On Tue, Jul 27, 2010 at 11:42 AM, Raymond C. Rodgers <
[email protected]> wrote:

> On 7/27/2010 2:31 PM, Shane Isbell wrote:
>
>> The implementation that Google offers also embeds code, which is
>> inherently insecure but the docs also say: "For example, a copy-protected
>> application cannot be downloaded from Market to a device that provides root
>> access." This would limit the ability of people to pull the application
>> off of a rooted device. Is it possible for third-parties to detect if it is
>> a rooted device?
>>
> I'm not sure that this is inherently insecure. Yes, it does use libraries
> and a public key that will be embedded in the application, but public keys
> are designed to be shared. All the client side is doing is verifying
> information encrypted with the private key which isn't accessible, and
> providing that information to the application for it to manage as the
> developer decides. I may not have my security "A" game going today, but that
> sounds reasonably secure to me. The private key isn't even made available to
> the developer as I understand it, so the developer doesn't really have the
> option of shooting themselves in the foot with it.


In many ways, it's more secure to have the code embedded in the application
(which is why we designed the library this way).

If the license check was performed solely by the OS, an attacker could just
use a modified firmware image to bypass the checks for all applications on
the system.

-- 
Trevor Johns
Google Developer Programs, Android
http://developer.android.com
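
The check discussed in this thread is a signature verification against a public key embedded in the application. The following is an added example, not code from the thread or from Google's licensing library; the response format, the `SHA256withRSA` algorithm choice and all names are assumptions, and the key pair generated in `main` stands in for a server-held key.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class LicenseCheckDemo {
    // Client side: everything in this method ships inside the application.
    static boolean verify(String embeddedPublicKeyB64, String signedData, String signatureB64)
            throws GeneralSecurityException {
        byte[] der = Base64.getDecoder().decode(embeddedPublicKeyB64);
        PublicKey key = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update(signedData.getBytes(StandardCharsets.UTF_8));
        try {
            return sig.verify(Base64.getDecoder().decode(signatureB64));
        } catch (SignatureException | IllegalArgumentException malformed) {
            return false; // a malformed signature is treated as an invalid one
        }
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for the licensing server: the private key exists only here.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair server = gen.generateKeyPair();
        // Constructed sample response in a hypothetical format.
        String response = "LICENSED|com.example.app|user-1234";
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(server.getPrivate());
        signer.update(response.getBytes(StandardCharsets.UTF_8));
        String signature = Base64.getEncoder().encodeToString(signer.sign());

        // What the developer embeds in the app: the public half only.
        String embedded = Base64.getEncoder().encodeToString(server.getPublic().getEncoded());

        System.out.println("genuine response:  " + verify(embedded, response, signature));
        // A response edited on the device no longer matches its signature.
        String edited = response.replace("user-1234", "user-9999");
        System.out.println("edited response:   " + verify(embedded, edited, signature));
        // A signature not produced with the private key does not verify.
        String junk = Base64.getEncoder().encodeToString(new byte[256]);
        System.out.println("made-up signature: " + verify(embedded, response, junk));
    }
}
```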
