Enforce App Update
| Plan | Platforms | MASVS |
|---|---|---|
| Team | Android, iOS | MASVS-CODE-2 |
Overview
Enforce App Update forces users to update to the latest version of your application before they can continue using it. When enabled, the SDK blocks app startup and displays a non-dismissible prompt that redirects users to the App Store (iOS) or Google Play Store (Android) to download the latest version.
This control ensures all active users run the most current and secure version of your application, enabling rapid security patch deployment, critical bug fix distribution, and API compatibility enforcement.
How It Works
The Enforce App Update control operates at SDK initialization:
- Version Check: On app launch, the SDK attempts to fetch the latest configuration from the MobileDefender backend
- Enforcement Decision: The backend determines whether the current app version is acceptable based on your deployment settings
- Blocking Prompt: If the version is outdated or the config fetch fails, the SDK displays a full-screen, non-dismissible dialog
- Store Redirect: The user must tap the "Update" button, which opens the App Store or Google Play Store
- App Termination: After redirecting to the store, the SDK terminates the application process to prevent continued use of the outdated version
Version Discovery
Version enforcement is server-controlled. The MobileDefender backend maintains minimum version requirements per environment (development, staging, production). When you enable this control:
- The backend's config endpoint checks the app's version against the configured minimum
- If the version is below the minimum (or fails validation), the SDK receives an enforcement signal
- The SDK blocks app startup until the user updates
You do not need to hardcode version numbers in your app—all enforcement logic is managed server-side and can be adjusted in real-time through the MobileDefender dashboard.
User Experience
When a user launches an outdated version:
- Launch Blocked: The app displays a full-screen prompt immediately after SDK initialization, before your UI loads
- Message Display: The dialog shows a customizable title and message (e.g., "Update Required", "Please install the latest version to continue")
- Single Button: A single "Update" button is presented—the dialog cannot be dismissed or bypassed
- Store Navigation: Tapping "Update" opens:
  - iOS: App Store product page (via itms-apps:// URL or HTTPS App Store link)
  - Android: Google Play Store listing (via market:// or https://play.google.com URL)
- App Exit: After redirecting, the app terminates to prevent background usage
Customization
You can customize the enforcement prompt through the MobileDefender dashboard:
- Title: Header text (e.g., "Update Required")
- Message: Explanation text (e.g., "A new version is available. Please update to continue using the app.")
- Button Label: Action button text (e.g., "Update Now", "Go to Store")
- Redirect URL: App Store or Play Store deep link
Localization is supported—you can provide translations for different languages using the <en>, <es>, <fr>, etc. syntax in your text fields.
How to Enable the Control
Navigate to Device Settings from the AppTego portal and expand the App Lifecycle section, where you will find the Enforce App Updates control. Click Enable, choose the response action, and save the configuration. It is applied in the next build or, if enabled, with a live push.
API Configuration Example
{
  "EnforceNew": {
    "detection": true,
    "action": "alert",
    "title": "Enforce App Updates",
    "message": "A newer app version is required before continuing. Please update the app.",
    "buttons": ["OK"],
    "actions": ["close"],
    "redirects": [""]
  }
}
| Field | Purpose |
|---|---|
| detection | Enables app update enforcement. |
| action | Selects the response style, such as alert, close, log, or warn. |
| title / message | User-facing text shown when a response is displayed. |
| buttons / actions / redirects | Defines the available response buttons and their outcomes. |
Configuration
Backend Settings
Enforcement is managed via two flags in the device configuration:
- LiveConfig (get_new): Enables fetching the latest configuration on app launch (prerequisite for enforcement)
- EnforceNewVersion (enforced_get_new): Forces app update if config fetch fails or version is outdated
Both must be enabled for enforcement to work. If LiveConfig is disabled, EnforceNewVersion is automatically disabled.
Example Configuration
{
  "EnforceNew": {
    "detection": true,
    "action": "redirect",
    "title": "<en>Update Required\n<default>Update Required",
    "message": "<en>A new version is available. Please update to continue.\n<default>A new version is available. Please update to continue.",
    "buttons": ["<en>Update Now\n<default>Update Now"],
    "actions": ["redirect"],
    "redirects": ["https://apps.apple.com/app/your-app-id"]
  }
}
iOS Redirect URL Examples:
- https://apps.apple.com/app/id123456789
- itms-apps://itunes.apple.com/app/id123456789
Android Redirect URL Examples:
- https://play.google.com/store/apps/details?id=com.yourcompany.app
- market://details?id=com.yourcompany.app
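Because the prompt cannot be dismissed, the redirect URL is the only place an affected user can go, so it is worth checking before a live push. The following pre-deployment lint is an added example, not MobileDefender code: the function name, the separately passed flags, and the index-aligned pairing of buttons, actions and redirects are assumptions, and the allowed hosts come from the URL examples above.

```python
from urllib.parse import urlsplit

# Store schemes and hosts taken from the redirect URL examples on this page.
ALLOWED = {
    "https": {"apps.apple.com", "play.google.com"},
    "itms-apps": {"itunes.apple.com"},
    "market": {"details"},
}

def lint_enforce_new(cfg, get_new, enforced_get_new):
    """Return findings for an EnforceNew block; an empty list means it passed.

    get_new / enforced_get_new are the LiveConfig and EnforceNewVersion flags,
    passed separately (assumption: the page does not show where they live).
    """
    findings = []
    block = cfg.get("EnforceNew", {})
    if not block.get("detection"):
        return findings  # control disabled, nothing to check
    if enforced_get_new and not get_new:
        findings.append("enforced_get_new requires get_new (LiveConfig)")
    buttons = block.get("buttons", [])
    actions = block.get("actions", [])
    redirects = block.get("redirects", [])
    if not (len(buttons) == len(actions) == len(redirects)):
        findings.append("buttons, actions and redirects differ in length")
    for action, url in zip(actions, redirects):
        if action != "redirect":
            continue
        parts = urlsplit(url)
        # .hostname ignores userinfo and port, so a store name placed before
        # an "@" does not satisfy the check.
        if parts.hostname not in ALLOWED.get(parts.scheme, set()):
            findings.append(f"redirect is not a store URL: {url!r}")
    if block.get("action") == "redirect" and "redirect" not in actions:
        findings.append("action is redirect but no button redirects")
    return findings

# Constructed sample: a redirect whose real host is example.net.
SAMPLE = {"EnforceNew": {
    "detection": True, "action": "redirect",
    "buttons": ["Update Now"], "actions": ["redirect"],
    "redirects": ["https://apps.apple.com@example.net/app/id123456789"],
}}

if __name__ == "__main__":
    for finding in lint_enforce_new(SAMPLE, get_new=True, enforced_get_new=True):
        print(finding)
```

An empty redirect paired with a "redirect" action is also reported, since it would leave the blocking prompt with nowhere to send the user.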
Caveats and Best Practices
Deployment Workflow
⚠️ Critical: Always publish your new app version to the App Store or Google Play Store before enabling enforcement. If you enable enforcement before the new version is available in the stores, users will be stuck in a loop—unable to access the app and unable to find an update.
Recommended workflow:
- Submit new app version to Apple App Review / Google Play Console
- Wait for review approval and store publication
- Verify the new version is live and downloadable
- Enable EnforceNewVersion in the MobileDefender dashboard
- Push the live configuration to affected environments
Edge Cases
- Store Approval Delays: If your app update is stuck in review, enforcement will block all users from accessing the app
- Network Failures: If the SDK cannot reach the MobileDefender backend (e.g., due to network issues), enforcement treats this as a version mismatch and blocks the app by default
- Graceful Degradation: For non-enforced mode (enforceNewVersion: false), config fetch failures are ignored and the app continues with cached configuration
Environments
Use environment-specific enforcement:
- Development: Typically disabled (frequent version changes)
- Staging: Optional (for testing enforcement flow)
- Production: Enabled for critical updates only
Threats Mitigated
- Outdated Security Controls: Ensures all users run the latest SDK protections (e.g., new root detection techniques, certificate pinning updates)
- Critical Bug Exposure: Prevents users from encountering known crashes or vulnerabilities fixed in newer versions
- API Compatibility Issues: Enforces minimum versions when backend APIs change in breaking ways
- Compliance Violations: Ensures deprecated features (e.g., insecure protocols, removed permissions) are no longer accessible
Support Matrix
| Platform | Minimum Version | Status |
|---|---|---|
| iOS | 12.0+ | ✅ Supported |
| Android | API 21+ | ✅ Supported |
Telemetry
When enforcement blocks an app launch, the SDK logs the following events to the MobileDefender backend:
- enforce_new_triggered: Enforcement prompt displayed
- enforce_new_redirect: User tapped the update button and was redirected to the store
These events include:
- App version number
- Device model and OS version
- Timestamp of enforcement
- Environment (development/staging/production)
See Also
- LiveConfig: Prerequisite control for fetching the latest configuration
- StoreDeviceInformation: Captures app version metadata for analytics
- Configuration Update: Backend endpoint for managing version requirements