[SDK] LiveLibs ~ auto-updating code in your apps!

---

LiveLibs is an SDK that you can use in your apps. It allows you to have automatically updating code written in JavaScript. And yes, it'll even pass Marketplace approval. For more info, go here:

LiveLibs.com

Alpha 2 changes:
- Completely changed over from IronRuby to Jurassic (JavaScript) engine
- Improved security (hints and libraries are signed; lib.xml contains more verification data)

(Reserved)

Even though I do respect all the effort you may have put in this project, I'm still not too sure about it. As we've already seen and learned from Android and even iOS there's always the risk of a misuse of such an updating method as unauthorized code can be injected. I rather wait for updates to pass the official certification ways than let my apps update on their own and not knowing what exactly was downloaded.

You are right. With alpha 1 there is a risk of a MitM attack causing apps to download something they shouldn't. However, the framework is already in place to mitigate that - I just haven't had time to implement it fully.

All library ZIP files are signed on the server side with the LiveLibs private key, and the signature is checked by the SDK upon download. Starting with alpha 2, hints will also be signed, which will ensure that erroneous updates are never downloaded.

Also, you don't have to trust the LiveLibs.com site to do the updating. The SDK lets you specify alternate URLs for hints and for libraries.

Just stumbled across this link from your sig. Very cool idea. However, I want to know: have you tested it on a developer-locked phone? Dev-unlock allows the phone to execute code that doesn't have a Microsoft signature (Marketplace apps receive this on all DLLs) but user-replaced or self-compiled binaries won't have that signature. I don't know exactly how your libs worked, but from the look of things (based on your choice of languages) you're looking at monkey-patching the code in place. That's a cool idea, and may well get through Marketplace ingestion, but as soon as the patching is used, you'll have a file without a valid Marketplace signature, and the app won't run anymore...

At least, that's my guess on what would happen. If you can get around that, it would be incredible. That would provide a way to run homebrew code on dev-locked Windows Phones...

The way it worked with IronRuby is the Ruby code was interpreted on the fly. With Jurassic, the JavaScript is compiled into anonymous classes (IIRC from docs/forums on Jurassic.codeplex.com) and executed w/o ever creating separate assemblies. In other words, there's no monkey patching - just live emitted code via Reflection.Emit and similar methods. I'm in the process of getting alpha 2 ready for release now, actually.

Hmm, it's sounds quite interesting! However it's not a way to get an interop-unlock. Also (from the marketing side) it has another cons: an official updates via marketplace for some reasons are increasing number of app customers/downloads (so, good idea - if you have ads-based app - to publish updates at least monthly) but silent, "self-update" I afraid will not.

There's no reason to stop doing proper Marketplace-based updates. The biggest benefit of LiveLibs is the ability to quickly crush bugs instead of having to wait for Marketplace approval while your users complain and give your app bad ratings because of some simple bug.

Quote:

Originally Posted by Arktronic

There's no reason to stop doing proper Marketplace-based updates. The biggest benefit of LiveLibs is the ability to quickly crush bugs instead of having to wait for Marketplace approval while your users complain and give your app bad ratings because of some simple bug.

Agree. But your code also may have a bugs so it's still not an easy decision: should I add that app's overhead or better to spend more time/money for beta-testing

That, my friend, is entirely up to you