What I mean is that if the bad actor can manipulate the apk bytes while still maintaining the same checksum, then the whole scheme is insecure -- there's no point in having it signed. A CRC32 checksum is easily spoofed -- the apk bytes need to be checksummed with a cryptographic checksum of some sort.
On Oct 8, 1:01 am, Dianne Hackborn <[email protected]> wrote:
> On Thu, Oct 7, 2010 at 6:22 PM, DanH <[email protected]> wrote:
> > So what is protecting the application from forgery?
>
> What do you mean? This is the cert it is signed with. Do you have some way
> to force the cert?
>
> --
> Dianne Hackborn
> Android framework engineer
> [email protected]
>
> Note: please don't send private questions to me, as I don't have time to
> provide private support, and so won't reply to such e-mails. All such
> questions should be posted on public forums, where I and others can see and
> answer them.
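The point raised in the message above, that a CRC32 gives no protection against deliberate modification while a cryptographic digest does, shown as an added example that is not part of the original thread. The byte strings are constructed sample data (not a real apk), and the function names `crc32_patch` and `compare_checks` are hypothetical.

```python
import hashlib
import zlib

# Constructed sample data standing in for file contents; not a real apk.
ORIGINAL = b"constructed sample payload v1: permissions=none"
MODIFIED = b"constructed sample payload v1: permissions=all!"


def crc32_patch(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes that, appended to data, make zlib.crc32 equal target_crc.

    CRC32 is affine over GF(2): flipping one bit of the 4-byte suffix always
    XORs the same 32-bit delta into the result, so the suffix is found by
    solving a 32x32 linear system with an XOR basis.
    """
    base = zlib.crc32(data + b"\x00" * 4)
    basis = {}  # highest set bit -> (crc delta, suffix bits producing it)
    for i in range(32):
        vec = zlib.crc32(data + (1 << i).to_bytes(4, "little")) ^ base
        combo = 1 << i
        while vec:
            top = vec.bit_length() - 1
            if top not in basis:
                basis[top] = (vec, combo)
                break
            vec ^= basis[top][0]
            combo ^= basis[top][1]
    want, patch = target_crc ^ base, 0
    while want:  # eliminate the remaining difference bit by bit
        bvec, bcombo = basis[want.bit_length() - 1]
        want ^= bvec
        patch ^= bcombo
    return patch.to_bytes(4, "little")


def compare_checks(original: bytes, modified: bytes) -> dict:
    """Compare CRC32 and SHA-256 verdicts on a modified, CRC-adjusted copy."""
    tampered = modified + crc32_patch(modified, zlib.crc32(original))
    return {
        "tampered": tampered,
        "crc32_match": zlib.crc32(tampered) == zlib.crc32(original),
        "sha256_match": hashlib.sha256(tampered).digest()
        == hashlib.sha256(original).digest(),
    }


if __name__ == "__main__":
    result = compare_checks(ORIGINAL, MODIFIED)
    print("CRC32 accepts modified data:", result["crc32_match"])
    print("SHA-256 accepts modified data:", result["sha256_match"])
```

A verifier that compares only CRC32 values accepts the modified bytes; one that compares SHA-256 digests rejects them.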

