native-update 1.4.8 → 2.0.0

package/ios/Plugin/LiveUpdate/LiveUpdatePlugin.swift

@@ -11,6 +11,15 @@ class LiveUpdatePlugin {
     private var session: URLSession!
     private var downloadTask: URLSessionDownloadTask?
     private let securityManager = SecurityManager()
+
+    // UserDefaults keys for the A2 (boot-time re-verify) and A3
+    // (crash-loop auto-rollback) defenses. Mirrors the Android constants
+    // in LiveUpdatePlugin.kt so the two platforms stay in lockstep.
+    private static let activeBundleKey = "native_update_active_bundle"
+    private static let previousBundleKey = "native_update_previous_active_bundle"
+    private static let pendingBundleKey = "native_update_pending_verify_bundle"
+    private static let pendingAttemptsKey = "native_update_pending_verify_attempts"
+    private static let maxPendingAttempts = 2
     
     init(plugin: CAPPlugin) {
         self.plugin = plugin
@@ -156,8 +165,10 @@ class LiveUpdatePlugin {
                     }
                 }
                 
-                // Create bundle info
-                let bundleInfo: [String: Any] = [
+                // Create bundle info. Persist the signature so the
+                // boot-time re-verify (verifyActiveBundleOnBoot) can run
+                // without needing to re-download.
+                var bundleInfo: [String: Any] = [
                     "bundleId": bundleId,
                     "version": version,
                     "path": downloadedFile.path,
@@ -167,6 +178,9 @@ class LiveUpdatePlugin {
                     "checksum": checksum,
                     "verified": true
                 ]
+                if let signature = call.getString("signature") {
+                    bundleInfo["signature"] = signature
+                }
                 
                 // Save bundle info
                 saveBundleInfo(bundleInfo)
@@ -467,7 +481,22 @@ class LiveUpdatePlugin {
     }
     
     private func setActiveBundle(_ bundleId: String) {
-        UserDefaults.standard.set(bundleId, forKey: "native_update_active_bundle")
+        let defaults = UserDefaults.standard
+        let currentActive = defaults.string(forKey: Self.activeBundleKey)
+
+        defaults.set(bundleId, forKey: Self.activeBundleKey)
+
+        // Preserve the previous active bundle as a rollback target. Skip
+        // self-activation so we don't nuke a real previous-bundle pointer.
+        if let previous = currentActive, previous != bundleId {
+            defaults.set(previous, forKey: Self.previousBundleKey)
+        }
+
+        // Mark this activation as pending-verify. notifyAppReady() clears
+        // it; otherwise the next cold start counts against the bundle and
+        // eventually rolls back to the previous known-good bundle.
+        defaults.set(bundleId, forKey: Self.pendingBundleKey)
+        defaults.set(0, forKey: Self.pendingAttemptsKey)
     }
     
     private func clearAllBundles() {
@@ -542,7 +571,142 @@ class LiveUpdatePlugin {
     }
     
     private func markBundleAsVerified() {
-        UserDefaults.standard.set(true, forKey: "native_update_current_bundle_verified")
+        // notifyAppReady() is the host app's "I booted clean on this bundle"
+        // signal. Clear the pending-verify state so cold starts after this
+        // no longer count against the bundle.
+        let defaults = UserDefaults.standard
+        defaults.set(true, forKey: "native_update_current_bundle_verified")
+        defaults.removeObject(forKey: Self.pendingBundleKey)
+        defaults.removeObject(forKey: Self.pendingAttemptsKey)
+    }
+
+    /// Called from NativeUpdatePlugin.load() on every cold start. Runs two
+    /// independent defenses, both silent when no OTA bundle is active:
+    ///
+    ///   A2 — re-hash the active bundle and verify it still matches the
+    ///        checksum stored at install time. If signature + publicKey are
+    ///        configured, also re-verify the signature. Catches on-disk
+    ///        tampering on jailbroken devices.
+    ///   A3 — if the active bundle was never confirmed by notifyAppReady()
+    ///        on the previous launch, treat this cold start as a failed
+    ///        boot. After maxPendingAttempts failures, rollback to the
+    ///        previous known-good bundle to break the crash loop.
+    ///
+    /// On any failure the method rolls back and fires an
+    /// updateStateChanged event with status "ROLLBACK" so the host app
+    /// and analytics layer can observe it.
+    func verifyActiveBundleOnBoot() {
+        let defaults = UserDefaults.standard
+
+        // A3: crash-loop detection.
+        if let pendingBundleId = defaults.string(forKey: Self.pendingBundleKey) {
+            let nextAttempt = defaults.integer(forKey: Self.pendingAttemptsKey) + 1
+            if nextAttempt > Self.maxPendingAttempts {
+                rollbackToPrevious(
+                    reason: "auto-rollback after \(nextAttempt) failed cold starts",
+                    fromBundleId: pendingBundleId
+                )
+                defaults.removeObject(forKey: Self.pendingBundleKey)
+                defaults.removeObject(forKey: Self.pendingAttemptsKey)
+                return
+            }
+            defaults.set(nextAttempt, forKey: Self.pendingAttemptsKey)
+        }
+
+        // A2: integrity re-verify. Only for non-default active bundles.
+        guard let activeBundleId = defaults.string(forKey: Self.activeBundleKey),
+              activeBundleId != "default" else {
+            return
+        }
+
+        guard let bundleInfo = getBundleInfoById(activeBundleId) else {
+            rollbackToPrevious(
+                reason: "active bundle info missing from UserDefaults",
+                fromBundleId: activeBundleId
+            )
+            return
+        }
+
+        guard let bundlePath = bundleInfo["path"] as? String, !bundlePath.isEmpty,
+              let expectedChecksum = bundleInfo["checksum"] as? String, !expectedChecksum.isEmpty else {
+            return
+        }
+
+        let bundleURL = URL(fileURLWithPath: bundlePath)
+        guard FileManager.default.fileExists(atPath: bundlePath) else {
+            rollbackToPrevious(
+                reason: "bundle file missing on disk",
+                fromBundleId: activeBundleId
+            )
+            return
+        }
+
+        do {
+            let actualChecksum = try calculateChecksum(for: bundleURL)
+            if actualChecksum != expectedChecksum {
+                rollbackToPrevious(
+                    reason: "bundle checksum mismatch on boot",
+                    fromBundleId: activeBundleId
+                )
+                return
+            }
+        } catch {
+            rollbackToPrevious(
+                reason: "bundle checksum computation failed: \(error.localizedDescription)",
+                fromBundleId: activeBundleId
+            )
+            return
+        }
+
+        // Signature re-verify when both a signature and a public key are
+        // available. Absence of either is treated as "not configured" and
+        // skipped — Phase A1 already enforces fail-closed at download time.
+        if let signature = bundleInfo["signature"] as? String, !signature.isEmpty,
+           let publicKey = (config?["security"] as? [String: Any])?["publicKey"] as? String,
+           !publicKey.isEmpty {
+            do {
+                let bytes = try Data(contentsOf: bundleURL)
+                if !securityManager.verifySignature(
+                    data: bytes,
+                    signature: signature,
+                    publicKeyString: publicKey
+                ) {
+                    rollbackToPrevious(
+                        reason: "bundle signature mismatch on boot",
+                        fromBundleId: activeBundleId
+                    )
+                }
+            } catch {
+                rollbackToPrevious(
+                    reason: "bundle signature check failed: \(error.localizedDescription)",
+                    fromBundleId: activeBundleId
+                )
+            }
+        }
+    }
+
+    private func rollbackToPrevious(reason: String, fromBundleId: String) {
+        let defaults = UserDefaults.standard
+        let previous = defaults.string(forKey: Self.previousBundleKey)
+        if let previous = previous {
+            defaults.set(previous, forKey: Self.activeBundleKey)
+        } else {
+            defaults.removeObject(forKey: Self.activeBundleKey)
+        }
+        defaults.removeObject(forKey: Self.previousBundleKey)
+
+        stateChangeListener?([
+            "status": "ROLLBACK",
+            "bundleId": fromBundleId,
+            "rolledBackTo": previous ?? "default",
+            "reason": reason
+        ])
+    }
+
+    private func getBundleInfoById(_ bundleId: String) -> [String: Any]? {
+        let defaults = UserDefaults.standard
+        let bundles = defaults.dictionary(forKey: "native_update_bundles") ?? [:]
+        return bundles[bundleId] as? [String: Any]
     }
     
     // MARK: - Bundle Extraction and WebView Configuration
@@ -574,14 +738,80 @@ class LiveUpdatePlugin {
         }
     }
     
+    /// Hard cap on total uncompressed size of an OTA bundle. Protects
+    /// against zip-bombs (a small zip that expands to gigabytes and fills
+    /// the device). Chosen as 5x the default 100MB downloaded-bundle limit
+    /// — enough headroom for typical web-app bundles after minification
+    /// reverses, below a threshold that would be hostile on mobile.
+    private static let maxUncompressedBundleBytes: UInt64 = 500 * 1024 * 1024
+
     private func extractZipBundle(from zipUrl: URL, to destinationUrl: URL) throws {
-        // Ensure destination directory exists
+        // Ensure destination directory exists.
         try FileManager.default.createDirectory(at: destinationUrl, withIntermediateDirectories: true, attributes: nil)
 
-        // Extract the ZIP archive using ZIPFoundation
+        // Inspect every entry before extracting anything. Three defenses:
+        //   1. zip-slip — an entry whose destination path resolves outside
+        //      the intended directory would let a malicious bundle write
+        //      over any file in the app sandbox (e.g. overwriting
+        //      built-in code) when unzipItem later runs.
+        //   2. symlink attack — symlinks in the archive can redirect
+        //      subsequent writes outside the sandbox even if the entry
+        //      itself resolves cleanly.
+        //   3. zip-bomb — sum of uncompressed sizes capped; refuses to
+        //      extract an archive that would exhaust device storage.
+        guard let archive = Archive(url: zipUrl, accessMode: .read) else {
+            throw NSError(domain: "LiveUpdatePlugin", code: 7, userInfo: [
+                NSLocalizedDescriptionKey: "Could not open bundle archive for inspection"
+            ])
+        }
+
+        let canonicalDestination = destinationUrl
+            .standardizedFileURL
+            .resolvingSymlinksInPath()
+            .path
+        let destinationPrefix = canonicalDestination.hasSuffix("/")
+            ? canonicalDestination
+            : canonicalDestination + "/"
+
+        var totalUncompressed: UInt64 = 0
+
+        for entry in archive {
+            if entry.type == .symlink {
+                throw NSError(domain: "LiveUpdatePlugin", code: 8, userInfo: [
+                    NSLocalizedDescriptionKey: "Bundle contains symlink entry (refused): \(entry.path)"
+                ])
+            }
+
+            if entry.path.hasPrefix("/") {
+                throw NSError(domain: "LiveUpdatePlugin", code: 9, userInfo: [
+                    NSLocalizedDescriptionKey: "Bundle entry has absolute path (refused): \(entry.path)"
+                ])
+            }
+
+            let entryURL = destinationUrl
+                .appendingPathComponent(entry.path)
+                .standardizedFileURL
+            let entryPath = entryURL.resolvingSymlinksInPath().path
+
+            if entryPath != canonicalDestination && !entryPath.hasPrefix(destinationPrefix) {
+                throw NSError(domain: "LiveUpdatePlugin", code: 10, userInfo: [
+                    NSLocalizedDescriptionKey: "Bundle entry escapes destination (zip-slip refused): \(entry.path)"
+                ])
+            }
+
+            let (newTotal, overflow) = totalUncompressed.addingReportingOverflow(entry.uncompressedSize)
+            if overflow || newTotal > Self.maxUncompressedBundleBytes {
+                throw NSError(domain: "LiveUpdatePlugin", code: 11, userInfo: [
+                    NSLocalizedDescriptionKey: "Bundle exceeds maximum uncompressed size (\(Self.maxUncompressedBundleBytes) bytes) — possible zip-bomb"
+                ])
+            }
+            totalUncompressed = newTotal
+        }
+
+        // All entries passed inspection — safe to extract.
         try FileManager.default.unzipItem(at: zipUrl, to: destinationUrl)
 
-        // Verify extraction succeeded by checking for index.html
+        // Verify extraction succeeded by checking for index.html.
         let indexPath = destinationUrl.appendingPathComponent("index.html")
         guard FileManager.default.fileExists(atPath: indexPath.path) else {
             throw NSError(domain: "LiveUpdatePlugin", code: 6, userInfo: [
@@ -589,7 +819,7 @@ class LiveUpdatePlugin {
             ])
         }
 
-        // Clean up the ZIP file after successful extraction
+        // Clean up the ZIP file after successful extraction.
         try? FileManager.default.removeItem(at: zipUrl)
     }
     

package/ios/Plugin/NativeUpdatePlugin.swift

@@ -33,6 +33,14 @@ public class NativeUpdatePlugin: CAPPlugin {
         appUpdatePlugin.setEventListener { [weak self] eventName, data in
             self?.notifyListeners(eventName, data: data)
         }
+
+        // Boot-time integrity re-verify + crash-loop auto-rollback. Runs
+        // before any host-app code touches the WebView so a tampered or
+        // crash-looping bundle never gets a chance to load. Signature
+        // re-verify runs again after configure() when the publicKey
+        // arrives from the host app; checksum re-verify here is
+        // sufficient to catch most tampering.
+        liveUpdatePlugin.verifyActiveBundleOnBoot()
     }
     
     @objc func initialize(_ call: CAPPluginCall) {

package/ios/Plugin/Security/SecurityManager.swift

@@ -25,7 +25,8 @@ class SecurityManager {
                 "pins": getCertificatePins()
             ],
             "validateInputs": config?["validateInputs"] as? Bool ?? true,
-            "secureStorage": config?["secureStorage"] as? Bool ?? true
+            // Hard-coded true since v2 — secure storage is no longer opt-out.
+            "secureStorage": true
         ]
     }
     
@@ -142,21 +143,17 @@ class SecurityManager {
         return digest.map { String(format: "%02x", $0) }.joined()
     }
     
+    /// Writes always land in the Keychain since v2. The old
+    /// `secureStorage: false` opt-out was removed because the default
+    /// ran in plaintext UserDefaults unless a host app explicitly opted
+    /// in — which meant most integrations stored API keys in a trivially
+    /// readable location. See matching change in SecurityManager.kt.
     func saveSecureData(key: String, value: String) {
-        if isSecureStorageEnabled() {
-            keychain.set(value, forKey: key)
-        } else {
-            // Fallback to UserDefaults (not recommended)
-            UserDefaults.standard.set(value, forKey: key)
-        }
+        keychain.set(value, forKey: key)
     }
-    
+
     func getSecureData(key: String) -> String? {
-        if isSecureStorageEnabled() {
-            return keychain.string(forKey: key)
-        } else {
-            return UserDefaults.standard.string(forKey: key)
-        }
+        return keychain.string(forKey: key)
     }
     
     func validatePath(_ path: String) -> Bool {
@@ -189,8 +186,10 @@ class SecurityManager {
         return config?["enforceHttps"] as? Bool ?? true
     }
     
+    /// Unconditionally true since v2. Kept so `getSecurityInfo()` still
+    /// reports the capability to callers.
     func isSecureStorageEnabled() -> Bool {
-        return config?["secureStorage"] as? Bool ?? true
+        return true
     }
     
     func isInputValidationEnabled() -> Bool {

package/package.json

@@ -1,18 +1,16 @@
 {
   "name": "native-update",
-  "version": "1.4.8",
+  "version": "2.0.0",
   "engines": {
-    "node": ">=24.13.0"
+    "node": ">=18.0.0"
   },
-  "description": "Foundation package for building a comprehensive update system for Capacitor apps. Provides architecture and interfaces but requires backend implementation.",
+  "description": "Capacitor update plugin with live updates, app update checks, app reviews, and support for HTTP or Firestore-backed release delivery.",
   "type": "module",
   "main": "dist/plugin.cjs.js",
   "module": "dist/esm/index.js",
   "types": "dist/esm/index.d.ts",
   "unpkg": "dist/plugin.js",
-  "bin": {
-    "native-update": "./cli/index.js"
-  },
+  "bin": "./cli/index.js",
   "files": [
     "android/src/main/",
     "android/build.gradle",
@@ -36,7 +34,7 @@
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://nativeupdate.aoneahsan.com"
+    "url": "git+https://github.com/aoneahsan/native-update.git"
   },
   "bugs": {
     "url": "https://nativeupdate.aoneahsan.com/contact"
@@ -59,18 +57,19 @@
     "android",
     "hybrid"
   ],
-  "packageManager": "yarn@1.22.22",
+  "packageManager": "yarn@4.10.3",
   "scripts": {
-    "build": "yarn run clean && yarn run tsc && rollup -c rollup.config.js",
-    "build:prod": "yarn run clean && yarn run tsc && NODE_ENV=production rollup -c rollup.config.js",
+    "build": "rimraf ./dist && tsc && rollup -c rollup.config.js",
+    "build:prod": "rimraf ./dist && tsc && NODE_ENV=production rollup -c rollup.config.js",
     "clean": "rimraf ./dist",
     "tsc": "tsc",
     "watch": "tsc --watch",
     "lint": "eslint . --ext ts",
     "prettier": "prettier --write .",
-    "prepublishOnly": "yarn run build:prod",
+    "prepublishOnly": "yarn build:prod",
     "swiftlint": "cd ios && swiftlint lint --fix --format --path Plugin --verbose",
     "test": "vitest",
+    "test:run": "vitest --run",
     "test:ui": "vitest --ui",
     "test:coverage": "vitest --coverage"
   },
@@ -78,32 +77,32 @@
     "archiver": "^7.0.1",
     "chalk": "^5.6.2",
     "commander": "^14.0.3",
-    "express": "^5.2.1",
-    "ora": "^9.1.0",
+    "ora": "^9.3.0",
     "prompts": "^2.4.2"
   },
   "devDependencies": {
-    "@capacitor/android": "^8.0.2",
-    "@capacitor/app": "^8.0.0",
-    "@capacitor/core": "^8.0.2",
-    "@capacitor/device": "^8.0.0",
-    "@capacitor/filesystem": "^8.1.0",
-    "@capacitor/ios": "^8.0.2",
-    "@capacitor/preferences": "^8.0.0",
+    "@capacitor/android": "^8.3.0",
+    "@capacitor/app": "^8.1.0",
+    "@capacitor/core": "^8.3.0",
+    "@capacitor/device": "^8.0.2",
+    "@capacitor/filesystem": "^8.1.2",
+    "@capacitor/ios": "^8.3.0",
+    "@capacitor/preferences": "^8.0.1",
     "@rollup/plugin-json": "^6.1.0",
     "@rollup/plugin-node-resolve": "^16.0.3",
-    "@rollup/plugin-terser": "^0.4.4",
-    "@types/node": "^25.2.0",
-    "@typescript-eslint/eslint-plugin": "^8.54.0",
-    "@typescript-eslint/parser": "^8.54.0",
-    "@vitest/ui": "^4.0.18",
-    "eslint": "^9.39.2",
-    "happy-dom": "^20.4.0",
-    "prettier": "^3.8.1",
-    "rimraf": "^6.1.2",
-    "rollup": "^4.57.1",
-    "typescript": "^5.9.3",
-    "vitest": "^4.0.18"
+    "@rollup/plugin-terser": "^1.0.0",
+    "@types/node": "^25.6.0",
+    "@typescript-eslint/eslint-plugin": "^8.58.2",
+    "@typescript-eslint/parser": "^8.58.2",
+    "@vitest/ui": "^4.1.4",
+    "eslint": "^10.2.0",
+    "express": "^5.2.1",
+    "happy-dom": "^20.9.0",
+    "prettier": "^3.8.3",
+    "rimraf": "^6.1.3",
+    "rollup": "^4.60.1",
+    "typescript": "^6.0.2",
+    "vitest": "^4.1.4"
   },
   "peerDependencies": {
     "@capacitor/core": "^8.0.1"