QuickPatch is an over-the-air (OTA) code-push platform for Flutter apps. It lets you push Dart code changes - bug fixes, UI tweaks, logic updates - directly to users' Android and iOS devices in seconds, without shipping a new build through the App Store or Google Play review process.

How does Flutter code push work with QuickPatch?

You ship your app to the stores once with the QuickPatch engine bundled in. After that, you change your Dart code, run `quickpatch patch`, and upload a small diff targeting that exact release. Apps fetch the patch on launch and apply it on the next launch - no reinstall and no store review.

Does QuickPatch work on both Android and iOS?

Yes. QuickPatch supports both Android and iOS with a single workflow. The same patch command and dashboard manage over-the-air updates for both platforms.

Is pushing code updates over the air allowed by the App Store?

QuickPatch is designed for pushing Dart code fixes and improvements to your existing app's functionality, which is a common and accepted practice for code-push tools. It does not change your app's core purpose. You should always follow Apple and Google's current developer guidelines for over-the-air updates.

How much does QuickPatch cost?

QuickPatch has a free plan with 4,000 patch installs per month. Paid plans start at $19/month (Pro, 60,000 installs) and $200/month (Business, 1,000,000 installs), with usage-based overage and custom Enterprise pricing. Apps, releases, and patches are unlimited on every plan - you're only metered on patch installs.

Is QuickPatch a Shorebird alternative?

Yes. QuickPatch is a fully-managed Flutter code-push service that offers the same core capability - over-the-air Dart updates for Android and iOS - with simpler usage-based pricing, signed patches with key rotation, and instant rollback.

Can I roll back a bad patch?

Yes. Every patch can be paused or instantly rolled back from the dashboard. You can also stage rollouts - release to 10% of users first, watch install metrics, then ramp to 100% or stop.

Are QuickPatch updates safe?

Patches are cryptographically signed and verified against the exact release they target before they are applied, and signing keys can be rotated. A patch that doesn't verify is never applied, and you can pause or roll back at any time.

All articles

Security·Jun 4, 2026·2 min read

Signed Patches and Key Rotation: Securing Flutter OTA Updates

Why signing matters for over-the-air Flutter updates. How signed patches and signing-key rotation keep code push secure without breaking already-installed apps.

Pushing code to devices over the air is powerful, which means it has to be secure. If anyone could deliver a patch to your users, OTA would be a liability. Signed patches and key rotation are what make code push trustworthy.

What signing guarantees

Each patch is cryptographically signed before it leaves your control. On the device, the engine verifies that signature and confirms the patch matches the exact release it targets. A patch that fails either check is never applied. In practice this means only code you signed can run on your users' devices.

Why key rotation matters

Signing keys sometimes need to change - a routine security practice, or a response to a suspected exposure. The hard part is doing it without bricking apps that already trust the old key. QuickPatch supports rotation so that already-installed apps continue to accept valid patches through the transition.

How rotation stays safe

Apps can trust more than one key during a transition window.
A patch signed with the new key applies cleanly on devices that trust it.
The old key can be retired once the new one is established.

Fail-closed by default

The correct default for a security check is to reject when verification fails, never to wave a patch through. QuickPatch enforces signature verification so an unverified or mismatched patch is discarded rather than applied.

If a patch does not verify against the release it targets and a trusted key, it does not run. Full stop.

Signing is one layer of the broader safety story that also includes staged rollouts and instant rollback - see Staged Rollouts and Instant Rollback.

Ship your next Flutter fix over the air

QuickPatch is a fully-managed over-the-air code-push service for Flutter. Push Dart bug fixes to Android and iOS in seconds, with staged rollouts, instant rollback, and signed patches. Start on the free plan, read the documentation, or see the apps already shipping with QuickPatch.

SecuritySigningFlutter OTA