On Wed, 23 Nov 2011 10:21:27 +0000 Kevin Chadwick wrote:

> The best thing would be source review and then a sha256 awarded a seal
> of approval.

Of course the build date etc. would mean the sha256 wouldn't match so users would still have to choose between trusting you (one person to audit) and the many devs, and why would the dev trust your package?

A market could offer this as a paid-for service or as a differentiator to gain traffic assuming their server security or procedures are good (rare). The profit margin would probably mean packages audited would need voting for like crossover games, there's also the issue of raising barriers to entry for new similar apps but I guess that's the point of it.

I'd also hope that Android's security model almost guarantees trusted apps with network access can't execute downloaded content as tricks may be used to hide this in the source code. (I know it can't be doing everything possible here due to the ease and abundance of existing code that a large market share demands and so Java).

Not a pretty picture, is it, compared to Desktop unix-like and Linux systems. Buyer beware.

It's probably worth bearing in devs' minds that if your app just does what a web page can do (prism etc.) then you should at least give a link too as the likelihood of users installing apps for say a single event is far less than them visiting a web page, at least it should be and time will teach.

ARM repos may become a real threat to Android, if they are not harnessed.
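
The point that a build date alone changes a package's sha256, as an added example that is not part of the original message: two constructed zip archives (the container format an APK uses) with identical contents and different timestamps, hashed first as files and then by content. It assumes unsigned archives that differ only in entry timestamps; all file names and bytes below are constructed.

```python
import hashlib
import io
import zipfile


def build_archive(files, build_time):
    """Zip `files` (name -> bytes), stamping every entry with build_time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=build_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return buf.getvalue()


def file_digest(blob):
    """sha256 of the archive as shipped, timestamps and all."""
    return hashlib.sha256(blob).hexdigest()


def content_digest(blob):
    """sha256 over entry names and uncompressed bytes, ignoring zip metadata."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in sorted(zf.namelist()):
            raw_name, data = name.encode(), zf.read(name)
            # Length prefixes keep (name, data) boundaries unambiguous.
            h.update(len(raw_name).to_bytes(4, "big") + raw_name)
            h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


# Constructed sample inputs: same sources built on two different days,
# plus one build whose code differs.
SAMPLE = {"AndroidManifest.xml": b"<manifest/>",
          "classes.dex": b"constructed bytecode placeholder"}
AUDITED = build_archive(SAMPLE, (2011, 11, 22, 9, 0, 0))
REBUILT = build_archive(SAMPLE, (2011, 11, 23, 10, 21, 26))
TAMPERED = build_archive({**SAMPLE, "classes.dex": b"different bytecode"},
                         (2011, 11, 22, 9, 0, 0))

if __name__ == "__main__":
    for label, blob in (("audited", AUDITED), ("rebuilt", REBUILT),
                        ("tampered", TAMPERED)):
        print(f"{label:9} file={file_digest(blob)[:16]} "
              f"content={content_digest(blob)[:16]}")
```
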
