Well, well, in fact we currently use some kind of MITM attack with our
cachebox; the only problem is that it needs the user to first download
the cachebox's certificate before downloading the cached Android package.
And the cachebox downloads the application once a day from Google Play. So
the only problem here is that the number of installations is not equal to
the number of downloads, but for us that's not a problem as we have more
precise statistics for our customer than the information displayed on the
Google Play application page.
That works; I just complain that the user needs to download a certificate
first for Android and not for iOS.
And I don't have any particular fear about an attack on the cache server, no
more and no less than for every machine on the Internet.
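The questions raised further down in this thread (how a cache tells that a package is intact, whether the metadata naming its digest can itself be trusted, and when the daily refresh is actually needed) are worth making concrete. The following is an added example and is not code from anyone in this thread or from the cachebox described above. It models the cache as a verifier that accepts a package only when an authenticated manifest names the package's SHA-256 and the downloaded bytes match it. The manifest is authenticated with an HMAC under a constructed shared key, which is an assumption of this example standing in for Android's own APK signing; the package name, key and sample bytes are all constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key shared between publisher and cache (an assumption of this
# example; Android's real mechanism is the APK signature, which this stands in for).
PUBLISHER_KEY = b"constructed-demo-key-not-a-real-secret"


def _canonical(body: dict) -> bytes:
    """Serialise the manifest body deterministically so the MAC is stable."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(package: str, version_code: int, apk: bytes,
                  key: bytes = PUBLISHER_KEY) -> dict:
    """Publisher side: digest the package and authenticate the metadata."""
    body = {"package": package, "versionCode": version_code,
            "sha256": hashlib.sha256(apk).hexdigest()}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def manifest_is_authentic(manifest: dict, key: bytes = PUBLISHER_KEY) -> bool:
    """Reject metadata that was not produced with the publisher's key."""
    expected = hmac.new(key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def cache_accepts(manifest: dict, apk: bytes, key: bytes = PUBLISHER_KEY) -> tuple:
    """Cache side: trust the package only if the metadata is authentic AND
    the bytes on disk match the digest that metadata names."""
    if not manifest_is_authentic(manifest, key):
        return False, "manifest rejected: MAC mismatch"
    digest = hashlib.sha256(apk).hexdigest()
    if not hmac.compare_digest(digest, manifest["body"]["sha256"]):
        return False, "package rejected: digest mismatch"
    return True, "accepted"


def needs_refresh(cached: dict, published: dict, key: bytes = PUBLISHER_KEY) -> bool:
    """Daily check: refresh only when an authentic manifest names a newer versionCode.
    An unauthenticated 'update' is not a reason to replace a good cache entry."""
    if not manifest_is_authentic(published, key):
        return False
    return published["body"]["versionCode"] > cached["body"]["versionCode"]


# Constructed sample data: a stand-in APK payload and a modified copy of it.
GENUINE_APK = b"PK\x03\x04constructed-apk-bytes-v7"
TAMPERED_APK = b"PK\x03\x04constructed-apk-bytes-v7-with-extra-code"
GENUINE_MANIFEST = make_manifest("com.example.app", 7, GENUINE_APK)

# Metadata rewritten to name the modified file's digest, but with the original MAC:
# without the publisher's key the MAC cannot be recomputed, so it no longer verifies.
FORGED_MANIFEST = {
    "body": dict(GENUINE_MANIFEST["body"],
                 sha256=hashlib.sha256(TAMPERED_APK).hexdigest()),
    "mac": GENUINE_MANIFEST["mac"],
}

if __name__ == "__main__":
    print(cache_accepts(GENUINE_MANIFEST, GENUINE_APK))   # (True, 'accepted')
    print(cache_accepts(GENUINE_MANIFEST, TAMPERED_APK))  # (False, 'package rejected: digest mismatch')
    print(cache_accepts(FORGED_MANIFEST, TAMPERED_APK))   # (False, 'manifest rejected: MAC mismatch')
```

The third case is the one the thread worries about: rewriting the digest alongside the package does not help, because the metadata fails authentication before the digest is even compared. A cache in front of real APKs would check the APK's own signing certificate against the expected signer instead of a shared-key MAC; the shape of the decision (authenticate the metadata first, then compare the bytes, and refresh only on an authentic newer version) is the same.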

2016-05-18 13:38 GMT+02:00 Raymond Rodgers <raym...@badlucksoft.com>:

> I can't speak for Apple's situation, but not using SSL/HTTPS leaves
> security and safety very vulnerable. What you're doing, though you seem to
> be doing it for a positive reason, is essentially a man in the middle
> attack: you're intercepting traffic, with the intent of caching the
> packages for speed purposes, but what's to stop someone else from replacing
> a particular package with a modified version that infects the downloading
> device with malware or constant advertising? While it might be difficult or
> impossible to fake the signature of the "safe" version of the package,
> the metadata telling you the correct signature could be faked as well, thus
> giving rise to an otherwise legitimate looking package. Encryption was
> developed to both keep private data private and to prevent man in the
> middle attacks. This is usually considered a good thing.
>
> Even assuming it was perfectly safe and allowed for you to cache the
> packages, there are other questions and issues to be considered: How would
> you check to see if you needed to update the cached package? How often
> would you check? How would you verify that the downloaded package isn't
> corrupt or compromised or is even the latest version? What's stopping a
> malicious attacker from compromising your server and altering or removing
> your cached applications? Do you have enough storage space for all the
> applications that your users want to download?
>
> I can't speak for what Apple is or isn't doing. I'm not an Apple developer
> and I don't own an iOS device, but I can tell you that I certainly wouldn't
> want my app or my data transmitted without encryption. Maybe the lack of
> encryption there is a design flaw, an error or oversight in code or
> configuration, a deliberate design choice for your region, or the result of
> an attack that they haven't detected yet, but given the walled nature of
> Apple's app ecosystem, I would be very surprised that they decided to just
> transmit the package over plain HTTP.
> On 05/18/2016 03:35 AM, Tourism SecondGuide wrote:
>
> I'm just surprised that Apple considers http application download secure
> enough. They usually are very sensitive to security problems.
> And anyway, https application downloading is a big problem in a lot of cases.
>
> 2016-05-17 22:12 GMT+02:00 Raymond C. Rodgers <raym...@badlucksoft.com>:
>
>> What about the device and possibly user account information that might
>> get transmitted as part of the download process? Encrypting the package
>> while leaving meta data exposed will not help keep the application,
>> device, or user account secure.
>>
>> On 5/17/2016 2:27 AM, Tourism SecondGuide wrote:
>> > A better solution would be to secure the package
>> >
>> > On Saturday, 14 May 2016 18:03:40 UTC+2, bjv wrote:
>> >
>> >     So what you are saying is that Apple is better because they enable
>> >     a MITM attack against your apps when being downloaded, perhaps
>> >     letting criminals replace your app with their modified one?
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups "Android Developers" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to android-developers+unsubscr...@googlegroups.com
>> > <mailto:android-developers+unsubscr...@googlegroups.com>.
>> > To post to this group, send email to
>> > android-developers@googlegroups.com
>> > <mailto:android-developers@googlegroups.com>.
>> > Visit this group at
>> <https://groups.google.com/group/android-developers>
>> https://groups.google.com/group/android-developers.
>> > To view this discussion on the web visit
>> >
>> https://groups.google.com/d/msgid/android-developers/392d51b7-25ac-495f-9bc4-ee43b466356e%40googlegroups.com
>> > <
>> https://groups.google.com/d/msgid/android-developers/392d51b7-25ac-495f-9bc4-ee43b466356e%40googlegroups.com?utm_medium=email&utm_source=footer
>> >.
>> > For more options, visit <https://groups.google.com/d/optout>
>> https://groups.google.com/d/optout.
>>
>
>
> --
> Raymond Rodgers
> http://www.badlucksoft.com/
> http://anevilgeni.us/
>
>
