I'm curious, what precaution is portableapps.com taking in the case of a developer being infected with a zero day virus that injects/copies itself into an executable in a main portable program and then gets redistributed unknowingly through the automatic program update feature?
How does a user know that they can safely update their programs without the fear of this happening? Are these apps being "portablelized" through a clean and secured environment?
Don't get me wrong, love the feature and apps, but really it's a legitimate question.
All base apps are scanned using 2 of the 'top 10' antivirus products before being packaged. Once packaged, the apps are digitally signed using a code signing certificate which is kept on a secured machine. All the apps also have built-in self check abilities so if they are infected after packaging, the installers will error and fail to install. The apps themselves are then hashed and the hashes are recorded in the updater/app store database. The database is stored in a separate location (logically and physically) from the download servers with separate login credentials. If a file were to be infected by a virus on, say, SourceForge's mirror network, the updater would automatically detect that the file is corrupt/modified, refuse to run it, and alert the user. Incidentally, that's also how we find out when one of the 2 dozen mirrors gets an incomplete version of a file now and then.
In the case of publisher-maintained apps, much the same applies. We virus scan the apps before publishing them in the database. All the apps are hashed and the hashes recorded. And the updater/app store can detect when they are altered.
In the case of online installers, we use the same techniques and only link to a specific version of the base app for the installer to download. The app is scanned before we 'package' it and hashed. The hash is similarly verified by the updater/app store as well as by the online installer itself. In the case where a publisher makes an app available for packaging in an online installer through a URL that isn't tied to a specific version, we host their base app ourselves in a location that is version specific so that it works with our system and can be scanned, hashed and verified by the whole process.
In the case of a zero day vulnerability that somehow managed to infect the base developer of an app itself (if Mozilla's build environment were affected, for example), once the issue is realized, we have the ability to place a 'take down' EXE in the updater database/app store and have the platform let users know that there is an update available to remove the affected app.
Sometimes, the impossible can become possible, if you're awesome!
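
The updater-side hash check described in the post above, sketched as an added example; it is not part of the thread and not PortableApps.com's code. The use of SHA-256, the record fields, and the file names are assumptions, and the installer bytes are constructed sample data.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for one updater/app store database record. The post says
# the hashes are kept apart from the download servers; the field names, SHA-256
# and the recorded size are assumptions made for this example.
def make_record(name, data):
    return {"file": name, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest()}

def sha256_file(path, chunk=65536):
    """Stream the file so a large installer is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, record):
    """Return 'ok', 'incomplete' or 'modified'; only 'ok' may be run."""
    size = os.path.getsize(path)
    if size < record["size"]:
        return "incomplete"      # e.g. a mirror serving a partial file
    if size != record["size"]:
        return "modified"
    if hmac.compare_digest(sha256_file(path), record["sha256"]):
        return "ok"
    return "modified"            # same length, different content

def demo():
    """Check a good, a truncated and a tampered copy of constructed bytes."""
    original = b"MZ" + b"constructed installer bytes " * 4096
    record = make_record("Example_1.0.exe", original)
    copies = {"good": original,
              "truncated": original[:len(original) // 2],
              "tampered": original[:100] + b"X" + original[101:]}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, data in copies.items():
            path = os.path.join(d, label + ".exe")
            with open(path, "wb") as f:
                f.write(data)
            results[label] = verify_download(path, record)
    return results

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the record it compares against, which is why the post stresses that the database sits apart from the download servers with separate credentials.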
Thanks, John, for the prompt response. I would feel safer that you and your packagers are packaging these apps in a secure untouched environment every time than to scan the files with any or all of the top 10 antivirus on the market. Even the most sophisticated antivirus on the market will not detect a zero day virus.
I do appreciate that you have already taken an approach to detect the file integrity of your releases and the effective means necessary when it arises. As portable apps are becoming more popular, with your releases being the central hub of it all, I would like to continue using it and still feel safe.
Please put security as a part of your top priority.
As the base app would have to be "imported" in such a safe environment, that action would "compromise" it - there could have been a zero day virus on its download location...
Zero day viruses are one of the lesser risks you have to accept in daily computer usage. There is no such thing as 100% safety, but 99% should do.
Unfortunately, I don't know that any of our publishers take such precautions with their base apps. Everyone I know of is built on connected machines from the small apps to the major ones with 10s of millions of downloads. So, introducing the level of security you mention after the point that a publisher could introduce a zero day wouldn't actually buy you any further safety.
Sometimes, the impossible can become possible, if you're awesome!
If security is your top concern you obviously don't connect your machine to the Internet, that way you are 100% secure. Yet, here you are posting.
Ed
He could be on a public computer.
Even if your router is offline, telnet or even a DDoS attack *if you're determined* is still a possibility.
stupid siggy