As always, I don't speak for my employer or any of my employer's clients.

On Mon, Aug 3, 2009 at 6:43 AM, juanfe <[email protected]> wrote:

> http://www.mail-archive.com/[email protected]/msg00193.html

Have you tried this scenario recently, with Cupcake or the latest SDK?

> http://www.mail-archive.com/[email protected]/msg00192.html

http://developer.android.com/guide/topics/security/security.html

Android's API safety comes primarily from the Permission system and from the user's informed decision to install a given application. Certificates cryptographically link Permissions to sources of code and optionally to a Linux UID.

In any case, CAs do not provide any measure of trustworthiness. CAs were supposed to help people link online identities with real-world identities, which is a distinct thing. People seem to want to trust a central authority. That baffles me, given the performance of global, public CAs so far. (Google for "md5 considered harmful today" or "moxie marlinspike", or try to buy a certificate with the CN "email" and think about how bad it is that you were able to.)

As security engineers we are trying to reduce the number of entities we have to trust, and the degree to which we have to trust them. Android's design helps users do both.

Android's security design is very different from that of PC operating systems. The user interface tells the user what they need to know to decide if they want to trust the application with the stated Permissions. This design allows Android users to put a smaller amount of trust in their applications; by contrast, PC operating systems typically require users to fully trust their applications. Therefore trustworthiness is arguably less of an issue, since users place less trust in Android applications.

I would therefore say that a key security research area -- the original poster was looking for something to do -- is to research how to divide privilege into distinct units, and how to most effectively communicate their meaning to users.
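As an added illustration of the point above about certificates linking Permissions to sources of code and optionally to a Linux UID (an example written for this page, not the poster's own code), here is a hypothetical AndroidManifest.xml that declares a custom permission with the `signature` protection level, so only packages signed with the same certificate as the declaring package can be granted it, and uses `sharedUserId` so that same-certificate packages run under one Linux UID. The package and permission names are made up.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed manifest for a made-up package "com.example.vault". -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vault"
    android:sharedUserId="com.example.shareduid">
    <!-- Packages that declare the same sharedUserId AND are signed with the
         same certificate are installed under a single Linux UID, so they can
         share files and processes; a package signed by anyone else cannot
         join this UID. -->

    <!-- protectionLevel="signature": the system grants this permission only
         to packages whose signing certificate matches this package's. The
         check is a cryptographic comparison at install time, not a trust
         judgement by a CA. -->
    <permission
        android:name="com.example.vault.permission.READ_SECRETS"
        android:protectionLevel="signature" />

    <application android:label="Vault">
        <!-- Exported so other packages can bind, but the framework rejects
             any caller that does not hold READ_SECRETS. -->
        <service
            android:name=".SecretService"
            android:exported="true"
            android:permission="com.example.vault.permission.READ_SECRETS" />
    </application>
</manifest>
```

A client package requests the permission with `<uses-permission android:name="com.example.vault.permission.READ_SECRETS" />`; it is granted silently if the client is signed with the same key and refused otherwise, which is the "Permissions linked to sources of code" behaviour described above.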
