On 14 March 2011 12:22, DanH <[email protected]> wrote:
> Why "stupid"?

I wondered if "stupid" is not too strong, but after a thought - no, it
is not "silly", nor "unwise". It's "stupid". If you embed the pkey in the
app it's like you publish it widely. What's the point of your encryption
then? And by doing so, you show you most likely have no clue of what
you are doing nor any basic knowledge of the crypto you are going to use.
Publishing the pkey kills the whole encryption as anyone can decode your data
after the pkey is obtained and, what's even worse, prepare new encrypted
data and you won't be able to tell whether it's legitimate or not. Therefore
in the above scenario pkey based encryption is pointless. Any symmetric
cipher would do that much easier and the data will be equally "safe".

>  A private key scheme isn't secure unless you use a public key exchange to 
> pass the private key.

That's correct, but if you want it automated then you have to embed the
password too. Also, since the pkey is private, adding it to raw assets is
also of no benefit. Assuming embedding the pkey makes any sense (which it
does not), then you just shoot yourself in the head twice - you released
the pkey for all the data encrypted by the app and you released the pkey for the app
itself. Anyone with some spare time can now create a fake app and sign it
with your key and if good social skills are used some people would
install it as an upgrade. So they are now compromised and you failed
again :)
-- 
Regards,
Marcin Orlowski

Tray Agenda - http://bit.ly/trayagenda
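A release-time check for the mistake discussed in this thread, added here as an example and not code from the list or its posters: it treats an APK as the zip archive it is and flags any shipped entry (assets, res/raw, anything) that carries a PEM private key or a JKS keystore. The sample package and the "key" inside it are constructed placeholders; the entry names are assumptions.

```python
import io
import re
import zipfile

# Markers for key material that should never ship inside an app package.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")
JKS_MAGIC = b"\xfe\xed\xfe\xed"  # header of a Java KeyStore (JKS) file


def scan_apk(apk_bytes: bytes) -> list[tuple[str, str]]:
    """Return (entry name, finding) for every APK entry holding private key material.

    An APK is a plain zip archive; assets/ and res/raw/ are packaged verbatim,
    so anything placed there is readable by anyone who unzips the package.
    An ENCRYPTED PRIVATE KEY is flagged too: automating its use means
    shipping the passphrase next to it.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            content = apk.read(info.filename)
            if content.startswith(JKS_MAGIC):
                findings.append((info.filename, "JKS keystore"))
            elif PEM_PRIVATE_KEY.search(content):
                findings.append((info.filename, "PEM private key"))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample package for the demo: not a real app and not a real key."""
    fake_pem = (
        b"-----BEGIN RSA PRIVATE KEY-----\n"
        b"Tm90QVJlYWxLZXlKdXN0QVBsYWNlaG9sZGVy\n"  # placeholder body, not key material
        b"-----END RSA PRIVATE KEY-----\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("assets/server_key.pem", fake_pem)
        apk.writestr("res/raw/release.jks", JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 16)
        apk.writestr("assets/strings.txt", b"nothing secret here")
    return buf.getvalue()


if __name__ == "__main__":
    for name, what in scan_apk(build_sample_apk()):
        print(f"{name}: {what}")
```

Run it against the real build output instead of the sample to fail the release when any finding comes back.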
