[Prev] Thread [Next]  |  [Prev] Date [Next]

[android-security-discuss] Re: Application Signature Verification Oleg Gryb Thu Feb 02 22:03:13 2012

So each time when somebody wants to connect to a new website you
suggest to check it manually, probably by googling or by cheeking an
author's background. Interesting approach, but I think, it'll hardly
work for 99% of people including myself.

The same is true about mobile apps and yes, I do care about all 180M
web sites and 500,000 android apps simply because I have no idea which
website I'll need to visit tomorrow or which app to download to my
device. At the time when I need them, most likely I won't have time to
verify anything, so I'll need to rely on somebody or something, be it
Android market or a CA.

On Jan 19, 4:40 am, Kevin Chadwick <[EMAIL PROTECTED]> wrote:
> On Wed, 18 Jan 2012 17:05:30 -0800 (PST)
> Oleg Gryb wrote:
> > There are 180M websites in the world. Do you suggest to put 180M self-
> > signed certificate to a browser? Good luck with that and with
> > implementing CRL logic around it.
> > There are 500,000 android apps, the number of publishers is probably
> > smaller, but still I would not want to deal with each and every self-
> > signed certificate trying to understand if:
> > 1. I want to trust it
> > 2. If it's associated with a malware
> > 3. If its private key has been compromised
> > Thanks, but no, I don't want to be in this business.
> I was merely explaining that your statements about self-signed were
> wrong and you seem to have misread what I said though I had been awake
> for > 36 hours when I wrote it, which was apps are different but now
> it's been brought up how many websites do you actually care about an
> assured secure connection for. On Linux app source is signed by authors
> via gpg which is more secure but less likely than using a signed repo.
> There is a major argument that EV reduces security because people see a
> green light (aside from spoofing especially with modern browsers since
> that paper), rather than checking manually and considering if they
> TRUST, perhaps googling it.
> Similar is true for Markets, more so Apples than Androids because
> they advertise that they audit it, though they can't of course.
> I'd like to see a phone still working after 500,000 apps are
> installed, they won't fit and your phone will probably have a
> saturated connection sending spam. There is no way around the fact that
> a user has to research an app with the only guarantee being checking the
> source code. There is a business there, but is it viable?? What are you
> trying to do?

You received this message because you are subscribed to the Google Groups 
"Android Security Discussions" group.
To post to this group, send email to [EMAIL PROTECTED]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at