How CodePush protects your code and your users.
CodePush uses three layers of authentication:
| Layer | Method | Purpose |
|---|---|---|
| Developer | JWT token or API Key | Publishing releases and patches |
| Mobile App | App Token | Checking and downloading updates |
| Browser Login | Device Authorization Flow | CLI authentication via browser |
- JWT Token: Obtained via `codepush login` (browser-based). Expires in 7 days.
- API Key: Permanent key for CI/CD pipelines. Sent via the `X-Api-Key` header. Obtained from account settings.
Each app gets a unique App Token when registered. This token:
- Is embedded in your mobile app
- Is sent via the `X-CodePush-Token` header on update checks
- Can be revoked and regenerated
- Is not a secret (it can be recovered by decompiling the app) but prevents casual API abuse
The CLI uses the Device Authorization Flow:
- CLI requests a one-time code (e.g., `KXPT-3NV7`)
- Opens the browser to the verification page
- User logs in and approves the code
- CLI receives credentials automatically
No password is ever entered in the terminal.
App registration is first-come-first-served by package name. Once registered, only the account owner can publish updates. This is the same model used by Shorebird.
Every DLL uploaded to CodePush is:
- Hashed with SHA-256 at upload time
- Recorded in the database together with that hash
- Verified against the stored hash by the mobile app after download
- Rejected if the hash doesn't match
Before a patch is accepted, the CLI compares assembly references against the release snapshot. This prevents:
- Loading assemblies not present in the app binary
- Using newer versions of assemblies than what shipped
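The two acceptance checks described above (the SHA-256 integrity check on a downloaded DLL and the assembly-reference check against the release snapshot), sketched as an added Python example; this is not CodePush's own code, and the snapshot contents, DLL bytes and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed release snapshot (example data, not a real CodePush snapshot):
# assembly name -> version that shipped inside the app binary.
RELEASE_SNAPSHOT = {
    "MyApp.Core": "1.4.0.0",
    "Newtonsoft.Json": "13.0.3.0",
    "Microsoft.Maui.Controls": "8.0.40.0",
}

def parse_version(version: str) -> tuple[int, ...]:
    """Turn an assembly version like '13.0.3.0' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))

def check_references(references: dict[str, str], snapshot: dict[str, str] = RELEASE_SNAPSHOT) -> list[str]:
    """CLI-side check: compare the assemblies a patched DLL references against the
    release snapshot. Returns the reasons for rejection; an empty list means accepted."""
    problems = []
    for name, needed in references.items():
        shipped = snapshot.get(name)
        if shipped is None:
            problems.append(f"{name}: not present in the app binary")
        elif parse_version(needed) > parse_version(shipped):
            problems.append(f"{name}: patch needs {needed} but the app shipped {shipped}")
    return problems

def sha256_hex(data: bytes) -> str:
    """Hash computed at upload time and stored alongside the release."""
    return hashlib.sha256(data).hexdigest()

def verify_download(data: bytes, stored_hash: str) -> bool:
    """App-side check: accept the downloaded DLL only if its SHA-256 matches the
    stored hash. compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(sha256_hex(data), stored_hash.lower())

if __name__ == "__main__":
    # Constructed stand-in for a DLL body; a real one starts with the PE 'MZ' header.
    dll = b"MZ" + b"\x00" * 62 + b"patched IL body"
    stored = sha256_hex(dll)
    print("intact download accepted:", verify_download(dll, stored))
    print("tampered download accepted:", verify_download(dll + b"\x01", stored))
    print("patch problems:", check_references({"Newtonsoft.Json": "13.0.4.0", "SkiaSharp": "2.88.0.0"}))
```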
- All traffic uses HTTPS (TLS 1.2+)
- Cloudflare provides DDoS protection and edge caching
- Azure Blob Storage is private (no public access)
- Downloads go through CDN with token validation
The Mono interpreter is part of the app binary (shipped inside the .NET runtime). Interpreting IL bytecode is analogous to JavaScript in WebKit. This is the same approach used by React Native CodePush and Shorebird.
CodePush configures MtouchInterpreter to enable interpretation only for CodePush modules, keeping the rest of your app at full AOT performance.
.NET assemblies run on the Mono runtime virtual machine, which qualifies under Google's policy for VM-based code execution.
- Use CodePush for hotfixes and minor updates only
- Don't use it to circumvent app store review for major feature additions
- Don't change the primary purpose of your app via code push