Sparkle Vulnerability: Who’s in Danger and What to Do

We’ve been mildly avalanched with our customers’ questions about the recent Sparkle vulnerability issue. Before we get any deeper into the subject, we’d like to assure all DevMate users — you are completely safe. DevMate meets all ATS requirements and is fully protected from man-in-the-middle attacks.

Now, to the trouble itself. As security researcher Radek discovered in late January, apps using certain versions of Sparkle can be hijacked. For app developers, the issue lies in using both a vulnerable version of the framework and the unencrypted HTTP protocol. This security gap allows malicious code to be delivered to end users.

A whole series of popular apps have been found to be affected, including uTorrent, Camtasia, and even Sketch. Naturally, the news was picked up quickly, causing a scare among users and Mac devs. We recommend declining all update requests from any apps and contacting their support to see if the problem has been fixed by now.

If you’re a Mac developer using Sparkle and looking to secure your app:

  1. Make sure you’ve implemented the HTTPS protocol.
  2. Update Sparkle to the latest fixed version.
  3. Roll out your updated app version to your users.
  4. Try the DevMate platform instead of using Sparkle on your own: it’s much safer and keeps you protected from issues like this.
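
One way to check steps 1 and 2 on a built app bundle, as an added example (not DevMate's or Sparkle's own code): it assumes the update feed is declared under Sparkle's `SUFeedURL` key in `Info.plist`, flags a non-HTTPS feed and any App Transport Security exemptions, and reports the bundled Sparkle version so you can compare it against the fixed release named in Sparkle's release notes. The sample plist and the `/Applications` scan path are constructed for illustration.

```python
import plistlib
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample Info.plist (not from a real app) for an offline check.
SAMPLE = plistlib.dumps({
    "SUFeedURL": "http://updates.example.com/appcast.xml",
    "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True},
})

def audit_info_plist(info):
    """Return a list of findings for one app's parsed Info.plist."""
    findings = []
    feed = info.get("SUFeedURL")
    if feed is None:
        # Assumption: feed lives in Info.plist; apps may also set it in code.
        findings.append("no SUFeedURL in Info.plist (check how the feed is set)")
    elif urlparse(str(feed)).scheme.lower() != "https":
        findings.append(f"update feed is not HTTPS: {feed}")
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("ATS disabled globally (NSAllowsArbitraryLoads)")
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"ATS exception allows HTTP for {domain}")
    return findings

def audit_app(app):
    """Audit one .app bundle; return None if it does not embed Sparkle."""
    app = Path(app)
    framework = app / "Contents/Frameworks/Sparkle.framework"
    if not framework.is_dir():
        return None
    with open(app / "Contents/Info.plist", "rb") as f:
        info = plistlib.load(f)  # handles both XML and binary plists
    version = None
    fw_plist = framework / "Resources/Info.plist"
    if fw_plist.is_file():
        with open(fw_plist, "rb") as f:
            version = plistlib.load(f).get("CFBundleShortVersionString")
    return {"app": app.name, "sparkle_version": version,
            "findings": audit_info_plist(info)}

if __name__ == "__main__":
    for bundle in sorted(Path("/Applications").glob("*.app")):
        report = audit_app(bundle)
        if report:
            print(report)
```

An empty `findings` list only means the declared feed and ATS settings look right; the reported Sparkle version still has to be checked against the fixed release by hand.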