-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 So its just for ensuring upgradeability? does the certificate information has any impact on google play?
On 2013-05-10 16:23, Brian Carlstrom wrote: > The certs are self signed, not issued by a public authority. They > are used to validate on upgrade that the new apk came from the same > source as the old apk. given that, the subject/issuer information > isn't relevant, just the public key in the certificate. > > -bri > > On Fri, May 10, 2013 at 2:11 AM, Sebastian Bachmann > <m...@free-minds.net> wrote: >> But is there any enforcement of the signature policy in >> practise? i dont know if signatures are in any time validated up >> its chain? You can not install apps that are not signed, but is >> there a check for known bad signatures? >> >> and if a developer is blocked by his sigtnature, he can easily >> generate a new one. i see many apps that have this kind of >> signature: >> >> Issuer: C=US, L=, S=, O=Android, OU=, CN=Android Debug, E= >> Subject: C=US, L=, S=, O=Android, OU=, CN=Android Debug, E= >> >> so there are many people that dont even care about the >> signature... >> >> >> On Thu, 9 May 2013 19:06:46 -0400, Jeffrey Walton >> <noloa...@gmail.com> wrote: >>> On Thu, May 9, 2013 at 3:37 PM, Keith Makan >>> <k3170ma...@gmail.com> >> wrote: >>>> At the moment I'm writing a bunch of white papers on android >>>> security. As a result I've been trying to hunt down some >>>> academic style papers on Android's Application Signing >>>> mechanism, I have some high level understanding of how things >>>> work---you know the whole .jar signing, public key, >>>> cryptographic hash story---but I need a good set of academic >>>> papers on the subject to reference. >>> Well, one of the earliest papers that I know on Semantic >>> Authentication is by Wagner and Scheier. "Analysis of the SSL >>> 3.0 protocol," www.schneier.com/paper-ssl.pdf, 1996. >>> >>> Semantic Authentication (a.k.a the Horton Principal from >>> 'Horton Hears a Who') states to authenticate what was meant, >>> and not what was said. In the case of SSL encryption, that mean >>> one should authenticate both the plaintext and padding (what >>> was meant); and not just the plain text (what was said). >>> Padding oracles FTW? >>> >>> In the case of Android code signing, it would be APK + >>> Alignment (what was meant), and not select pieces of the >>> components of an APK (what was said). As a practical example of >>> the issue, consider a signature based scanner. Because the bad >>> guy can arbitrarily change alignment, he/she can produce >>> different thumbprints for the same APK. So an APK with align=4 >>> may trigger the tripwire, but align=8 would pass unmolested. >>> >>> Nikolay Elenkov just wrote an *excellent* blog entry on Android >>> Code Signing. See >>> >> http://nelenkov.blogspot.com/2013/05/code-signing-in-androids-security-model.html. >>> >>> >> For the academic treatments, Google is your friend: >>> http://scholar.google.com/scholar?q=android+code+signing. >>> >>> Jeff >> >> -- You received this message because you are subscribed to the >> Google Groups "Android Security Discussions" group. To >> unsubscribe from this group and stop receiving emails from it, >> send an email to >> android-security-discuss+unsubscr...@googlegroups.com. To post to >> this group, send email to >> android-security-discuss@googlegroups.com. Visit this group at >> http://groups.google.com/group/android-security-discuss?hl=en. >> For more options, visit >> https://groups.google.com/groups/opt_out. >> >> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJRjQV1AAoJEAhgHfpCPcybvrAIAISuZJkD7v2eDyNP5XOexzcw 1OO5HKSHy3QlvcaxLEz3ghe8sWxofB/QF5ugw5w537gcQH7AJ4YSFFCxLhPGbEmo 0LEVHKvg+ti2gcWv6Hk20tB/nkIXB/itDFSdaAyLfF+RAIPd7wUbWKROqZNmA3ys UWNlb1MTURelPQYqmrlIWrAO4x80ISbFkUKJmnvk92NrsfeBAQNx/aPrpvB+n6PC vA1OzX6IfZgb99JjmtYGWLqJlXNk0PfvWjhl3qntmK9+KujByQmFEiaMpvx5+Utl vLiOUJd5BQOtihqyMqdwSnC2x2WZjRDI6mX1z4xlOzRNv4cuBoSFmPQCbYRAv5Q= =2hEO -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+unsubscr...@googlegroups.com. To post to this group, send email to android-security-discuss@googlegroups.com. Visit this group at http://groups.google.com/group/android-security-discuss?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
