The other day, the JoshMeister blogged about the Mac App Store and the effect of its approval delays in getting critical security updates to users.
Third-party Web browser maker Opera has released version 11.11 of its software, which fixes a "critical" security issue. Mac users who have downloaded Opera through the App Store may find themselves using a copy of Opera that is now two versions old, 11.01, which was released back in March and is vulnerable to the security bug patched in 11.11. Users who rely on the App Store to tell them whether their software is up-to-date may not be aware of the security risks and may continue to use an unsafe version of the Opera browser.
As the app store model becomes more popular on both smartphones and PCs, it's important to explore issues like this. What the JoshMeister doesn't mention is that centralized app markets can also help encourage users to keep software updated. It's much easier to have a single marketplace app, once per day or week, say "here are all the apps that have updates, click to update them all" than to have to manage each app individually. If this encourages users to keep their apps up to date, that's a positive thing for security.
Of course, this model requires two conditions to work effectively from a security standpoint. First, the updates have to be made available to users through the store in a timely fashion. Second, the updates have to be screened to ensure they're not violating the market's standards (e.g., they're not badware). Based on the delays observed with the Opera updates and other submissions to the Mac App Store, it seems that there is some tension between these two conditions. If critical updates for known vulnerabilities take substantially longer to get to users via the store than they would through an app's only automatic update mechanism, something needs to be fixed.
One potential improvement could be to allow vendors to flag certain app updates as containing high priority security fixes. The store could then prioritize those updates for approval. Of course, this could (and probably would) be abused on occasion by vendors trying to rush updates out to users, but I'd like to think such abuse wouldn't be so frequent as to be a major problem.
Another approach would be to prioritize approval of updates based on the popularity of the application. This would ensure that the most widespread apps would get patched more quickly than less used apps. I don't generally like options that give established vendors preferential treatment over new entrants to the market, but experience teaches us that criminals like to target badware at widely installed software.
Of course, the cynical side of me says that Apple and other operators of app markets care more about getting new apps into the market than getting security updates out to users. After all, new apps mean new revenue opportunities, as well as bragging rights. ("We have x apps in our store; our competitors only have y.") On the other hand, just as supermarkets get bad press and lose customers if they fail to take recalled products off the shelves, application stores may find their reputations suffering if users start facing security threats that could have been avoided. Here's hoping this will be enough incentive to get those stores to find solutions to getting critical updates out to users quickly and safely.