Sensitive data is often stored on mobile devices, and this data is sometimes encrypted. The encryption is usually implemented in software and hardcoded into the application that holds the data. If that software security mechanism is breached, every end user of the same software is exposed to the same attack, because every installed copy of the software relies on the same security mechanism.
Push technology (also known as a “server push”) is a type of Internet-based communication where the request for a given transaction is initiated by a “publisher” or server. It is contrasted with pull technology where the request for transmission of information is initiated by a receiving device or “client.”
Push services are sometimes based upon information preferences expressed in advance. This is referred to as a “publish/subscribe” model. For example, a client might subscribe to one or more information “channels.” The server associated with the channels can then push information to the client when new content becomes available.
There are many types of push services. For example, synchronous conferencing and instant messaging are forms of push services. Increasingly popular are push-enabled web applications, including market data distribution (e.g. stock tickers), online chat/messaging systems (e.g. “webchat”), auctions, online betting and gambling, sports results, monitoring consoles and sensor network monitoring.
There are also hybrid push/pull systems. For example, email begins as a push system in that the SMTP protocol upon which it is based is a push protocol. However, the last step in the delivery of an email, e.g. from a mail server to a desktop computer, typically uses a pull protocol such as POP3 or IMAP.
Security updates are a common feature of applications residing on the client. Some applications, such as anti-virus applications, are updated on a daily or weekly basis. Other applications, and here we refer mainly to software applications for mobile devices (“mobile apps” or “apps”), are updated on an as-needed basis. For example, an email app or a banking app may be updated only once every few months. These updates can include new features, a revamped GUI, fixes for software bugs and security updates.
With a software ‘patch’ or update, in most circumstances the whole program is replaced. For example, the operation may proceed as follows: (1) request updates; (2) download the updated files; and (3) replace the current files with the newly downloaded files.
The details of how this operation is carried out may vary. For example, it may not be possible to delete the executable file of a running process, so some form of workaround may be needed (e.g. running the updater as a separate program rather than as part of the main application, or writing the new file alongside the old one and renaming it into place). It may also be possible to transfer and apply only the actual changes between the old file and the new file (a delta or differential patch), instead of downloading the whole file.
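The three-step client-initiated flow above, together with the two workarounds it mentions (applying only the changes between old and new file, and replacing a file that may still be in use by renaming a fresh copy over it), as an added example that is not part of the original text. The in-memory `UpdateServer`, the version numbers, the `app.bin` file name, the hypothetical hardcoded key string in the sample payload, and the SHA-256 digest check on the downloaded result are all assumptions introduced here for illustration; the digest check is a practitioner's addition and is not described in the text.

```python
"""Client-initiated update: (1) request, (2) download full file or delta, (3) replace.

Constructed example. The server is an in-memory stub that only ever answers
client requests, i.e. the pull model described in the text.
"""
import difflib
import hashlib
import os
import tempfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_delta(old: bytes, new: bytes) -> list:
    """Edit script turning old into new: ("copy", i1, i2) reuses old[i1:i2],
    ("emit", chunk) inserts bytes taken from the new file."""
    sm = difflib.SequenceMatcher(None, old, new, autojunk=False)
    ops = []
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            ops.append(("copy", i1, i2))
        else:  # replace / delete / insert all reduce to "emit what new has here"
            ops.append(("emit", new[j1:j2]))
    return ops


def apply_delta(old: bytes, ops: list) -> bytes:
    """Rebuild the new file from the old file plus the edit script."""
    out = bytearray()
    for op in ops:
        if op[0] == "copy":
            out += old[op[1]:op[2]]
        else:
            out += op[1]
    return bytes(out)


class UpdateServer:
    """Stub server (assumption): knows every released version's bytes."""

    def __init__(self, releases: dict):
        self.releases = releases                       # {version: payload}
        self.latest = max(releases)

    def check(self, client_version: int):
        """Step 1: the client asks; the server never initiates contact."""
        if client_version >= self.latest:
            return None
        return {"version": self.latest, "sha256": sha256(self.releases[self.latest])}

    def download(self, client_version: int) -> dict:
        """Step 2: a delta if the client's version is known, else the full file."""
        new = self.releases[self.latest]
        if client_version in self.releases:
            return {"delta": make_delta(self.releases[client_version], new)}
        return {"full": new}


def install_update(path: str, server: UpdateServer, current_version: int) -> int:
    """Run steps 1-3 on the client; return the version now installed."""
    info = server.check(current_version)
    if info is None:
        return current_version                         # nothing offered
    with open(path, "rb") as f:
        old = f.read()
    resp = server.download(current_version)
    new = resp["full"] if "full" in resp else apply_delta(old, resp["delta"])
    # Integrity check (assumption, not in the text): refuse a result whose
    # digest differs from what the update check advertised.
    if sha256(new) != info["sha256"]:
        raise ValueError("downloaded update does not match advertised digest")
    # Step 3: do not delete/overwrite the possibly-running file in place; write
    # next to it and rename over it, which is atomic on POSIX (os.replace).
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "wb") as f:
        f.write(new)
    os.replace(tmp, path)
    return info["version"]


def demo() -> dict:
    """Constructed scenario: v2 rotates a hardcoded key baked into every copy of v1."""
    v1 = b"app v1: encrypt(data, KEY=0xDEADBEEF)\n" * 20   # hypothetical payload
    v2 = v1.replace(b"0xDEADBEEF", b"0xC0FFEE42")
    server = UpdateServer({1: v1, 2: v2})
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.bin")
        with open(path, "wb") as f:
            f.write(v1)
        version = install_update(path, server, 1)
        with open(path, "rb") as f:
            installed = f.read()
    delta_bytes = sum(len(op[1]) for op in make_delta(v1, v2) if op[0] == "emit")
    return {"version": version, "ok": installed == v2,
            "delta_bytes": delta_bytes, "full_bytes": len(v2)}


if __name__ == "__main__":
    print(demo())
```

Note that nothing in this flow runs until the client calls `install_update`: until every installed copy has done so, the old payload (and whatever it hardcodes) remains in use on that device.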
There are many different ways to implement a patch or update, but across all the variations the same basic method is followed: the update process is initiated by the client. The server may send a notification that an update is available, but the client must request the update or approve the offered update. It is well known that many users ignore such update notifications, at least for some period of time.
An attacker can exploit the window between the time the security mechanism or encryption is compromised and the time the next update is issued and, more importantly, installed on the client device.