Jackkk wrote:
> I was wondering about some real world issues about commercial
> applications:
I don't know, but I'm going to have to do something similar, evil though it may be.

In general, though, what you want is impossible: the phone has to be able to decrypt the data in order to use it, which means that the decryption key needs to be known to the phone, which means the user can get at it. All we can do is make it hard or inconvenient to get at the key.

What I'm doing is not encrypting the data but signing it, which is a much easier problem --- I don't care about the user being able to copy the data, I only care about the user *using* that data on another device. For that, a signature based on our private key and the phone's IMEI will do. Our app checks the signature every time it starts up which verifies that the data is authorised for use by that phone, and verifies that nobody's tampered with it.

If you want a full-scale encryption system... um, hard. Are you willing to download the key every time the application is used, over the 'net? That way you don't have to store it on the phone.

--
┌─── dg@cowlark.com ───── http://www.cowlark.com ─────
│ "I have always wished for my computer to be as easy to use as my
│ telephone; my wish has come true because I can no longer figure out
│ how to use my telephone." --- Bjarne Stroustrup
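The IMEI-bound signature check described in the message above, as an added example that is not part of the original post or the poster's code. The choice of Ed25519, the message layout, the key seed, the IMEIs and the payload are all assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// signedMessage binds the content to one device. The label and the SHA-256
// digest are fixed-length, so the variable-length IMEI that follows them
// cannot be confused with part of the data.
func signedMessage(imei string, data []byte) []byte {
	digest := sha256.Sum256(data)
	msg := []byte("licence-v1\x00") // constructed domain-separation label
	msg = append(msg, digest[:]...)
	return append(msg, imei...)
}

// Sign runs on the vendor's server only; the private key never ships.
func Sign(priv ed25519.PrivateKey, imei string, data []byte) []byte {
	return ed25519.Sign(priv, signedMessage(imei, data))
}

// Verify runs in the app at start-up, using the public key embedded in the
// app and the IMEI read from the device it is running on.
func Verify(pub ed25519.PublicKey, deviceIMEI string, data, sig []byte) bool {
	return ed25519.Verify(pub, signedMessage(deviceIMEI, data), sig)
}

// Demo uses a constructed key pair, constructed IMEIs and a constructed payload.
func Demo() (ok, otherPhone, tampered bool) {
	seed := sha256.Sum256([]byte("constructed demo seed, not a real key"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	pub := priv.Public().(ed25519.PublicKey)
	data := []byte("level-pack-1 contents")
	sig := Sign(priv, "000000000000001", data)

	ok = Verify(pub, "000000000000001", data, sig)                   // licensed phone
	otherPhone = Verify(pub, "000000000000002", data, sig)           // data copied elsewhere
	tampered = Verify(pub, "000000000000001", append(data, '!'), sig) // modified data
	return
}

func main() {
	fmt.Println(Demo())
}
```

The public key embedded in the app can verify signatures but not create them, so extracting it from the phone does not allow issuing data for another IMEI.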

