Very interesting. I'll give it a try when I get a chance.
However the limiting factor for a lot of people would be as described in the last section:
According to the Google Play Developer Program Policies (http://play.google.com/about/developer-content-policy.html), "An app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play's update mechanism."
This means that Evolve CANNOT be used in apps on Google Play.
Evolve is targeted towards apps not on Google Play and Beta tests. Some of its intended use cases are enterprise apps (fix security holes without bugging all your employees) and beta tests (push updates to beta testers instead of waiting for them to download it).
Had the chance to see this at PennApps and was very impressed with how seamless the whole thing was on the user side. Hope this project picks up some steam because I really think android would benefit greatly from such an easy update system like this.
This isn't new. It has been known that you can do this for a long while. Doing so however will get you permanently banned from the Google Play store. It can get you black listed from Adsense. Not worth the risks unless you are an app distributed by side loading because you don't qualify for the play store. [porn, gambling, etc.]
This is a terrible idea, especially as used as in the examples in the comments. You think enterprise apps would fix security holes using an updater that grabs arbitrary code off the internet using http, and does no signature validation whatsoever?
Signature validation should not be an optional thing that gets done if people choose to do so. Any sane updater library will mandate it in the library, and force users to jump through hoops to turn it off.
Hmm. From my understanding, PackageInfo.signature is an Array of public keys used to Sign the app. Not sure of comparing the public keys can be considered as signature verification.
As someone who is new to this side of Android, I find this proof of concept intriguing and incredibly educational. While it is certainly true that potential security problems may arise from implementing something like this in your app, it is good to know that the developer is working hard to iron some of the problems out. For me, the value in this concept lies in the provided insight of seeing an app being significantly updated in such a short span of time with absolutely no interruption to the user.
On another note: lets keep in mind the fact that this was built within 24 hours by a motivated young student at a recent collegiate hackathon (I was there to see the presentation). It is, after all, a great hack that really shows the spirit of hacking.
An app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play's update mechanism.
This is ridiculous, Google Play Services does exactly that.
Is this what the app by Pokerstars uses? The app is not available in the Play Store due to the gambling nature of the app, but it checks for updates itself when opened.
Anyone knows how does Google detect that an app is trying to download and run code remotely? Is it an automatic process done by Google?
For example, if I use this library but don't ever download new code - so that it's not really used - will it come up on their radar somehow?
27 comments
[ 4.7 ms ] story [ 64.7 ms ] threadAccording to the Google Play Developer Program Policies (http://play.google.com/about/developer-content-policy.html), "An app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play's update mechanism."
This means that Evolve CANNOT be used in apps on Google Play.
Evolve is targeted towards apps not on Google Play and Beta tests. Some of its intended use cases are enterprise apps (fix security holes without bugging all your employees) and beta tests (push updates to beta testers instead of waiting for them to download it).
https://news.ycombinator.com/item?id=7261583
..and thank you for updating the readme to be more explicit.
The user can use HTTPS if they want to; just put in the appropriate URL. I updated the example to reflect that.
On another note: lets keep in mind the fact that this was built within 24 hours by a motivated young student at a recent collegiate hackathon (I was there to see the presentation). It is, after all, a great hack that really shows the spirit of hacking.
I enjoy testing out "fun" (sometimes buggy) features, but I hate going through the update dialog EVERY DAY.
This is ridiculous, Google Play Services does exactly that.
Why the down vote?
Thanks