Apple, Microsoft to leap on app auto-update bandwagon

Fall updates to iOS, OS X and Windows will automate app patching, another step in removing responsibilities from users

By this fall, Apple and Microsoft will have followed in the footsteps of Google to automatically update apps on their mobile and desktop platforms, another step in the trend to take security out of users' hands.

"This is one of the best things we've seen in security in the last decade," argued Andrew Storms, senior director of development and operations at San Francisco-based CloudPassage. "Historically, we've always relied on the end user to update, and praying that they do so. Auto-updating means that the moment [a new version] is released, the majority has the most secure code available installed."

Google's Android and Chrome OS -- the latter based on the Chrome browser -- automatically update installed apps, silently and in the background, without bothering the user.

Both Apple and Microsoft will mimic Google later this year, when the former ships OS X Mavericks for the Mac and iOS 7 for the iPhone and iPad. Microsoft, too, has committed to app auto-updates, a feature that will debut in Windows 8.1 this fall.

On Windows and OS X, the new approach to app updating applies to just parts of their software ecosystems.

Only Windows Store apps -- those the company calls "Modern" but which many still dub "Metro" -- will auto-update. Older, traditional Windows apps, those that run on the old-school desktop -- will not.

OS X Mavericks is in the same boat: Only apps downloaded and installed through the Mac App Store will update hands-off. Software acquired through other channels -- downloads direct from the developer, for example -- will remain the user's responsibility.

Although legacy applications on Windows and OS X are out of the auto-update loop for now, many applications offer their own auto-updates. And third-party patch managers for enterprises and consumers -- an example of the latter for Windows is Secunia's Personal Software Inspector (PSI) -- are available to fill the gaps.

"The question becomes, how much more can be automated?" said Morten Stengaard, the CTO of Secunia. "Frankly, the more automation the better, because we cannot keep up with all the patches available."

This fall's roll-out of app auto-updating on Windows, OS X and iOS 7 is only the latest in a continuum of similar moves over the years to remove the weak link -- the user -- from the equation, Storms noted.

"What we're seeing is the operating system [makers] putting a stake in the ground, that moving forward, this is the best way to go," said Storms.

Operating systems like Android, Chrome OS, iOS, OS X and Windows have long offered either partial (as in the case of iOS and OS X) or complete (Android, Chrome OS, Windows) auto-updates to provide patches; the Chrome and Firefox browsers have gone to fully-silent updates; Microsoft has enforced auto-upgrades to its Internet Explorer (IE) browser; and the most popular plug-ins and add-ons, such as Adobe's Flash and Oracle's Java, have shifted to a more hands-free model.

Not everyone's enamored by auto-updating. At each point in the years-long trend some have bemoaned the loss of control, arguing that because they own the hardware, they should have the final say over what's dropped on their devices.

"I'd say that that is still a majority of users," said Stengaard. "Most still want to have control."

In most cases, including Windows 8.1 and OS X Mavericks, app auto-update, while switched on by default, can be disabled by the user.

Going forward, Stengaard expects to see a push, at least on Microsoft's part, to assume even more of the burden. "I'd be very surprised if, in three to five years, Microsoft doesn't take over complete responsibility for updating everything on the operating system, at least for consumers," Stengaard said.

"It's good that Microsoft is going in this direction, and certainly what most expect," he added.

This article, Apple, Microsoft to leap on app auto-update bandwagon, was originally published at

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is

See more by Gregg Keizer on

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags AppleGoogleMicrosoftsecurityWindowssoftwareMac OS Xoperating systems

More about Adobe SystemsAndrew Corporation (Australia)AppleGoogleMicrosoftOraclePSISecuniaTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place