
Show HN: Update Android Apps Dynamically with no User Interaction  - vpanyam
http://blog.vivekpanyam.com/evolve-seamlessly-deploy-android-apps-to-users/?hn
======
yawz
Very interesting. I'll give it a try when I get a chance. However the limiting
factor for a lot of people would be as described in the last section:

 _According to the Google Play Developer Program Policies
([http://play.google.com/about/developer-content-
policy.html](http://play.google.com/about/developer-content-policy.html)), "An
app downloaded from Google Play may not modify, replace or update its own APK
binary code using any method other than Google Play's update mechanism."

This means that Evolve CANNOT be used in apps on Google Play.

Evolve is targeted towards apps not on Google Play and Beta tests. Some of its
intended use cases are enterprise apps (fix security holes without bugging all
your employees) and beta tests (push updates to beta testers instead of
waiting for them to download it)._

------
nathancahill
Bitwse, if you see this, you've been hellbanned for almost 2 years. Which is
too bad, since you've been posting decent comments the whole time.

~~~
toomuchtodo
OT: How hard is it to determine if you've been hellbanned?

~~~
jamesbritt
Create a new accout. Turn on "show dead". Check a post made from your usual
account. Is it dead?

~~~
toomuchtodo
Seems fairly straightforward to automate "Am I dead?" checking .

------
drakaal
This isn't new. It has been known that you can do this for a long while. Doing
so however will get you permanently banned from the Google Play store. It can
get you black listed from Adsense. Not worth the risks unless you are an app
distributed by side loading because you don't qualify for the play store.
[porn, gambling, etc.]

------
jmgao
This is a terrible idea, especially as used as in the examples in the
comments. You think enterprise apps would fix security holes using an updater
that grabs arbitrary code off the internet using http, and does no signature
validation whatsoever?

~~~
vpanyam
It does do signature validation.
[https://github.com/VivekPanyam/EvolveWrapper/blob/master/src...](https://github.com/VivekPanyam/EvolveWrapper/blob/master/src/com/vivekpanyam/TestApp/DynamicApp.java#L64)

The user can use HTTPS if they want to; just put in the appropriate URL. I
updated the example to reflect that.

~~~
jmgao
Signature validation should not be an optional thing that gets done if people
choose to do so. Any sane updater library will mandate it in the library, and
force users to jump through hoops to turn it off.

------
cfolgar
As someone who is new to this side of Android, I find this proof of concept
intriguing and incredibly educational. While it is certainly true that
potential security problems may arise from implementing something like this in
your app, it is good to know that the developer is working hard to iron some
of the problems out. For me, the value in this concept lies in the provided
insight of seeing an app being significantly updated in such a short span of
time with absolutely no interruption to the user.

On another note: lets keep in mind the fact that this was built within 24
hours by a motivated young student at a recent collegiate hackathon (I was
there to see the presentation). It is, after all, a great hack that really
shows the spirit of hacking.

------
markysmarky
Anyone knows how does Google detect that an app is trying to download and run
code remotely? Is it an automatic process done by Google? For example, if I
use this library but don't ever download new code - so that it's not really
used - will it come up on their radar somehow?

Thanks

------
pjmlp
This is just proof of concept, nothing new for those old enough and not usable
in real applications.

------
kefs
Why did you delete the original thread from 2 hours ago?

[https://news.ycombinator.com/item?id=7261583](https://news.ycombinator.com/item?id=7261583)

..and thank you for updating the readme to be more explicit.

~~~
vpanyam
I wasn't signed in with my primary account. And no problem :)

------
Kartificial
Is this what the app by Pokerstars uses? The app is not available in the Play
Store due to the gambling nature of the app, but it checks for updates itself
when opened.

------
hayksaakian
I wish the firefox nightly app would use something like this

I enjoy testing out "fun" (sometimes buggy) features, but I hate going through
the update dialog EVERY DAY.

~~~
icebraining
Odd, Firefox does have a silent updater nowadays. Have you checked if it's
running?

~~~
hayksaakian
Firefox android? Maybe it just works so well I didn't notice it was working at
all....

------
deft
Hey, nice job. I was impressed by this at Pennapps, cool that you did it in
such a short amount of time (even if it's been possible for a long time)

------
abhia
Congrats! Seems like a great way to show your friends your app when starting
off

------
gulbrandr
_An app downloaded from Google Play may not modify, replace or update its own
APK binary code using any method other than Google Play 's update mechanism._

This is ridiculous, Google Play Services does exactly that.

~~~
Drakim
Is Google Play Services downloaded though Google Play?

~~~
gulbrandr
Yes:
[https://play.google.com/store/apps/details?id=com.google.and...](https://play.google.com/store/apps/details?id=com.google.android.gms)

Why the down vote?

