The silence in the thread scares me. Does anyone knowledgeable have an answer to Tote's question?
Is the totality of Android API protection based solely on the idea that self-signing out of self-generated certificates is trustworthy? No chain of trust? No identity escrow? No skin in the game of any sort whatsoever to be able to track down the originator of a rogue app? No validation that someone with bad intentions isn't self-signing an innocuous-looking application that gets on the marketplace but that triggers bad behavior after it's been widely installed? Please tell me that the effectiveness of Android's API security model isn't purely based on crowdsourcing and user-generated feedback...

-jfr

Dave,

Thanks for the exhaustive answer, and I naturally appreciate Google's decision in working out this security model. Nevertheless, you seemed not to answer one of the important questions I also asked:

"Another question is that if any developer can sign their apps freely without any consequences (I mean there's no accountability on self-signed certificates), what will really prevent malware from spreading?"

That is, if I were a malware author it wouldn't give me too much headache to change my self-signed certificates frequently - and I don't want to update my previous app, either. What is Google's approach to this problem?

Thanks,
Tote

On Feb 5, 3:02 am, Dave Bort <[email protected]> wrote:
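To make concrete what the self-signed certificate does and does not buy in the model Tote is asking about, here is an added example (not code from the thread or from Android itself) that models the installer's rule: a package's identity is the set of signer certificates recorded at install time, compared byte-for-byte, with no chain of trust, subject-name check, or revocation. An update is accepted only from the same certificates, and a signature-level permission is granted only to a package signed with the certificates of the package that declares it. The "certificates" are constructed byte strings standing in for DER encodings; class and function names are my own.

```python
"""Model of Android's certificate-as-identity rule (added example, not Android's own code)."""
import hashlib
from dataclasses import dataclass


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes: the only identity the installer keeps."""
    return hashlib.sha256(cert_der).hexdigest()


def signer_identity(signers: frozenset) -> frozenset:
    """Identity of a signer set is the set of certificate fingerprints, nothing more."""
    return frozenset(cert_fingerprint(c) for c in signers)


@dataclass(frozen=True)
class Apk:
    package: str
    version_code: int
    signers: frozenset                   # DER blobs of the signing certificates
    declares: frozenset = frozenset()    # signature-level permissions this APK defines
    uses: frozenset = frozenset()        # permissions this APK requests


class PackageManagerModel:
    """Simplified installer: no CA, no subject-name check, no revocation."""

    def __init__(self) -> None:
        self.installed: dict = {}

    def install(self, apk: Apk) -> str:
        existing = self.installed.get(apk.package)
        if existing is None:
            # First install: any self-signed certificate is accepted as-is.
            self.installed[apk.package] = apk
            return "INSTALLED"
        # Update path: the signer set must be identical to the recorded one.
        if signer_identity(existing.signers) != signer_identity(apk.signers):
            return "INSTALL_FAILED_UPDATE_INCOMPATIBLE"
        if apk.version_code <= existing.version_code:
            return "INSTALL_FAILED_VERSION_DOWNGRADE"
        self.installed[apk.package] = apk
        return "UPDATED"

    def granted(self, package: str, permission: str) -> bool:
        """Signature-level permission: granted iff requester shares the declarer's certs."""
        requester = self.installed[package]
        if permission not in requester.uses:
            return False
        for other in self.installed.values():
            if permission in other.declares:
                return signer_identity(other.signers) == signer_identity(requester.signers)
        return False


def demo() -> dict:
    pm = PackageManagerModel()
    # Constructed stand-ins for DER certificates. The impostor copies the subject name
    # but cannot copy the key, so the bytes (and the fingerprint) differ.
    cert_dev = b"CONSTRUCTED-DER:CN=Legit Developer,self-signed,key=A"
    cert_impostor = b"CONSTRUCTED-DER:CN=Legit Developer,self-signed,key=B"
    cert_rotated = b"CONSTRUCTED-DER:CN=Someone Else,self-signed,key=C"
    sync_perm = "com.example.bank.permission.SYNC"

    r = {}
    r["legit_v1"] = pm.install(Apk("com.example.bank", 1, frozenset({cert_dev}),
                                   declares=frozenset({sync_perm})))
    r["legit_v2"] = pm.install(Apk("com.example.bank", 2, frozenset({cert_dev}),
                                   declares=frozenset({sync_perm})))
    # A rogue "update" of an installed package is refused: different certificate bytes.
    r["impostor_update"] = pm.install(Apk("com.example.bank", 3, frozenset({cert_impostor})))
    # A companion app from the impostor installs fine but cannot use the signature permission.
    r["companion_install"] = pm.install(Apk("com.evil.companion", 1, frozenset({cert_impostor}),
                                            uses=frozenset({sync_perm})))
    r["companion_granted"] = pm.granted("com.evil.companion", sync_perm)
    # The developer's own helper, signed with the same certificate, is granted it.
    pm.install(Apk("com.example.bank.helper", 1, frozenset({cert_dev}), uses=frozenset({sync_perm})))
    r["helper_granted"] = pm.granted("com.example.bank.helper", sync_perm)
    # Tote's point: a fresh package under a fresh self-signed key installs freely, and
    # nothing in the recorded identity links the new certificate to the old one.
    r["rotated_install"] = pm.install(Apk("com.evil.other", 1, frozenset({cert_rotated})))
    r["keys_linkable"] = cert_fingerprint(cert_impostor) == cert_fingerprint(cert_rotated)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model shows the two things the certificate is actually used for (protecting updates of an existing package and gating signature-level permissions between packages) and what it is not: an identity that carries over to a new package name under a new key, which is exactly the gap the question above describes.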
