Hot code push

This is really great, but I was concerned about one thing: if you can modify the code and store it, wouldn't it be editable for hacks, the kind that give you infinite lives on Candy Crush, etc.?

So, talking about security, it seems like it would make your app really not safe, unless you only cache in memory and download again every time you use the app (only in the meantime before the store accepts your app submission and the user finally downloads it).

He wouldn't even need to do some sort of SQL injection to make your page full of bugs; he would just have to change the new files, since it's not yet built and it's only data. He would only need to do this on the local page…

Or is there anything I'm missing?

1 Like

Hi

Regarding your security concerns:
If a bad guy wants to change the source code of the app, it's always possible (native or hybrid). Therefore you have to add several layers of security to your application stack.

If he changes the source code, it affects only his own installation. To change the code for all users, the attacker has to hack the server.

App (hybrid)

Make heavy use of minification and obfuscation. There are a lot of tools out there. This will make it harder for an attacker to understand your code.

Do not store any sensitive data in plain text. Use crypto libs / plugins. For instance, instead of storing a password, just save the hash.

Save only required data (http://martinfowler.com/bliki/Datensparsamkeit.html).

Implement a secure communication channel to your backend.

Backend

Never ever trust the data from the frontend, validate!
Use a well-known auth strategy.

App update on the fly

Use hash codes for every file -> now it's possible to check if the file was modified during the download phase.
Secure your update server.
Use a PKI, certs, etc. to ensure you're talking to the right server.
Keep the server simple and stupid: the server serves only static files (the updated files). No need for database, scripting support, etc. --> Reduces the number of attack vectors.

Regards

1 Like

I followed the steps in http://blog.peterkim.co/tutorial-how-to-add-onthefly-updates-to-a-hybrid-app and it works great on iOS. But the app is not starting up (does not get the $ionicPlatform.ready event) on Android.

Any ideas why that might be happening?

I tested this with the default starter app which is part of the ionicframework.

Android version: 5.1.1
Cordova version: 5.0.0
Ionic version: 1.0.0

https://github.com/nordnet/cordova-hot-code-push

Yesterday we released our previously internal approach to doing hot code push for hybrid apps as an open-source native Cordova plugin for iOS and Android. It should work well with any Cordova/PhoneGap based app, with or without the Ionic framework.
We would welcome your feedback.

3 Likes