Live-update mobile without going through app stores

[quinthar]

One of the most amazing features of RN is the ability to "live edit" without going through the app store. If we can do that, that would be truly amazing as it means we only need to go to the app store when we are doing a "major new feature" (though even that is just advisory, there's no actual technical requirement for that).

[AndrewGable]

From my research it looked like CodePush was the most widely used and my personal suggested platform to do this

[Julesssss]

@quinthar @AndrewGable

After looking into CodePush I'm a not convinced that out-of app store updates are possible. Maybe AppCenter have discovered a workaround, but I believe that remote mobile app updates are not possible when distributing through the App Store/Play Store -- it is seen as an exploit that entirely skips the app review process.

Here's a warning from AppCenter: Compatibility with App Stores

Google Play

Note that Google can consider in-app update code as malicious behaviour even if it isn't used at runtime. We recommend you to strip this code from your application before submitting it to Google Play.

App Store

If the application is installed from the App Store or TestFlight, in-app updates are not available, and checking for new versions will be disabled.

I'm struggling to find information to confirm this rule, but I think paragraph 3.3.2 in the Apple developer guideline refers to this.

It seems like full CodePush remote update functionality is only possible if we distribute outside of the App Store / Play Store? Maybe minor javascript pushes are allowed for apps distributed within the stores, but I'm struggling to verify this.

[Julesssss]

So, the Code Push Github readme suggests compatibility with the stores, but I'm still confused as to why App Center provides the above warning.

[tgolen]

I'm not sure how some apps do that then... For example, I started playing EVE Echoes. When the game starts, it checks for updates from the server, then says it's updating and forces you to restart the app. I've seen this on many other MMO games (like Clash of Clans) as well where they download executable code on launch. How are they able to get around that?

[tgolen]

Oh, I think that's OK because it doesn't change the intended and advertised purpose of the app. So it sounds like we would be fine then. I think they're just trying to prevent malicious intent like installing bitcoin mining code.

[roryabraham]

When the game starts, it checks for updates from the server, then says it's updating and forces you to restart the app.

This is my (unverified) theory: I think it's probably just downloading updated application data from their servers, (updated character stat configurations or whatever), not necessarily executable code. Then probably just restarting because the parameters of the game are tightly coupled with the app boot/initialization process.

Maybe we could employ a similar technique to basically send a flag that the application needs to be updated, then just display a push notification and/or modal dialog enabling a user to manually update the app (but they would still have the option of saying yes/no), and would still have to wait for the update.

I think that's OK because it doesn't change the intended and advertised purpose of the app. So it sounds like we would be fine then

I'm not sure I read it the same way. It says

The only exceptions to the foregoing are scripts and code downloaded and run by Apple's built-in Webkit framework or the JavascriptCore

So any of our code would probably be subject to this limitation:

an Application may not download or install executable code

[tgolen]

The only exceptions to the foregoing are scripts and code downloaded and run by Apple's built-in Webkit framework or the JavascriptCore

Aren't our scripts that are downloaded ran by the JavaScript core? (I honestly don't know, but that's kind of what I was assuming... I don't really know what JavaScript core is)

[quinthar]

let's not worried about getting blocked. If we do, then we stop. But let's go forward on the assumption that we can safely do background updates so long as they are minimal in nature.

On Fri, Aug 21, 2020 at 2:06 PM Tim Golen notifications@github.com wrote:

The only exceptions to the foregoing are scripts and code downloaded and run by Apple's built-in Webkit framework or the JavascriptCore

Aren't our scripts that are downloaded ran by the JavaScript core? (I honestly don't know, but that's kind of what I was assuming... I don't really know what JavaScript core is)

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/Expensify/ReactNativeChat/issues/257#issuecomment-678496680, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAEMNUWWHF6SVWKI5ZAJUGDSB3OTZANCNFSM4QFNMHFQ .

[jboniface]

Do we need this issue? It looks like it duplicates the "auto-update for [x platform]" issues, but maybe I'm misunderstanding?

[quinthar]

They're different. The others are about how to upgrade using the platform store (ie, App Store, Google Play) -- this is about how to update independent of those.

On Fri, Aug 28, 2020 at 10:49 AM Jeremy Boniface notifications@github.com wrote:

Do we need this issue? It looks like it duplicates the "auto-update for [x platform]" issues.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/Expensify/ReactNativeChat/issues/257#issuecomment-682988802, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAEMNUQT7ATT6EBR2DHUXXTSC7U4DANCNFSM4QFNMHFQ .

[jboniface]

Ah, I was never here

[quinthar]

ah, I think we should demote this -- it was critical based on a previous scheme, but isn't even part of the milestone. I don't think this is required for us to switch to DMs.

[quinthar]

I don't think this is necessary for DMs, removing from the milestone.

[AndrewGable]

Agreed that we should just try to use CodePush and deal with any backlash from the AppStore in stride. @Julesssss - Happy to help with this one if you get stuck and/or need any credentials.

[AndrewGable]

Going to look into this one after the POC/DMs are done.

[roryabraham]

I think now is as good a time as any to reopen this investigation

[roryabraham]

I'm not sure I'll ever get around to this. I'm going to unassign myself and let it decay unless someone else wants to work on it.

[MelvinBot]

@quinthar, this Monthly task hasn't been acted upon in 6 weeks; closing.

If you disagree, feel encouraged to reopen it -- but pick your least important issue to close instead.