App store update checks

Hello, I was just thinking the other day about how updates to apps on the app hub are accepted without review (because of course it would be far too much effort for the team to review new and updated apps each time, and annoying for developers to have to wait for approval on app updates).

But I was wondering what there is in place to prevent someone uploading a legitimate app, then later pushing an update which includes malicious code?

4 Likes

Hi @plinnegan - great question!

We do review all applications when they are first uploaded to the App Hub. We review functionality, general applicability, performance and security; however, we aren’t able to do a full certification for every app uploaded, so we don’t make any direct guarantees. The source code should be available for all App Hub applications, and so it is currently the responsibility of system administrators to audit and validate their software supply chain.

When it comes to application updates the situation is the same - as you mentioned, we don’t have the capacity to perform full certifications of initial updates let alone subsequent updates. The source code availability again helps here, as the changes made should be available to the system administrator again.

We are working on mechanisms to enhance application security at the platform level, which will hopefully support granular per-app permissions (similar to when you install a GitHub application) and sandbox code execution environments. However this is still a bit in the future - if you have particular concerns or ideas about how we can help enhance security in the DHIS2 app ecosystem please let me know, I’d love to get your input!

3 Likes

Hi Austin,

Thanks for the detailed answer! Makes sense that it’s up to the sys admins to review any apps before importing them.
I guess the issue with the source code links is that there is no way to guarantee that’s where the app is coming from? (Unless there is and I am just not aware). As on the app hub you just upload a zip file that could have come from anywhere for the updates. One idea (probably impractical) would be to use the source code link in the app hub, and then have the app hub build from that, then you can be a bit more confident that’s where the app is coming from.

2 Likes

@plinnegan yes, this is an astute observation! We’ve also looked into mechanisms for codesigning, GitHub Actions integrations, or building apps from source to ensure that what’s built matches the source.

Because apps are all JavaScript, HTML, and CSS, it’s also possible to inspect the .zip file contents itself to check that it matches what is built from source. There are clearly tradeoffs in terms of security and effort required when doing this for all updates, though.

3 Likes
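The check described in the two replies above (build the app from the linked source yourself, then confirm the uploaded .zip contains exactly those files) can be automated by a system administrator before importing an update. The following is an added example written for this thread; it is not code from DHIS2, the App Hub, or either poster. It hashes every file in a local build directory and every entry in the uploaded zip, then reports files that are missing, extra, or modified. The build directory layout and file contents in `make_demo_fixture` are constructed sample data, not a real app.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_build_dir(build_dir: Path) -> dict:
    """Map each file under the locally built output (relative POSIX path) to its SHA-256."""
    digests = {}
    for path in sorted(build_dir.rglob("*")):
        if path.is_file():
            rel = path.relative_to(build_dir).as_posix()
            digests[rel] = sha256_bytes(path.read_bytes())
    return digests


def hash_zip(zip_path: Path) -> dict:
    """Map each file entry in the uploaded .zip to its SHA-256 (directory entries skipped)."""
    digests = {}
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = sha256_bytes(zf.read(info))
    return digests


def compare_zip_to_build(zip_path, build_dir) -> dict:
    """Compare an uploaded app bundle against a local build of the published source.

    Returns a report with three lists; `match` is True only when all three are empty.
    An entry in `extra` (a file not produced by the source build) or `mismatched`
    (same path, different content) is exactly the kind of divergence the thread
    is worried about and should block the import until explained.
    """
    uploaded = hash_zip(Path(zip_path))
    built = hash_build_dir(Path(build_dir))
    missing = sorted(set(built) - set(uploaded))
    extra = sorted(set(uploaded) - set(built))
    mismatched = sorted(f for f in set(built) & set(uploaded) if built[f] != uploaded[f])
    return {
        "match": not (missing or extra or mismatched),
        "missing": missing,
        "extra": extra,
        "mismatched": mismatched,
    }


def make_demo_fixture() -> dict:
    """Construct a throwaway build directory plus a clean and a tampered zip (sample data)."""
    root = Path(tempfile.mkdtemp(prefix="apphub-demo-"))
    build_dir = root / "build"
    files = {
        "manifest.webapp": b'{"name": "demo-app", "version": "1.0.1"}\n',
        "index.html": b"<!doctype html><script src=\"static/app.js\"></script>\n",
        "static/app.js": b"console.log('hello from the built app');\n",
    }
    for rel, content in files.items():
        target = build_dir / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)

    # Clean bundle: exactly what the source build produced.
    clean_zip = root / "clean.zip"
    with zipfile.ZipFile(clean_zip, "w") as zf:
        for rel in files:
            zf.write(build_dir / rel, arcname=rel)

    # Tampered bundle: one file altered and one file added that the source never built.
    tampered_zip = root / "tampered.zip"
    with zipfile.ZipFile(tampered_zip, "w") as zf:
        for rel, content in files.items():
            if rel == "static/app.js":
                content = content + b"// constructed sample of an unexpected change\n"
            zf.writestr(rel, content)
        zf.writestr("static/extra.js", b"// constructed sample of a file not in the source build\n")

    return {"build_dir": build_dir, "clean_zip": clean_zip, "tampered_zip": tampered_zip}


if __name__ == "__main__":
    fx = make_demo_fixture()
    print("clean   :", compare_zip_to_build(fx["clean_zip"], fx["build_dir"]))
    print("tampered:", compare_zip_to_build(fx["tampered_zip"], fx["build_dir"]))
```

In practice `build_dir` would be the output of running the app's own build from the commit the App Hub source link points to, and the report is only as trustworthy as that build is reproducible: if the toolchain emits timestamps or hashed bundle names, expect some `mismatched` entries and compare those files by hand.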

Very nice question and conversation. Thanks @plinnegan and @austin! (: