Patch Management: Keep an Eye on App Software Updates

November 19, 2021
| |
4 min read

You likely use apps every day, from trivial games to important transactions like your banking. It can be easy to forget to update them. But all of the data flowing through those apps has an impact on security. It’s important to apply software updates and patch management best practices to them.

At the beginning of 2021, Simform reported that the average person had 40 apps installed on their phones and split 89% of their time between 18 of them. Millennials had even more apps installed on their devices at an average of 67. Those respondents spent most of their time on just 25 of them. More than half (58%) of those ‘popular’ apps included social media, gaming and communication, with users turning to maps, finance and other apps on an as-needed basis.

It’s not just the fact that mobile apps are more prevalent on users’ devices. They’re more prolific in general. For instance, Statista found that the total volume of apps on Apple’s App Store reached 2.22 million in the first quarter of 2021 — 6.10% higher than it was the previous quarter. Google’s app marketplace witnessed a 10.60% increase in the volume of apps during the same period, as reported by the market and consumer data company in September. You don’t have to do manual patch management on all of them, but should be aware of how they update.

App Update Business Benefits

The key benefit behind the use of apps is personalization. This logic flows both ways. Consumers who use apps can expect a more convenient and personalized experience than from the same service’s web portal. Businesses can also mine more data from their customers from an app than from a website. Organizations don’t always know what to do with customers’ address books, calendars and other data, noted Marketplace, but collecting that data now gives them the chance to find uses for it later on.

That data collection carries privacy and security risks for users, however. Consumers might not know which pieces of information they’re giving up in using an app. They can use the privacy policy to get an idea, but each privacy policy is different. There are no standards or regulations surrounding them. As a result, it might not always be clear which types of data users are giving to an app — even one with a privacy policy.

As for security, apps can expose users to potential threats. Apps don’t always update on their own, after all. Attackers could use software flaws to access the information handled by those apps. They could also take advantage of app weaknesses to gain access to the devices and/or machines on which they’re installed.

Software Updates to the Rescue

The threats discussed above emphasize the importance of software updates (from the user side) and patch management (from the enterprise side). According to Norton, running software updates helps to prevent malicious actors from taking advantage of operating systems and apps to access sensitive information. This translates into more robust digital security not only for users themselves but also for their social circles. Indeed, attackers have used malicious WhatsApp mods and other device compromises to pass on their threats to other people in a victim’s address book. By keeping software updates in mind, users can reduce the attack surface.

Updates don’t just address security weaknesses, either. They’re also useful for introducing new features and fixing bugs. Some of those updates could therefore allow users to take more granular control of their data privacy or security. Others could help an app to work more seamlessly with an OS update on a user’s device. Failure to update could therefore affect the function of the app and, by extension, a user’s productivity in certain cases.

Software Update and Patch Management Best Practices

Users and organizations alike can make the most of their software updates and patch management by creating an asset inventory. This is the logic behind the Center for Internet Security’s Critical Security Control (CIS Control) 2. Software inventory can identify authorized software, a resource that security professionals can use to inform their efforts. They can subsequently leverage that inventory to remove software that’s unauthorized or unmanaged, thereby helping to reduce the attack surface.

At the same time, organizations can use an updated asset inventory to perform other critical security functions. Those initiatives include using CIS Control 4 to maintain the security configurations of organizations’ assets. To do this, organizations can set a baseline for how their software is expected to behave. They can then monitor that behavior against the baseline. If there’s any unexpected deviation, teams can take action to return the software and the way it behaves to the baseline.

Second, make sure you’re paying attention to patch management for critical software vulnerabilities. All vulnerabilities carry some level of business risk. That’s because different assets hold differing levels of value to the business. Know which of your critical assets could expose sensitive information and handle them first.

Finally, don’t run software updates while connected to untrusted networks. The danger here is that malicious actors could use an untrusted network connection to inject themselves into the update process. From there, they can install malware or profile the victim’s system for follow-up attacks. During this process, follow the U.S. Cybersecurity & Infrastructure Security Agency and use a Virtual Private Network connection to a trusted network before applying the updates.

Make Patch Management a Habit

Software updates and patch management are part of life in the digital age. It’s just like brushing one’s teeth: a regular practice for most people, but what that means differs from person to person. The hygiene is what counts. Indeed, by using the software update best practices discussed above, organizations and users can elevate software updates and patch management from something that might be inconvenient to something that lays the foundation for all security efforts and drives their interests forward.

David Bisson
Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...
read more