Skip to main content

Securely Distributing Software Updates to Users

You've developed and tested a crucial security update for your app or game. Now, how do you get it to your users safely? The Cyber Resilience Act (CRA) mandates that you "provide for mechanisms to securely distribute updates" (Annex I, Part II, point (7)). This is vital because a compromised update mechanism can be a goldmine for attackers.

Why Secure Distribution Matters

If an attacker can intercept or tamper with your software updates, they could:

  • Prevent users from receiving legitimate security fixes.
  • Distribute malware disguised as an update from you.
  • Roll back your software to a vulnerable version.

Mechanisms for Secure Distribution

For most apps and games, common secure distribution channels include:

  • Official App Stores (iOS, Android, etc.): These platforms have their own secure update mechanisms, which largely fulfill this requirement for mobile apps and games.
  • Platform-Managed Updates (Steam, Epic Games Store, Consoles): Similar to app stores, these game distribution platforms handle secure update delivery.
  • In-App/Software Auto-Updaters: If your desktop software or game engine has a built-in updater, it must be secure. This means:
    • Using HTTPS: All update checks and downloads must be over encrypted channels.
    • Code Signing: Updates should be digitally signed by you. The software should verify this signature before installing to ensure authenticity and integrity (that it genuinely came from you and hasn't been tampered with).
  • Secure Download Locations: If users download updates manually from your website, ensure the site uses HTTPS and that downloads are, again, digitally signed with clear instructions on how users can verify the signature.

Annex I, Part I, point (2c), also mentions that products should, where applicable, have "automatic security updates... enabled as a default setting, with a clear and easy-to-use opt-out mechanism". Recital 56 echoes this for consumer products.

Key Takeway

The CRA requires you to use secure mechanisms to distribute software updates, protecting their authenticity and integrity. For many apps and games, leveraging official app stores or platform services helps, but custom updaters must be robustly secured with encryption and digital signatures.