Native Update — Features
Native Update is an open-source Capacitor plugin for shipping
over-the-air (OTA) updates, App Store / Play Store update prompts, and
in-app review requests in cross-platform iOS and Android apps.
It bundles three independent modules (Live Update, App Update, App Review)
behind one TypeScript-first API, signs every OTA bundle with RSA or ECDSA,
verifies SHA-256 checksums on download, and supports percentage rollouts
with automatic crash-rollback.
How an OTA update reaches your users
- Install the plugin and configure the update server.
Run
yarn add native-update then call
NativeUpdate.configure({ serverUrl, channel, autoCheck })
on app start. Configuration is locked after this call.
- Generate a signing keypair and register the public key.
Use
native-update keys generate to mint an RSA or ECDSA
pair. Keep the private key in your CI vault; register the public key
on your update server.
- Build, sign, and publish a bundle from CI. The hosted
SaaS or the self-hosted Laravel backend stores the bundle, computes
its SHA-256, and exposes it on the channel manifest.
- The plugin checks for updates on app start. A GET
to
/v1/updates/check returns either a manifest or "no
update". Background checks are configurable.
- Download, verify, and stage the new bundle. Streamed
download to a sandboxed temp directory; checksum + signature verified
before the bundle is ever loaded.
- Apply on next launch with automatic rollback. If the
new bundle crashes during boot, the watchdog restores the prior
known-good bundle on the next start.
Frequently asked questions
Does Native Update bypass App Store or Play Store review for native code?
No. OTA live updates are limited to JavaScript, HTML, CSS, and other
web assets. Native code (Swift, Kotlin) still requires a store
submission; the App Update module helps you push that.
How does the rollback work if a new bundle crashes?
The plugin records the active bundle reference before each launch.
A crash during boot triggers automatic restoration to the prior
known-good bundle on the next start.
What stops an attacker from pushing a malicious bundle?
HTTPS-only update URLs, SHA-256 checksum verification, and RSA /
ECDSA signature verification against a public key compiled into the
app. A bundle that fails any one gate is rejected.
Can I run my own update server?
Yes. The plugin talks to a documented HTTP contract. The Laravel +
Nova reference backend in this repo is the canonical self-host
option; the hosted SaaS runs the same code.
Last updated 2026-05-16. Maintained by Ahsan Mahmood.