I am writing an automatic update client. This is a very simple application, which:
1) Checks the central server to see if an update exists for any application
2) Downloads the installer from the server if a newer version exists
3) Runs the installer
Besides server-side problems (for example, someone hacks our site and hosts a "newer" malicious application), what client-side security issues should I consider when implementing this?
My current ideas:
1) Checksum. Include the checksum in the .xml file and check it for the downloaded file. (Pre or post encryption?)
2) Encrypt the file. Encrypt the file using the private key, and let this program decrypt it using the public key.
Are either or both of them necessary and sufficient? Is there anything else I need to consider?
Please remember that this applies only to problems on the CLIENT SIDE. I have almost no control over the server itself.
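
Added example, not part of the original post: a sketch of idea 1, where the client parses the .xml manifest, compares versions, and accepts the downloaded installer only if its SHA-256 matches the manifest value. The manifest layout, the `download` callback and all names are assumptions, and the check is only as trustworthy as the channel the manifest itself arrived over.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

class UpdateRejected(Exception):
    """Raised when the manifest or the downloaded installer fails a check."""

def parse_manifest(xml_bytes):
    # Hypothetical layout: <update><version/><url/><sha256/></update>
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise UpdateRejected("manifest must not declare a DTD or entities")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise UpdateRejected("manifest is not well-formed XML") from exc
    fields = {name: (root.findtext(name) or "").strip()
              for name in ("version", "url", "sha256")}
    if not re.fullmatch(r"\d+(\.\d+)*", fields["version"]):
        raise UpdateRejected("version must be dotted integers")
    if not re.fullmatch(r"[0-9a-fA-F]{64}", fields["sha256"]):
        raise UpdateRejected("sha256 must be 64 hex characters")
    return fields

def version_tuple(text):
    # "1.10.0" -> (1, 10, 0), so 1.10 compares newer than 1.9
    return tuple(int(part) for part in text.split("."))

def checksum_matches(installer_bytes, expected_hex):
    actual = hashlib.sha256(installer_bytes).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())

def fetch_verified_update(manifest_xml, installed_version, download):
    # `download` is a caller-supplied function url -> bytes (an assumption,
    # so the example runs offline). Returns None when no update is offered.
    manifest = parse_manifest(manifest_xml)
    if version_tuple(manifest["version"]) <= version_tuple(installed_version):
        return None  # same or older version is never installed
    installer = download(manifest["url"])
    if not checksum_matches(installer, manifest["sha256"]):
        raise UpdateRejected("installer checksum does not match manifest")
    return installer  # only now may it be written to disk and run

# Constructed sample data, not from the original post.
SAMPLE_INSTALLER = b"constructed installer payload"
SAMPLE_MANIFEST = (
    "<update><version>1.10.0</version>"
    "<url>https://updates.example.invalid/app-1.10.0.exe</url>"
    "<sha256>%s</sha256></update>" % hashlib.sha256(SAMPLE_INSTALLER).hexdigest()
).encode()
```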