27 comments

[ 4.7 ms ] story [ 64.7 ms ] thread
Very interesting. I'll give it a try when I get a chance. However the limiting factor for a lot of people would be as described in the last section:

According to the Google Play Developer Program Policies (http://play.google.com/about/developer-content-policy.html), "An app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play's update mechanism."

This means that Evolve CANNOT be used in apps on Google Play.

Evolve is targeted towards apps not on Google Play and Beta tests. Some of its intended use cases are enterprise apps (fix security holes without bugging all your employees) and beta tests (push updates to beta testers instead of waiting for them to download it).

Had the chance to see this at PennApps and was very impressed with how seamless the whole thing was on the user side. Hope this project picks up some steam because I really think android would benefit greatly from such an easy update system like this.
This isn't new. It has been known that you can do this for a long while. Doing so however will get you permanently banned from the Google Play store. It can get you black listed from Adsense. Not worth the risks unless you are an app distributed by side loading because you don't qualify for the play store. [porn, gambling, etc.]
Bitwse, if you see this, you've been hellbanned for almost 2 years. Which is too bad, since you've been posting decent comments the whole time.
OT: How hard is it to determine if you've been hellbanned?
Create a new accout. Turn on "show dead". Check a post made from your usual account. Is it dead?
Seems fairly straightforward to automate "Am I dead?" checking .
They don't take IP addresses into consideration?
first you need to become suspicious. that's the hard part. then just use a different browser to (not) see your recent posts. it's really hostile...
This is a terrible idea, especially as used as in the examples in the comments. You think enterprise apps would fix security holes using an updater that grabs arbitrary code off the internet using http, and does no signature validation whatsoever?
It does do signature validation. https://github.com/VivekPanyam/EvolveWrapper/blob/master/src...

The user can use HTTPS if they want to; just put in the appropriate URL. I updated the example to reflect that.

Signature validation should not be an optional thing that gets done if people choose to do so. Any sane updater library will mandate it in the library, and force users to jump through hoops to turn it off.
Hmm. From my understanding, PackageInfo.signature is an Array of public keys used to Sign the app. Not sure of comparing the public keys can be considered as signature verification.
This is just proof of concept, nothing new for those old enough and not usable in real applications.
Congrats! Seems like a great way to show your friends your app when starting off
As someone who is new to this side of Android, I find this proof of concept intriguing and incredibly educational. While it is certainly true that potential security problems may arise from implementing something like this in your app, it is good to know that the developer is working hard to iron some of the problems out. For me, the value in this concept lies in the provided insight of seeing an app being significantly updated in such a short span of time with absolutely no interruption to the user.

On another note: lets keep in mind the fact that this was built within 24 hours by a motivated young student at a recent collegiate hackathon (I was there to see the presentation). It is, after all, a great hack that really shows the spirit of hacking.

I wish the firefox nightly app would use something like this

I enjoy testing out "fun" (sometimes buggy) features, but I hate going through the update dialog EVERY DAY.

Odd, Firefox does have a silent updater nowadays. Have you checked if it's running?
Firefox android? Maybe it just works so well I didn't notice it was working at all....
Hey, nice job. I was impressed by this at Pennapps, cool that you did it in such a short amount of time (even if it's been possible for a long time)
Is this what the app by Pokerstars uses? The app is not available in the Play Store due to the gambling nature of the app, but it checks for updates itself when opened.
Anyone knows how does Google detect that an app is trying to download and run code remotely? Is it an automatic process done by Google? For example, if I use this library but don't ever download new code - so that it's not really used - will it come up on their radar somehow?

Thanks