On 7/27/2010 2:31 PM, Shane Isbell wrote:
The implementation that Google offers also embeds code, which is
inherently insecure but the docs also says: "For example, a
copy-protected application cannot be downloaded from Market to a
device that provides root access" This would limit the ability of
people to pull off the application off of a rooted device. Is it
possible for third-parties to detect if it is a rooted device?
I'm not sure that this is inherently insecure. Yes, it does use
libraries and a public key that will be embedded in the application, but
public keys are designed to be shared. All the client side is doing is
verifying information encrypted with the private key which isn't
accessible, and providing that information to the application for it to
manage as the developer decides. I may not have my security "A" game
going today, but that sounds reasonably secure to me. The private key
isn't even made available to the developer as I understand it, so the
developer doesn't really have the option of shooting themselves in the
foot with it.
As for detecting rooted devices... I have no idea. :-)
Raymond
--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
