Security

Rollout was designed from the ground up to have the strictest security guidelines, from the first step of creating a patch, to the final step of applying a patch on the user’s device.

Technical information about Rollout’s security can be found on our security page.
Enterprise customers can read more about security for on-premise customers.

Creating a Patch

  • Step 1: Configure the Patch
    The app developer configures a patch in Rollout’s dashboard.

  • Step 2: Sign the Patch
    The patch file is signed with Rollout's 2048-bit RSA private key.

  • Step 3: Signed Patch is Stored in the Cloud
    The signed patch is stored on secure servers in Amazon’s data centers.


The Patch is Deployed

When the app is started or when it enters the foreground, the SDK fetches the patch over a secure connection from Rollout’s backend.

The SDK then validates the signature and only applies a patch if the signature is valid. If the patch isn’t signed correctly, the SDK will reject it.
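The verify-then-apply check described above, as an added example in Node.js (not Rollout's SDK code). The key pair, the JSON patch format and the names `signPatch`, `applyIfValid` and `demo` are assumptions for illustration, as is the choice of RSASSA-PKCS1-v1_5 with SHA-256, since the page only states 2048-bit RSA.

```javascript
const crypto = require('node:crypto');

// Signer side: sign the exact bytes of the patch file.
// Assumption: PKCS#1 v1.5 padding with SHA-256 (the page does not name the scheme).
function signPatch(patchBytes, privateKey) {
  return crypto.sign('sha256', patchBytes, privateKey);
}

// Client side: verify over the raw bytes first, parse only after the check passes.
function applyIfValid(patchBytes, signature, pinnedPublicKey) {
  if (!Buffer.isBuffer(signature) || signature.length === 0) {
    return { applied: false, reason: 'missing signature' };
  }
  let ok = false;
  try {
    ok = crypto.verify('sha256', patchBytes, pinnedPublicKey, signature);
  } catch (err) {
    ok = false; // malformed key or signature counts as a rejection
  }
  if (!ok) return { applied: false, reason: 'bad signature' };
  return { applied: true, patch: JSON.parse(patchBytes.toString('utf8')) };
}

function demo() {
  // Constructed stand-ins: the vendor key pair and an unrelated key pair.
  const opts = { modulusLength: 2048 };
  const vendor = crypto.generateKeyPairSync('rsa', opts);
  const other = crypto.generateKeyPairSync('rsa', opts);

  // Constructed sample patch; the field names are hypothetical.
  const patch = Buffer.from('{"target":"exampleMethod","script":"return 42;"}');
  const sig = signPatch(patch, vendor.privateKey);
  const altered = Buffer.from(patch.toString().replace('42', '43'));

  return {
    valid: applyIfValid(patch, sig, vendor.publicKey),
    // Bytes changed after signing: the signature no longer matches.
    tampered: applyIfValid(altered, sig, vendor.publicKey),
    // Signed with a key other than the one pinned in the app.
    forged: applyIfValid(patch, signPatch(patch, other.privateKey), vendor.publicKey),
    unsigned: applyIfValid(patch, Buffer.alloc(0), vendor.publicKey),
  };
}

console.log(demo());
```

Only the public key needs to be embedded in the app; the check is useful because the signing key stays with the signer and the transport (SSL) is not the only thing vouching for the patch.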





Frequently Asked Questions

 

Does Rollout comply with Apple’s Guidelines?
Yes. As per Apple’s official guidelines, Rollout.io does NOT alter binaries. Rollout uses JavaScriptCore to add logic to your patches. For more details, check out how Rollout is compliant with App Store guidelines.
With over 37 million devices already running our SDK, it is safe to say that Rollout is completely aligned with Apple’s development and App Store guidelines.

Will Rollout impact my app’s performance?
No. We built Rollout with performance in mind. We took extra precautions to make sure there are no performance penalties for using our SDK. Our SDK is asynchronous, so there is no impact to startup performance. Furthermore, when you apply a patch to a certain function, we only change the runtime (Swizzle) of that function. With regards to file size, the overall app size increase shouldn’t be more than 1-2M. Having said that, we are constantly working to reduce the footprint of our SDK.

Will Rollout compromise my app’s security?
No. From day one, Rollout has been designed and built following strict security guidelines. All communication is encrypted (SSL) and app updates are signed using 2048-bit RSA keys (private and public). In addition, Rollout allows you to remotely disable the SDK from your own code. The SDK does not change your app’s runtime unless you have added a patch to a method; and even then, only the specific method runtime is changed. We already have a few more security features in the pipeline:

  • Two-Factor authentication
  • Audit logs

Will Rollout affect my app’s normal networking requests?
No. While your app is in production, Rollout only makes one request every time your application is launched or goes into the foreground. The data that is retrieved is small – about 1KB.