opening yourself up to malware being distributed through the apps on your phone. This isn't theoretical: it actually happened last year to the Apple App Store, where the store itself was compromised and 85 popular apps had malware added to them. Anyone who allowed auto-updates on their iPhone had that malware put on their phone.
This isn't the only incident of its kind, but when it does happen it usually isn't talked about much. I also want to make something clear: Christopher and I both care about privacy when it comes to app auto-updates, but we hold different views on this topic. While the disputed article directly references the FBI in its title, the article itself simply offers good advice on Android app security.
If testing app auto-updates isn't on your long list of things to check during a complete security audit, then you're doing things differently than my company. Our list is quite long and we won't make it public, but attacking auto-updates is part of a complete security audit at my company, planetzuda.com. If this isn't on your list of things to test, you may want to include app auto-updates in the future. I can assure you it is most likely on any attacker's to-do list.
How long should I wait to update apps?
This all depends on you, but I would advise updating no later than 24 hours after the app update has been released. While I am aware this advice goes against that of other researchers, I am quite careful when it comes to privacy and look at every way a feature can be abused, especially the ones that are supposed to help make you more secure, like app auto-updates. So, to sum this up, I agree with disabling app auto-updates for privacy reasons.