
Re: [android-security-discuss] Re: Application Signature Verification Kevin Chadwick Thu Feb 02 22:03:25 2012

On Thu, 19 Jan 2012 15:32:49 -0800
Subbu Srinivasan wrote:

>> No-This cannot be manual.   We need a reputation mechanism built into
>> android mkt place, the android installer would check against this and
>> suggest any course of action.

>"social web of trust". brilliant idea, actually.

That's the best for the General Public and gpg is perfect for that when
streamlined for the purpose (Arch Linux have just started signing
their packages with it) but with things to bear in mind.

An app may seem fine, the malware may wait until a specific date or 6
months after install or likely be undetectable to the average or even
advanced user. Credit card data theft is often used 6 months later to
make it harder to find the source of the problem and maybe collect extra
credit cards.

The ultimate trust award would be Source code verified but if you
didn't build it, then it could still be dodgy.

I guess source code verified and built by Google would be top notch
trust rating as long as you trust Google of course, many don't, it
seems. Google is odd, it has some brilliant virtues and ethos but is
also an advertiser with broad brush statements from the top not helping.

Google's self-signed cert in the market app could be used to verify that
the verified by Google binary blob did come from Google.

This would promote open source but unfortunately may affect android as
ignorance is bliss and most apps are not open source.

Maybe Google could attribute source to a user and an app that is too
similar in code terms be rejected from the ring of trust? If do-able
maybe that would be best for users and developers??

One ring to rule them all and in the darkness bind them!

Kevin Chadwick
