playbooks

home / skills / dbobkov245-source / pwa-torserve / app-updater

app-updater skill

/skills/app-updater

This skill enables self-hosted APK updates for Android TV by checking a version manifest, downloading, and installing updates from a private server.

npx playbooks add skill dbobkov245-source/pwa-torserve --skill app-updater

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
2.7 KB
---
name: app-updater
description: Specialist in self-hosted APK updates without Google Play.
---

# Self-Hosted App Updater

This skill handles updating the Android TV application (APK) directly from a private server or GitHub Releases, bypassing Google Play.

## 🔄 Update Workflow

1.  **Check Version:** Fetch `version.json` from your server on app launch.
2.  **Prompt User:** If `remoteVersion > localVersion`, show a modal: "Update Available".
3.  **Download APK:** Use `CapacitorHttp` to download the `.apk` file to a temporary location.
4.  **Install:** Trigger the Android Intent to install the package.

## 📱 Implementation Details

### 1. Version Manifest (`version.json`)
Host this file on your server (e.g., GitHub Pages or your API):
```json
{
  "version": "1.2.3",
  "minVersion": "1.0.0", // Force update if critical
  "url": "https://example.com/app-release.apk",
  "notes": "Fixed critical bug with player."
}
```

### 2. Download & Install (Java/Native Plugin)

Since standard web APIs cannot trigger APK installation, you need a Native Plugin method (extend `TVPlayer.java` or create `AppUpdater.java`).

**Required Permissions (AndroidManifest.xml):**
```xml
<uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
```

**Java Implementation (Snippet):**
```java
// Download logic using DownloadManager or OkHttp...
// Then install:
Intent intent = new Intent(Intent.ACTION_VIEW);
intent.setDataAndType(apkUri, "application/vnd.android.package-archive");
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION); // Critical for FileProvider
context.startActivity(intent);
```

### 3. FileProvider (Critical for Android 7+)

You cannot just expose `file://` URIs. You MUST use a `FileProvider` in `AndroidManifest.xml`:

```xml
<provider
    android:name="androidx.core.content.FileProvider"
    android:authorities="${applicationId}.fileprovider"
    android:exported="false"
    android:grantUriPermissions="true">
    <meta-data
        android:name="android.support.FILE_PROVIDER_PATHS"
        android:resource="@xml/file_paths" />
</provider>
```

**`res/xml/file_paths.xml`:**
```xml
<paths>
    <external-path name="external_files" path="."/>
</paths>
```

## ⚠️ Safety First
- **Signature Verification:** Android automatically verifies that the new APK signature matches the old one. If not, update fails. Ensure you sign with the SAME key.
- **HTTPS Only:** Never download APKs over HTTP.
- **User Consent:** Always ask the user before starting a download (bandwidth) and before installing.

Overview

This skill implements a self-hosted APK update flow for Android TV apps, enabling updates from a private server or GitHub Releases without Google Play. It focuses on safe version checks, secure APK download, and invoking the Android install intent via a native plugin. The goal is reliable, user-consented updates for sideloaded or private-distribution apps.

How this skill works

On launch the app fetches a version manifest (version.json) from your server and compares remoteVersion to localVersion. If an update is available the app prompts the user, downloads the APK via a native HTTP client, and uses a native plugin to trigger the Android install intent. A FileProvider is required to expose the APK URI safely, and Android enforces signature and permission checks during installation.

When to use it

  • You distribute an Android TV app outside Google Play (side-loaded or private APK).
  • You want OTA updates from GitHub Releases or a private CDN/server.
  • You need forced updates for critical fixes using minVersion.
  • You must avoid Google Play for regional or licensing reasons.
  • You require an integrated update prompt and install flow in the app.

Best practices

  • Host version.json over HTTPS and include version, minVersion, url, and notes.
  • Always prompt users before downloading and before invoking installation.
  • Use a native plugin (Java) to download and start the install intent; web APIs cannot install APKs.
  • Configure FileProvider with proper paths and grantUriPermissions to avoid file:// issues on Android 7+.
  • Sign every build with the same key; Android will reject different signatures.

Example use cases

  • Private media center app for Android TV updates delivered from a home NAS or GitHub.
  • Corporate or kiosk deployments where Play Store is not available or allowed.
  • Beta distribution channel using GitHub Releases and a manifest for testers.
  • Emergency security fix that requires forcing a minimum supported version.

FAQ

Do I need special permissions to install the APK?

Yes. REQUEST_INSTALL_PACKAGES and storage/internet permissions are required and you must use FileProvider for file access; user consent is also required.

Can I download APK over HTTP?

No. Always use HTTPS to protect integrity and prevent MITM tampering.

What happens if the APK signature differs?

Android will block the install. Always sign updates with the same signing key as the installed app.