How to submit Updates Over-the-Air ?


#1

I’m trying to understand how publishing OTA updates for my standalone app is working on Expo. i don’t want to generate a public link from which everyone could download my app and see my code etc. I want to keep my app private and want to be the only to be able to download and see the source code.

All the docs i saw about this topic are dealing with publish my project with a public url.

How to do things in a more private way ?

thanks


#2

Hey @mhacker,

We are working on setting up self-hosting so that you would be able to use your own url to serve your code, but it isn’t currently possible. One thing you can do to prevent people from finding your link if you don’t want to share it, is to set the privacy key in your app.json to unlisted. https://docs.expo.io/versions/v29.0.0/workflow/configuration#privacy

That makes it so your project isn’t indexed and can not be found via search.

Cheers,

Adam


#3

One thing I’ve done is I’ve added a handful of randomish characters to my slug. So, we might have “appname-f3b1d475f” as the slug in app.json, in addition to leaving our project unlisted. Thus, it’d be pretty difficult for the average user to stumble upon our app URL just by guessing it.

Primarily this is done not so much for hiding code, but to prevent someone going to the URL, scanning the QR code and running the app in the Expo client, where they would not be getting our full standalone app experience- we want to avoid that support scenario. It doesn’t really offer much in the way of preventing a determined user from seeing a JavaScript bundle, and we’re OK with that. The JS is embedded the in the binary and travels across the network, so it could be sniffed. Even self-hosting the JS couldn’t prevent that. But your code is minimized and obfuscated. It looks indecipherable. This is the case with any interpreted language, and is the same situation for a web app or Cordova app. In other words, if you’re comfortable serving a web page with JavaScript over the internet, an Expo JS bundle is no less protected.


#4

Thanks guys.

Ok so now i understand that i absolutely have to keep my url private to prevent users to open my app in their expo client.

I thinks the @llamaluvr solution is the most suitable for my case. I will add some random characters to make it more difficult to discover.


#5

You’re welcome! Just to be clear, I don’t want to overstate the “problem” of someone opening your app in Expo. Your app will still work there (and a user can only do this on Android now, anyway), it just will miss your branding on the icon, notifications, etc. It’s not particularly likely a user tries this, but we have several thousand users and over a large enough population, it always seems like somebody tries to test limits :-).