Loading...

android-security-discuss@googlegroups.com

[Prev] Thread [Next]  |  [Prev] Date [Next]

[android-security-discuss] Re: Application Signature Verification Oleg Gryb Thu Feb 02 22:03:17 2012

You're absolutely right, there is no any reason to discuss that. It
just some opinions were rather unusual in my view and I wanted to
understand why. I should admit that still don't have an answer for
that "why" question.

Anyway, what I really want to know is the answer for a) on David's
list:

1. Can I publish an app on Android market if it's signed with a non
self-signed cert?

Brian, if you're still around, please take a look. I think you said
no, but then David mentioned that it's probably not correct. I know
that traditional Java jarsigner is used to sign apk files, so I should
not have problems with that, but what about publishing on Android
market?

There is a sign that it might work: PackageManager returns an array of
certificates, not just a single one, in the call that I've mentioned
before. It makes me think that it might understand chains.

pm.getPackageInfo(info.packageName,PackageManager.GET_SIGNATURES).signatures
<--- this is an array of certificates.

Thanks.


On Jan 19, 9:16 am, Subbu Srinivasan <[EMAIL PROTECTED]> wrote:
> Not sure why we are debating self signed vs signed by CA. PKI is modelled
> after real world procecees (Try printing your own ID card against a govt
> issued one).
> There is a reason why well used apps (like browser) warns users about
> certificates that it cannot trust. Sure it does not eliminate problems like
> malware etc, but makes the
> problem more manageable. Perhaps a app validating mechanism coupled by a
> community driven reputation score would help,.
>
> PKI has both strengths and weaknesses, the weakness being that end users
> sometime do not understand how the mechanism works and end up blindly
> accepting SSL connections.
>
> On Thu, Jan 19, 2012 at 4:40 AM, Kevin Chadwick <[EMAIL PROTECTED]>wrote:
>
>
>
>
>
>
>
> > On Wed, 18 Jan 2012 17:05:30 -0800 (PST)
> > Oleg Gryb wrote:
>
> > > There are 180M websites in the world. Do you suggest to put 180M self-
> > > signed certificate to a browser? Good luck with that and with
> > > implementing CRL logic around it.
> > > There are 500,000 android apps, the number of publishers is probably
> > > smaller, but still I would not want to deal with each and every self-
> > > signed certificate trying to understand if:
>
> > > 1. I want to trust it
> > > 2. If it's associated with a malware
> > > 3. If its private key has been compromised
>
> > > Thanks, but no, I don't want to be in this business.
>
> > I was merely explaining that your statements about self-signed were
> > wrong and you seem to have misread what I said though I had been awake
> > for > 36 hours when I wrote it, which was apps are different but now
> > it's been brought up how many websites do you actually care about an
> > assured secure connection for. On Linux app source is signed by authors
> > via gpg which is more secure but less likely than using a signed repo.
>
> > There is a major argument that EV reduces security because people see a
> > green light (aside from spoofing especially with modern browsers since
> > that paper), rather than checking manually and considering if they
> > TRUST, perhaps googling it.
>
> > Similar is true for Markets, more so Apples than Androids because
> > they advertise that they audit it, though they can't of course.
>
> > I'd like to see a phone still working after 500,000 apps are
> > installed, they won't fit and your phone will probably have a
> > saturated connection sending spam. There is no way around the fact that
> > a user has to research an app with the only guarantee being checking the
> > source code. There is a business there, but is it viable?? What are you
> > trying to do?
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Android Security Discussions" group.
> > To post to this group, send email to
> > [EMAIL PROTECTED]
> > To unsubscribe from this group, send email to
> > [EMAIL PROTECTED]
> > For more options, visit this group at
> >http://groups.google.com/group/android-security-discuss?hl=en.

-- 
You received this message because you are subscribed to the Google Groups 
"Android Security Discussions" group.
To post to this group, send email to [EMAIL PROTECTED]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/android-security-discuss?hl=en.