Gavin Bong wrote:
> I'm interested in the signature field in AndroidManifest. Is that
> signature meant to represent a digital signature of app?
As the documentation states: "Temporary package attribute assigning a signature to the package. This will be removed once real support for package signing is implemented." So, I wouldn't count on that specific attribute being around.

> Assuming that's the case; I foresee that I will need to:-
>
> a) embed the public key of the author of the app in my server.apk
> b) verify the digsig during the first call. Subsequent calls will not
> need re-verification.
>
> Is this doable?

I am not Bruce Schneier, nor do I play him on TV. I don't claim to be a security expert. That being said...

Unless you are passing around some sort of request token, I don't know how you will be able to identify "subsequent calls" as being from the same caller as a previous one. And, if you *are* passing some sort of caller token with each call, impersonation is merely a matter of intercepting and reusing said token.

Even if you check the digital signature on each call, assuming the signature is of some packaging of the call's parameters, you are still subject to a replay attack.

Now, replay attacks probably require hacking into Android's internals, which will take some effort on the part of the attacker. A determined person will break it anyway, if they can get their hands on your client APK. I suspect Dalvik bytecodes can be decompiled, even if there isn't necessarily a decompiler available at present. Then, it's just a matter of figuring out where your private key is stored. If the client application can sign things, somebody with the APK can, in theory, learn everything that is needed to sign things as well.

So the question you need to ask yourself is: will the amount of security gained from going through this be worth the effort?

Note that this isn't an Android issue per se. You would encounter similar problems confirming that a client executable is "authorized" in any sort of client-server or IPC/RPC mechanism.
It's not to say that it's impossible, but it's not likely to be very easy if you want assurances of absolute security. If "probably secure" is good enough, your digital signature mechanism may well work.

Just my two cents' worth on the topic...

--
Mark Murphy (a Commons Guy)
http://commonsware.com
_The Busy Coder's Guide to Android Development_ -- Available Now!
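To illustrate the replay point raised above, here is an added example (not code from the thread) of per-call signing where the server checks the signature over the parameters plus a nonce and timestamp, then rejects stale or repeated requests. An HMAC with a constructed shared key stands in for the public-key signature the thread discusses, and the 300-second freshness window is an assumption.

```python
import hmac
import hashlib
import json
import time
import secrets

# Constructed demo key standing in for the author's signing key.
# HMAC is used only so the example runs with the standard library.
KEY = b"constructed-demo-key"


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so client and server hash the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(params: dict, key: bytes = KEY, now=None) -> dict:
    """Client side: sign the parameters together with a timestamp and nonce."""
    body = dict(params)
    body["ts"] = int(now if now is not None else time.time())
    body["nonce"] = secrets.token_hex(8)
    body["sig"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class Verifier:
    """Server side: verify the signature, then enforce freshness and uniqueness."""

    def __init__(self, key: bytes = KEY, window: int = 300):
        self.key, self.window, self.seen = key, window, {}  # nonce -> ts

    def verify(self, msg: dict, now=None) -> bool:
        now = now if now is not None else time.time()
        body = {k: v for k, v in msg.items() if k != "sig"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("sig", "")):
            return False  # tampered parameters or wrong key
        if abs(now - body["ts"]) > self.window:
            return False  # stale request (or badly skewed clock)
        # Drop expired nonces, then reject any nonce already seen in the window.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if body["nonce"] in self.seen:
            return False  # replay of a captured request
        self.seen[body["nonce"]] = body["ts"]
        return True
```

This bounds replay of a captured request; it does nothing against someone who has extracted the signing key from the client APK, which is the thread's larger point.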

