Loading...

android-security-discuss@googlegroups.com

[Prev] Thread [Next]  |  [Prev] Date [Next]

[android-security-discuss] Re: Application Signature Verification Oleg Gryb Thu Feb 02 22:02:48 2012

> You don't trust a signer, you trust an author/source with best practice
> being checking and building apps from source and self-signing an app or
> checksum with your own offline key. Trust no-one especially not big
> companies that do fsck all and have employees that use their date of
> birth as their password for everything and can be a stepping stone
> (RSA, Google, CAs, dumb sh*t (easily avoided), but there you go).
>
> Self signed is not a questionable practice, you just have to verify the
> apps particular key is safe, this is far more secure. What are you
> trying to do, something GENERIC rather than specific?
>

There are 180M websites in the world. Do you suggest to put 180M self-
signed certificate to a browser? Good luck with that and with
implementing CRL logic around it.
There are 500,000 android apps, the number of publishers is probably
smaller, but still I would not want to deal with each and every self-
signed certificate trying to understand if:

1. I want to trust it
2. If it's associated with a malware
3. If its private key has been compromised

Thanks, but no, I don't want to be in this business.

-- 
You received this message because you are subscribed to the Google Groups 
"Android Security Discussions" group.
To post to this group, send email to [EMAIL PROTECTED]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/android-security-discuss?hl=en.