On Apr 5, 6:09 pm, Bob Kerns <[email protected]> wrote:
> Hashcode would not be secure. That is, you can construct an alternate
> app+signature that would produce the same hash code. That may be good
> enough for you, but I would discourage such a technique. However, you
> could construct a secure SHA-1 hash of the value!

The problem is that every other application can also read this signature and produce a hash out of it...

> Unfortunately, the contract given for PackageManager does not even
> guarantee that you'd get the same 979-character string consistently,
> even for the same version of the same application. I'd be quite
> surprised if you didn't. A more relevant question is if you get the
> same value for two different versions of your app. If they include the
> hash portion of the signature, and its encrypted counterpart, then the
> answer is no.

I checked - it was the same. Otherwise the market app/installer would be unable to check whether you are upgrading an existing application.

> or user, yes, but application, no. Nothing in a .apk can be regarded
> as secret.

...

It would be a cool feature request for Android.
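An added example, not part of the original thread, illustrating the quoted point about a hash code versus a cryptographic digest of the signature. It assumes the hash code is computed the way `java.util.Arrays.hashCode` works over the signature bytes, uses a constructed byte string in place of a real signature, and uses SHA-256 rather than the SHA-1 named in the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class SignatureDigestDemo {
    // Constructed stand-in for the signature bytes; not a real certificate.
    static final byte[] SAMPLE =
        "constructed-sample-signing-certificate".getBytes(StandardCharsets.US_ASCII);

    // Returns different bytes with the same Arrays.hashCode value.
    // Arrays.hashCode folds each byte in as h = 31*h + b, so raising the
    // second-to-last byte by 1 and lowering the last by 31 cancels out.
    static byte[] collidingVariant(byte[] original) {
        int n = original.length;
        if (n < 2 || original[n - 2] == Byte.MAX_VALUE
                || original[n - 1] < Byte.MIN_VALUE + 31) {
            throw new IllegalArgumentException("last two bytes would overflow");
        }
        byte[] copy = original.clone();
        copy[n - 2] += 1;
        copy[n - 1] -= 31;
        return copy;
    }

    static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] other = collidingVariant(SAMPLE);
        System.out.println("bytes equal:     " + Arrays.equals(SAMPLE, other));
        System.out.println("hashCode equal:  "
            + (Arrays.hashCode(SAMPLE) == Arrays.hashCode(other)));
        // The 256-bit digest separates the two inputs the 32-bit hash confuses.
        System.out.println("SHA-256 a: " + sha256Hex(SAMPLE));
        System.out.println("SHA-256 b: " + sha256Hex(other));
        // The digest is an identifier, not a secret: any app that can read
        // the same signature bytes can compute the same value.
    }
}
```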

