App Updates Without a server

I write apps for internal use where I work… We don’t have a server or even an intranet. Each unit has its own wireless router that connects directly to the net and we use Gmail for company email.

The main app uses an encrypted read-only database that I have up on Dropbox. The app automatically checks weekly to see if new versions of the database have been uploaded… If it finds one, it downloads it… The encryption key is hard-coded in the app, copies of which only reside on internal machines. All other config information is in the encrypted database.

Up until now that has been fine… But the response to the POODLE vulnerability has necessitated a new version of the app and distribution of that will be a pain…

I can’t use Gmail to send an executable even if zipped, and I can’t put it on Dropbox and send everyone a URL as that won’t work…

Some here have very little computer savvy (as well as Windows people on Macs and Mac people on Windows), some won’t install a new version on their own for various reasons (priorities etc), and since the encryption key is in the app, I don’t want to make an unencrypted version of the app itself accessible outside the organization for obvious reasons…

So distributing it this time will have to be old fashioned “sneakernet” and I will need to install it myself everywhere. I would like to avoid that in the future if I need to make more changes…

What I am thinking about is encrypting the app (well, actually a 10.6 version, a 10.6+ version and a Windows version) and putting THOSE on Dropbox and:

  1. Have the app check for new APP versions on Dropbox as well as new DB versions

  2. Have the old app decrypt the new version (which would have a different name), then the old app launch the new version (will that cause an issue in Gatekeeper?) and quit

  3. Have the new version check its name; if it’s the temp name, check for the existence of the old one. If it exists, delete it and then rename itself

Is all of that possible on both Mac and Windows?

I think MBS would let me handle the encryption and decryption of the apps, but is there something very secure I can use to encrypt the apps in the Crypto module? I don’t see AES there.

Thanks,

  • karen

Seeing as all the computers have access to the internet to get the new database, why not just do the same thing with new versions of the app and use a helper to do the actual updating so the users just need to click “Update” ?

[quote=142184:@Karen Atkocius]What I am thinking about is encrypting the app (well, actually a 10.6 version, a 10.6+ version and a Windows version) and putting THOSE on Dropbox and:

  1. Have the app check for new APP versions on Dropbox as well as new DB versions

  2. Have the old app decrypt the new version (which would have a different name), then the old app launch the new version (will that cause an issue in Gatekeeper?) and quit

  3. Have the new version check its name; if it’s the temp name, check for the existence of the old one. If it exists, delete it and then rename itself

Is all of that possible on both Mac and Windows?[/quote]
Should work. What I do on Windows is save the new version as MyProgram.update, have the running program rename itself as MyProgram.old, rename the update to MyProgram.exe then execute the update and terminate. Works quite well for standalone web servers.

Why not save all three versions as blob records in the encrypted database then just extract the version you want to install?

That would make way too much data transfer for data updates… BUT I could create a secondary DB just for that… If that will work with SQLite!

Thanks,

  • Karen

Then I would put a record in the data update indicating the current version so when that no longer matches it can check for the software update.

SQLite can handle very large blobs. The default is almost 1GB. http://sqlite.org/limits.html

Here is the code that I have to handle the renaming and launch the new version on Windows.

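[code]' Look for a downloaded update next to the running program
Dim fUpdate As FolderItem = GetFolderItem("").Child("MyProgram.update")

If fUpdate.Exists Then

  Dim fProg As FolderItem = GetFolderItem("").Child("MyProgram.exe")
  Dim fBackup As FolderItem = GetFolderItem("").Child("MyProgram.backup")

  ' Remove the backup left behind by a previous update
  If fBackup.Exists Then
    fBackup.Delete
  End If

  If fProg.Exists Then

    ' Keep the running version as a backup, then move the update into place
    fProg.MoveFileTo(fBackup)
    fUpdate.MoveFileTo(fProg)

    ' Start the new version and end this one
    fProg.Launch
    Quit

  End If

End If[/code]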
In my case I have this code in a timer event and I just upload a new version and the next time the timer event fires the server updates itself.
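An added example, not written by any poster in this thread and in Python rather than Xojo so it runs as-is: the `.update` / `.exe` / `.backup` swap from the post above, gated on an HMAC-SHA256 check of the downloaded file and rolled back if the second rename fails. It assumes the expected tag is published in the encrypted database next to the version record; the function names, the key and the file contents are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

def update_is_authentic(update_path, key, expected_tag_hex):
    """Return True only if HMAC-SHA256(key, file bytes) matches the published tag."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(update_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return hmac.compare_digest(mac.hexdigest(), expected_tag_hex.lower())

def apply_update(app_dir, key, expected_tag_hex, name="MyProgram"):
    """Swap in <name>.update using the .exe/.backup rename scheme from the post.

    Returns "none", "rejected" or "installed"; launching is left to the caller.
    """
    update = os.path.join(app_dir, name + ".update")
    prog = os.path.join(app_dir, name + ".exe")
    backup = os.path.join(app_dir, name + ".backup")
    if not os.path.exists(update):
        return "none"
    if not update_is_authentic(update, key, expected_tag_hex):
        os.remove(update)          # never leave an unverified binary next to the app
        return "rejected"
    os.replace(prog, backup)       # overwrites any older backup
    try:
        os.replace(update, prog)
    except OSError:
        os.replace(backup, prog)   # roll back so the user still has a working app
        raise
    return "installed"

def demo():
    """Constructed sample: a tampered download is rejected, a genuine one installed."""
    key = b"constructed-demo-key"  # placeholder, not a real key
    good = b"new build bytes"
    tag = hmac.new(key, good, hashlib.sha256).hexdigest()
    results = []
    with tempfile.TemporaryDirectory() as d:
        for payload in (good + b"!", good):
            with open(os.path.join(d, "MyProgram.exe"), "wb") as fh:
                fh.write(b"old build bytes")
            with open(os.path.join(d, "MyProgram.update"), "wb") as fh:
                fh.write(payload)
            results.append(apply_update(d, key, tag))
        with open(os.path.join(d, "MyProgram.exe"), "rb") as fh:
            results.append(fh.read())
    return results
```
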

[quote=142184:@Karen Atkocius]I can’t use Gmail to send an executable even if zipped, and I can’t put it on Dropbox and send everyone a URL as that won’t work…
[/quote]

Back in the 80’s we used Binhex to send binaries.

I just zipped an app, then encoded it Base 64. GMail did not object to sending that. Then on arrival decode it, unzip and voilà.

Could you rename the exe file so it didn’t have an .exe extension? Then you can zip it and Gmail it.

Personally I would not put anything with an encryption key in it through Gmail or any other email provider.

That works.

Put the exe as payload in a Word document… I have done that to surpass tight email security.

Our email server checks for .exes in .docs/.pdfs/.zips/etc. and strips them away from the mail message. Anyone trying to pass along an executable in a “file” like that is a malware/virus and must be destroyed.

Rename the exe in exename.doc, store it in a Word doc and I doubt that your email scanner will recognize it. I used to do this in corporate environments. Storing it in a pdf works also.

Our scanners look at the contents of the .doc/.pdf/.zip/etc., not just the name. We have been bitten by that before so they do “deep” inspection of the mail.

Let’s not forget the question is from Karen, whose company apparently chose Gmail, which is not exactly considered the most confidential corporate email server. She may be fine with a guised exe, or using Dropbox as she plans.

Considering the quote below, any of the email options listed above would be a non-starter.

[quote=142517:@Bob Coleman]What I am thinking about is encrypting the app (well, actually a 10.6 version, a 10.6+ version and a Windows version) and putting THOSE on Dropbox and:

  1. Have the app check for new APP versions on Dropbox as well as new DB versions

  2. Have the old app decrypt the new version (which would have a different name), then the old app launch the new version (will that cause an issue in Gatekeeper?) and quit

  3. Have the new version check its name; if it’s the temp name, check for the existence of the old one. If it exists, delete it and then rename itself

Is all of that possible on both Mac and Windows?[/quote]

Yes, what you describe is possible under Mac and Windows. And from what you describe works already, it is only a variation and should not pose a problem with your current users.

Yes, email seems not to be the easiest way to go. The Dropbox encrypted automatic method is way better.