Hot patching: Resist, and hackers get the upper hand

Hot patching, a method of dynamically updating a system or application without downloading a new version or, in some cases, even restarting it, helps developers deliver bug fixes or enhancements to users quickly and automatically. Unfortunately, if we do not embrace hot patching—in spite of its potential for security exposures—the ones who stand to gain the most are hackers.


White hats versus black hats

In the world of hacking, there are good hackers and bad hackers. They're referred to as "white hats" and "black hats," respectively; white hats hack systems with benign intent (e.g., testing for security holes), but black hats hack for much more nefarious reasons (e.g., to steal money, information, or identities).

But where do developers who use hot patching fall? In the case of iOS app hot patching, it's unclear. iOS developers may mean well when updating their apps using a hot-patching method; however, when you circumvent the procedures and security measures put in place (Apple's security review and approval procedures), you expose users to potential security breaches. Some would consider developers who knowingly violate guidelines and security measures to be hackers.

Hot patching: Who do you trust?

The first potential security exposure to consider with hot patching relates to developer trust. Are you sure that the developer of the hot-patched app in question isn't adding code that accesses APIs or databases that are otherwise off-limits, such as photo album data and address book entries? Apple and Google both have policies that prohibit or control certain APIs and device data. Circumventing the app review process via hot patching is a way around this.

Next, are you sure no one is snooping on this process or intercepting and changing the code that's downloaded as part of the hot patch? With no controls over app updates, code submissions, and reviews, there's no way to be sure you're protecting user data. Even if the hot-patched code in question is innocent, it could be modified at some point in the unofficial update process. This includes exposure at the originating servers, while en route over the Internet, or even while it's being applied on the device.

Additionally, with unofficial hot-patching methods, there may be no way to prove that the patches are coming from the original developer. For instance, if a black hat discovers a vulnerability in the hot-patching facility built into a popular mobile app, malware can potentially be hot patched without the user or the developer ever knowing. These and other risks are described in detail online.

Some operating systems such as Linux have slowly built support for dynamic software updates (DSUs) into their kernels. Arguably, Windows Update is a DSU facility as well; it downloads and applies updates automatically, even if reboots are sometimes required. According to Microsoft, the Windows Update facility is secure because patches are downloaded only from trusted and secured servers. However, some are skeptical of any company's ability to guarantee security.

Resistance to hot patching is futile

In the Linux world, work is being done through facilities such as kpatch and kGraft to securely apply trusted patches without forcing users to reboot their systems. Essentially, the only difference between a Linux hot patch and an OS update will be that no reboot is required. This hasn't garnered the attention in the mobile world that hot patching has, largely because it's a sanctioned technology built in a way that ensures trust.

As for the fate of JSPatch and other unofficial hot-patching methods, perhaps the best way to make them safe is for companies such as Apple to embrace them. For instance, while it's best that Apple search for and flag apps that include unofficial hot-patching code as part of the iOS app approval process, it should also consider a safe hot-patching alternative in which the facility used and patches being applied are proved trusted, safe, and secure.
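The tampering and impersonation risks described earlier, and the trusted-patch facility proposed here, both come down to one gate the app runs before applying anything. The following is an added Go example, not code from this article, from JSPatch, or from any vendor: the app pins the developer's Ed25519 public key and accepts a patch only if the signature over a version-plus-digest manifest verifies, the downloaded body hashes to that digest, and the version is newer than the installed one. All type and function names and the sample patch are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// PatchManifest is what the developer signs: patch version plus SHA-256 of the body.
type PatchManifest struct {
	Version    uint64
	BodySHA256 [32]byte
}

// encode returns the exact bytes that are signed and later verified.
func (m PatchManifest) encode() []byte {
	return append(binary.BigEndian.AppendUint64(nil, m.Version), m.BodySHA256[:]...)
}

// SignManifest is the developer-side step: hash the body, then sign the manifest.
func SignManifest(priv ed25519.PrivateKey, body []byte, version uint64) (PatchManifest, []byte) {
	m := PatchManifest{Version: version, BodySHA256: sha256.Sum256(body)}
	return m, ed25519.Sign(priv, m.encode())
}

// VerifyPatch is the device-side gate: signature under the pinned key, body matches
// the signed digest, and version is newer than the installed one (no replay/downgrade).
func VerifyPatch(pinned ed25519.PublicKey, m PatchManifest, sig, body []byte, installed uint64) error {
	if !ed25519.Verify(pinned, m.encode(), sig) {
		return errors.New("manifest signature invalid: not signed by the pinned developer key")
	}
	if sha256.Sum256(body) != m.BodySHA256 {
		return errors.New("patch body does not match the signed digest: modified in transit or at rest")
	}
	if m.Version <= installed {
		return errors.New("patch version is not newer than the installed one: replay or downgrade")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil means crypto/rand; pub is what the app pins
	body := []byte("// constructed sample patch\nfixCheckoutCrash();")
	m, sig := SignManifest(priv, body, 2)
	fmt.Println("genuine:", VerifyPatch(pub, m, sig, body, 1))
	fmt.Println("tampered:", VerifyPatch(pub, m, sig, append([]byte("x"), body...), 1))
	fmt.Println("replayed:", VerifyPatch(pub, m, sig, body, 2))
}
```

The same gate rejects a manifest re-signed by any key other than the pinned one, which is the "is this really from the original developer" check the article says unofficial mechanisms lack.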

If the hot-patching situation and debate prove nothing else, it's that there's a big demand for this technology. Fighting it won't prevent it from happening—it will only prevent it from being done safely.
