How do you check your update integrity?

Options
bureaucrat
bureaucrat
Community Member
in Mac

With the SHA-1 now very much officially broken, I started to wonder with the 6.6.1 update just installed as I type, I have to wonder how you check for update integrity? Surely the application contacts the server for updates but how do you protect against man-in-the-middle attacks such as DNS spoofing, weak hashes (MD5 and SHA-1 come into mind) and bad certs? I could monitor the network traffic with Wireshark (and dive in with Xcode Instruments) when update process is initiated but unfortunately I can't spare the time for it right now. Perhaps later. That's why I'm asking. You don't have to dive into the details of course but I would love to hear a confirmation that no SHA-1 is used in your update procedure to verify file integrity. I know it's not that bad if you can be absolutely sure that all traffic was initiated and completed in strongly encrypted channels. I'm just a very suspicious chemist wanting to learn as much as possible. Thanks!

1Password Version: 6.6.1
Extension Version: n/a
OS Version: MacOS 10.12.3
Sync Type: Not Provided

Comments

  • rickfillion
    rickfillion
    Options

    Hi @bureaucrat,

    That's an awesome question!

    The app gets a payload from the server. That payload includes a download URL as well as a URL that contains the MD5 of that download. MD5 is absolutely on the list of weak hashes. If we assume that an attacker could manage to somehow fool our app into talking to it, they could probably both feed us a different download, and provide us with an MD5 for it. So the only purpose of the MD5 sum in this case is to verify that the download was succesful and that what we have on disk is what the server provided. It says nothing about who provided it to us.

    The real check, the one you actually care about, happen after that.

    Before installing an update, we inspect it. We look at its codesignature and we make sure that it's signed with the AgileBits Developer ID certificate. It's a relatively straightforward check, and I wrote about it last week on our blog in Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm. See the section called The Eye Of The Storm. What we do is a simple check that says "this app must have our expected identifier, and be signed with our certificate" and of course we check to make sure that the app still passes its codesign designated requirements which ensures there's been no tampering.

    macOS gives us great tools for this, and we love to leverage them for this kind of stuff.

    If you have any more questions about this, feel free to let us know.

    Rick

This discussion has been closed.