Call it what you want – code pushing, hot patching – but the concept is the same: a framework that allows apps to be updated by developers AFTER download.
I think we can agree the goal is sound – reduce bugs and crashes. But is this concept – let’s call it a “Live Update Service” safe? If not, can it be made safe? We have a proposal for you.
Please hear us out!
How we got to this point
Historically, delivering a bug fix to iOS end users has required pushing a new version of that app through the App Store approval process. While to your credit, Apple has greatly reduced the time this takes, every minute can be crucial when critical bugs or vulnerabilities need to be addressed. Even 24 hours can be too long to wait. Buggy apps hurt everyone – app developers and end users alike.
This is why Live Update Services such as Rollout and Microsoft’s CodePush were created. Both allow app developers to push bug fixes or minor modifications to end users immediately. Rollout works with Obj-C / Swift apps and CodePush works with Cordova and React Native apps.
Today, thousands of apps used by billions of people, including some of the most popular apps available, rely on Live Update Services to ensure bugs are squashed and vulnerabilities are closed within minutes of their discovery.
This has been the status quo for several years.
A new chapter begins
Last week you began contacting developers, warning them that any framework or “code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval” is no longer in compliance with its guidelines. Here is the full email and our initial response.
Your letter stated: “Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.”
We believe you have a point! Developers need a way to quickly update their apps to fix bugs and close vulnerabilities – without exposing end-users to additional security risks. And end-users want apps they can trust.
You have been doing a commendable job of ensuring iOS users are provided with a safe, secure and private user experience. Before an app can be downloaded from the App Store and run, it goes through an extremely secure process of signatures and security checks, which you control.
While Rollout and others have protocols in place to prevent MiTM attacks, the fact remains: you cannot ensure the same level of security for solutions that bypass the App Store and directly modify live apps.
That is why we are proposing the following solution for all apps that load JS at runtime, which meets the need of developers to fix issues instantly, while also providing security that is controlled and set by Apple.
We at Rollout believe this solution will address your concerns. We sincerely hope it will be adopted by Apple, SDK companies, and app developers.
The Solution is Simple
Just as full releases require a distribution certificate, developers will obtain a “Live Update Service Certificate” from Apple.
- A developer obtains a “Live Update Service Certificate” from Apple.
- Apple verifies the code was signed with a valid certificate
- Apple examines the code with its code analyzer and approves it..
- Apple strips the existing certificate and re-signs the code with Apple’s own certificate.
- The newly signed code is sent back to the developer.
All these steps can and should be done without human intervention
- The developer sends Apple’s signature to the Live Update Service.
- The Live Update Service sends the both the code and signature to live devices.
- iOS framework authenticates that the code was indeed signed by Apple using their public key.
The Benefits are Clear
- Developers able to use third party vendors like Rollout, Microsoft CodePush and others to fix production issues in real time.
- Apple or the developer can revoke the “Live Update Service Certificate” at any time.
- Apple can examine and analyze all JS code that is pushed (just as in the full app version approval process) and reject it if needed.
- The entire flow is automatic and fast – after all, if it wasn’t, it would defeat the purpose!
We are realistic. We don’t expect you to implement a solution like this immediately. However, we do urge you to consider the benefits of this approach. We at Rollout are committed to partnering with you and with developers to deliver a safe, bug free experience to all.
Co-founder and CTO of Rollout.io