Is self-signed cert a "hard" requirement? It's kind of unusual. In my mindset, self-signed certs should be used in pre-prod environments only. The whole idea of CA is that everybody knows and trusts them and relies on them when something needs to be verified about a less known 3-rd party. It makes possible to store few trusted CA in all relying apps (e.g. browsers) instead of millions 3-rd parties that you might to connect to.
I still need to think if this is really a problem in the mobile world. On Jan 16, 8:31 pm, Brian Carlstrom <b...@google.com> wrote: > On Sat, Jan 14, 2012 at 8:30 AM, Oleg Gryb <oleg.g...@gmail.com> wrote: > > Is there any way to verify an Android's application signature's > > signer? By this I mean that I need to check if an application was > > signed by an organization that I trust to and that all public > > certificates in the chain representing this organization are valid. > > No, applications are signed by self signed certificates, not utilizing > certificate chains with public CAs as roots. > > -bri -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to android-security-discuss@googlegroups.com. To unsubscribe from this group, send email to android-security-discuss+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
