Supply Chain Attack

Good morning. Been a STRIP and then Codebook user for a number of years now.

Recently became aware of supply chain attacks wherein a piece of software might have its update process hijacked for a malicious payload - see Backdoored password manager stole data from as many as 29K enterprises | Ars Technica

Thoughts on this from the Codebook perspective?

Hi @phobos512,

Thanks very much for posting this and reaching out. It’s a topic (potential malware updates) that we take quite seriously, and timely in the sense that we have coincidentally been working on additional security improvements for how we deliver updates directly on macOS and Windows. There’s no one solution to the problem, but we have been employing various techniques and best practices over the years to help ensure it doesn’t happen to our customers.

All versions of Codebook (Android, iOS, macOS, and Windows) are code-signed, a technique that makes it possible to verify that an update has come directly from us and has not been tampered with in the time since. The operating systems use this signature to determine whether to launch an application and to identify and suppress it if it’s determined later to be malware. The private keys used to sign our apps are closely guarded and stored safely.

On Android and iOS, updates are managed and verified by the operating system. On Windows and macOS (outside the Mac App Store) we have to do some extra work to ensure our updates are secure. For instance, our software update mechanisms only check for updates over HTTPS.

Recently in Codebook for Windows we’ve updated to a newer and more secure signing certificate that should reduce the incidence of Windows SmartScreen Defender initially flagging legitimate updates due to the fact that when they’re first released they are by definition not widely-used. Codebook for Windows’s software update feature verifies the signature on updates before offering to install them.

On macOS, our updates–in addition to being code-signed–are notarized by Apple’s Notarization service, which checks our updates for malicious components. This also provides further protection later on if our signing keys are exposed, allowing us to work with Apple to revoke any updates determined to be malicious, preventing them from launching on macOS.

In the next version of Codebook for macOS, the software update feature is being updated to include an additional cryptographic signature check on all future updates, providing another layer of protection from potential malware delivery.

Those are the main areas of effort for us in terms of delivering secure updates. Please let us know if you have any questions!
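The reply above describes three client-side properties of a safe update path: updates arrive over HTTPS, the updater checks a cryptographic signature before offering to install, and the keys that sign releases are not the keys shipped with the app. The following is an added example (not Codebook's or Zetetic's own updater code, and not a description of how their update feature is built) showing how such a pre-install check can be structured with an Ed25519 detached signature in Go. The manifest layout, the choice of binding the build number into the signed message, and the sample payload bytes are all assumptions made for this illustration; the public key would be pinned inside the app binary, while the private key stays on the release machine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateManifest is the hypothetical record an updater fetches over HTTPS
// alongside the update archive. The field layout is an assumption for this
// example, not any real product's format.
type UpdateManifest struct {
	Version   uint64 // build number; must strictly increase to block downgrades
	Payload   []byte // update archive bytes (a constructed stand-in below)
	Signature []byte // Ed25519 signature over signedMessage(Version, Payload)
}

// signedMessage binds the version number to the payload hash, so an old but
// validly signed build cannot simply be re-labelled as a newer one.
func signedMessage(version uint64, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	msg := make([]byte, 8, 8+len(digest))
	binary.BigEndian.PutUint64(msg, version)
	return append(msg, digest[:]...)
}

// SignUpdate is the release-side step, run where the private key lives
// (never inside the shipped application).
func SignUpdate(priv ed25519.PrivateKey, version uint64, payload []byte) UpdateManifest {
	return UpdateManifest{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedMessage(version, payload)),
	}
}

// VerifyUpdate is the client-side check run before an update is offered for
// install: the signature must verify against the pinned public key, and the
// version must be newer than the one already installed.
func VerifyUpdate(pub ed25519.PublicKey, installed uint64, m UpdateManifest) error {
	if len(m.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature: update rejected")
	}
	if !ed25519.Verify(pub, signedMessage(m.Version, m.Payload), m.Signature) {
		return errors.New("signature does not verify: update rejected")
	}
	if m.Version <= installed {
		return fmt.Errorf("version %d is not newer than installed %d: downgrade rejected", m.Version, installed)
	}
	return nil
}

// RunScenarios builds a constructed release and runs the client check against
// the genuine update and four tampered or misused variants. A nil error means
// the updater would proceed; any other value means it refuses.
func RunScenarios() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // key the app does not trust
	if err != nil {
		panic(err)
	}

	const installed uint64 = 41
	payload := []byte("constructed update archive bytes for build 42")

	genuine := SignUpdate(priv, 42, payload)

	tampered := genuine // same signature, payload swapped after signing
	tampered.Payload = []byte("constructed archive with different contents")

	relabeled := genuine // same signature, version field bumped after signing
	relabeled.Version = 43

	return map[string]error{
		"genuine":           VerifyUpdate(pub, installed, genuine),
		"tampered-payload":  VerifyUpdate(pub, installed, tampered),
		"relabeled-version": VerifyUpdate(pub, installed, relabeled),
		"wrong-key":         VerifyUpdate(pub, installed, SignUpdate(otherPriv, 42, payload)),
		"downgrade":         VerifyUpdate(pub, installed, SignUpdate(priv, 40, payload)),
	}
}

func main() {
	for name, err := range RunScenarios() {
		if err == nil {
			fmt.Printf("%-18s accepted\n", name)
		} else {
			fmt.Printf("%-18s rejected: %v\n", name, err)
		}
	}
}
```

The downgrade check is the part people most often leave out: a signature alone proves that a file once came from the vendor, not that it is the file the user should be installing now, so an attacker who can serve old builds could otherwise push a client back to a version with a known flaw.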