On Tue, 22 Nov 2011 19:17:39 -0800 (PST) Fernando T wrote:
> Perhaps there is a better way to accomplish the same thing?

Someone may well know of an API? You could have a system which checks the signature, creates a sha256 of the apk and even signs the sha256 with your own private key if you like.

If you're checking installed apps, their device could already be fscked and almost as likely not via an apk, despite the recent allegations of a 400% increase in trojans, and I sure hope Adobe don't make things worse by making HTML5 half as vulnerable as Flash. A new web browser would be born of course, maybe xxxterm would proliferate.

I also don't think sign checks will achieve much at all unless it is installed first and meant for particular apps. The web of trust is the real and difficult, almost non-computable issue: if it's not open source you have to work out if the developer is who he says he is, his key is safe, his intentions are honourable and his view of honourable matches yours. The best thing would be source review and then a sha256 awarded a seal of approval.

Of course your app or kernel could be undermined too, especially with Torvalds' "a bug's a bug". Google, please make a central kernel "SECURITY bug" centre that doesn't label everything as a denial of service; all of the Linux world would benefit.

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
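
The "source review, then a sha256 awarded a seal of approval" idea from the message above, as an added example that is not part of the original post. All names are hypothetical, the sample APK is a constructed zip, and the sketch assumes JAR-style signing files under `META-INF/`; it does not verify the signature or sign the digest.

```python
import hashlib
import io
import zipfile

def build_apk(dex: bytes, cert: bytes) -> bytes:
    """Constructed APK-shaped zip (sample input, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in (("AndroidManifest.xml", b"<manifest/>"),
                           ("classes.dex", dex),
                           ("META-INF/CERT.RSA", cert)):
            # Fixed timestamp keeps the archive bytes reproducible.
            z.writestr(zipfile.ZipInfo(name, (2011, 11, 22, 0, 0, 0)), data)
    return buf.getvalue()

def file_digest(apk: bytes) -> str:
    """sha256 over the exact bytes, signing files included."""
    return hashlib.sha256(apk).hexdigest()

def content_digest(apk: bytes) -> str:
    """sha256 over entry names and data, skipping META-INF/ (signing files)."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in sorted(n for n in z.namelist() if not n.startswith("META-INF/")):
            # Length-prefix each field so adjacent entries cannot run together.
            for field in (name.encode(), z.read(name)):
                h.update(len(field).to_bytes(8, "big") + field)
    return h.hexdigest()

class ApprovalRegistry:
    """Digests of builds that passed source review (hypothetical design)."""
    def __init__(self):
        self._by_file = {}     # file digest -> label
        self._by_content = {}  # content digest -> label

    def approve(self, apk: bytes, label: str) -> None:
        self._by_file[file_digest(apk)] = label
        self._by_content[content_digest(apk)] = label

    def check(self, apk: bytes):
        label = self._by_file.get(file_digest(apk))
        if label is not None:
            return ("approved", label)
        label = self._by_content.get(content_digest(apk))
        if label is not None:
            # Reviewed code, but different signing files: the approval does not carry over.
            return ("resigned", label)
        return ("unknown", None)

REVIEWED = build_apk(b"dex-v1", b"developer-cert")  # constructed sample build
```

A "resigned" result means the code matches a reviewed build but the signer question raised in the message is open again for that copy.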
