I've been noodling on this idea for a while, but I'm wondering if there are security ramifications.
Basically PhoneGap is just HTML5 running within a navite app web browser. (My particular app uses JQuery Mobile to help with the GUI) I've been thinking about adding the ability to "pull" javascript and HTML updates to the app, so I don't have to go through the App Store every time. To give a specific example:
Let's say I submit MyApp v1.0 to the App Store and Apple approves it. It then turns out that one of my buttons in the app are broken.
Normally I'd have to fix the button, resubmit to Apple and wait a week for them to approve it.
But what if I had my app always ping the server on startup and check for executable javascript patches? My app could simply pull down a sniplet of code like:
$("#mybutton").click(function(event) {
event.stopPropagation();
// Here is the right thing to do...
}
As long as this "patch" code is executed at the appropriate time and in the appropriate way, I don't see why it wouldn't work. It would also work great to communicate system outages, etc.
My concern, however, is security. Grabbing some dynamic code from the outside world and executing it blindly sounds scary. Can I trust that if my patch grabber always hits a specific HTTPS URL on my server, that that response is safe to execute? Or could a 'hacker' somehow intercept that patch call and feed in their own malicious javascript?