
android-security-discuss@googlegroups.com


[android-security-discuss] Re: Application Signature Verification Oleg Gryb Thu Feb 02 22:02:40 2012

I think there is a reason why a commercial CA wouldn't do that and this
reason is even more valid if you think about the number of small
companies that write apps for Android and don't use HSMs or other
serious controls to protect their private keys. The probability of
private key compromise is very high in those environments. I'm not
sure how this problem is addressed in the Android world. Do they honor
any CRLs? Any links are appreciated and thank you for answering: I
understand now that what I wanted to do is probably not possible and I
still need to digest those rather unusual policies related to
self-signed certs.

On Jan 17, 11:43 am, Jeff <[EMAIL PROTECTED]> wrote:
> So...the certificate *kinda* needs to be self-signed, at least if
> you're going to include your app in the Market. From the requirements
> doc (http://developer.android.com/guide/publishing/app-signing.html#releasemode),
> the signing certificate must...
>
> "Has a validity period that exceeds the expected lifespan of the
> application or application suite. A validity period of more than 25
> years is recommended. If you plan to publish your application(s) on
> Android Market, note that a validity period ending after 22 October
> 2033 is a requirement. You can not upload an application if it is
> signed with a key whose validity expires before that date."
>
> I do not know of any commercial CA that would issue you a certificate
> with that long of a validity period, so you're kinda left with
> self-signed at this point.
>
> On Jan 17, 1:08 pm, Oleg Gryb <[EMAIL PROTECTED]> wrote:
>
> > If a cert must be self-signed as Brian has mentioned, then I don't
> > think that I can do much except storing all public keys for all
> > trusted parties. If the same party uses more than one key then I would
> > need to store all of them and this is what I was trying to avoid,
> > apparently with no luck so far.
>
> > To your point about the necessity of a CA, please check my answer to Brian.
> > While I do have a strong opinion about it in the Enterprise and traditional
> > web app world (i.e. self-signed certs should not be used in prod), I
> > don't have such a strong opinion in the mobile world yet, except that
> > it does create the inconvenience that I've described above (need to store
> > all public keys for the same party).
>
> > On Jan 17, 3:36 am, Kevin Chadwick <[EMAIL PROTECTED]> wrote:
>
> > > On Mon, 16 Jan 2012 20:31:20 -0800
>
> > > Brian Carlstrom wrote:
> > > > On Sat, Jan 14, 2012 at 8:30 AM, Oleg Gryb <[EMAIL PROTECTED]> wrote:
>
> > > > > Is there any way to verify an Android application signature's
> > > > > signer? By this I mean that I need to check if an application was
> > > > > signed by an organization that I trust and that all public
> > > > > certificates in the chain representing this organization are valid.
>
> > > > No, applications are signed by self-signed certificates, not utilizing
> > > > certificate chains with public CAs as roots.
>
> > > > -bri
>
> > > And if you think about it, checking the author's signature is more
> > > secure because unless the third party verifies the code, which is often
> > > closed source, then all you would be achieving is increasing the attack
> > > surface by including the CA as well as the author's systems (source). No
> > > matter what you do you *MUST* verify and trust the author.
>
> > > Apple's method of preventing the obvious is questionable at best and may
> > > lead to a false sense of security and likely has more to do with Apple's
> > > want for Control which is probably why they have less market share than
> > > they should with a better OS than Windows as the hardware was
> > > Controlled, like Sony Phones until recently.
>
> > > --
> > > Kc
