I realize that this is sort of a broad and perhaps vague question, but I'm looking for some common strategies for self-updating an app in Android (not via Google Play, but directly from the application itself). Perhaps I could embed the actual app's APK within another APK which does the updating, but then (1) could the updater even modify itself while it's running and (2) more generally, how might one prevent another (supposedly malicious) app from modifying the updater? Any tips, links, or thoughts on the matter would be greatly appreciated!
2 Answers
> I'm looking for some common strategies for self-updating an app in Android
There is really only one strategy that I can think of:
Step #1: Determine that an update is available (e.g., monitor some URL for latest-version info)

Step #2: Download the update

Step #3: Kick off the install using `ACTION_VIEW` or `ACTION_INSTALL_PACKAGE` (latter available on API Level 14+), at some point when the user requests it, since the user will need to approve the update
> could the updater even modify itself while it's running
The app being updated will have its process stopped during the update.
> how might one prevent another (supposedly malicious) app from modifying the updater?
The update has to be signed by the same signing key as signed the original version, no different than via distribution through the Play Store. Hence, protect your signing key with your life (or perhaps with somebody else's life, if there's anyone around wearing a red shirt).
- [Keep your red shirt on](http://www.significancemagazine.org/details/webexclusive/4381371/Keep-your-redshirt-on-a-Bayesian-exploration.html) – Geobits Sep 17 '13 at 14:44
- Thanks CommonsWare, that pretty much answers my question! – SeaBass Sep 17 '13 at 19:54
- @SeaBass: That's great! I would really hate for you to [be ill-tempered](http://www.imdb.com/title/tt0118655/quotes?item=qt0367888). :-) – CommonsWare Sep 17 '13 at 19:58
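
Step #3 of the first answer, preceded by a local check of the same-signing-key rule, as an added Java example (not code from the answer or the page); the class and method names are hypothetical. The system installer enforces the signature match on its own, so this check only serves to reject a wrong or tampered download before the user is prompted.

```java
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.net.Uri;
import java.io.File;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical helper (names are assumptions): pre-checks a downloaded APK, then asks the user to install it. */
public final class UpdateInstaller {
    private UpdateInstaller() {}

    /** True only if the APK is this package, has a higher versionCode, and carries the same certificate set. */
    @SuppressWarnings("deprecation") // GET_SIGNATURES, signatures and versionCode are the older, widely available calls
    public static boolean isAcceptableUpdate(Context ctx, File apk)
            throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        PackageInfo installed = pm.getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
        PackageInfo candidate = pm.getPackageArchiveInfo(apk.getAbsolutePath(), PackageManager.GET_SIGNATURES);
        // Unparseable archive or no certificates collected: reject rather than guess.
        if (candidate == null || candidate.signatures == null || candidate.signatures.length == 0) return false;
        if (!ctx.getPackageName().equals(candidate.packageName)) return false;
        if (candidate.versionCode <= installed.versionCode) return false; // refuse downgrades and re-installs
        Set<Signature> current = new HashSet<>(Arrays.asList(installed.signatures));
        Set<Signature> offered = new HashSet<>(Arrays.asList(candidate.signatures));
        return current.equals(offered);
    }

    /** Step #3: hand the APK to the system installer; the user still has to approve the update. */
    public static void launchInstaller(Context ctx, Uri apkUri) {
        // apkUri may be file:// on old releases; apps targeting API 24+ must pass a
        // content:// URI (for example from a FileProvider) instead.
        Intent intent = new Intent(Intent.ACTION_VIEW);
        intent.setDataAndType(apkUri, "application/vnd.android.package-archive");
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_GRANT_READ_URI_PERMISSION);
        ctx.startActivity(intent);
    }
}
```

Keeping the downloaded file in app-private storage until it is handed to the installer prevents another app from swapping it after the check has passed.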
One thing to be aware of is that Google doesn't like this sort of behavior at all.

Google bans self-updating Android apps...

> Google has now changed the Google Play store policies in an apparent attempt to avoid Facebook-like end runs around store-delivered updates. Under the "Dangerous Products" section of the Google Play developer policies, Google now states that "[a]n app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play's update mechanism." A Droid-Life article says the language update occurred Thursday. APK (standing for application package file) is the file format used to install applications on Android.
I'm not sure if your app is or will ever be on Google Play, but if so I'd advise against doing this, as it could jeopardize your developer account.
- Can't be true, because all of the #1 games on the app store patch themselves without involving the play store at all. They patch themselves totally in-app, using in-app progress bars, in-app messages ("Applying patches", "Recompiling shaders", "Installing new assets"), etc. – Leng Jan 11 '22 at 00:29