If a cert must be self-signed, as Brian has mentioned, then I don't think that I can do much except store all public keys for all trusted parties. If the same party uses more than one key, then I would need to store all of them, and this is what I was trying to avoid, apparently with no luck so far.
To your point about the necessity of a CA, please check my answer to Brian. While I do have a strong opinion about this in the Enterprise and traditional web app world (i.e. self-signed certs should not be used in prod), I don't have such a strong opinion in the mobile world yet, except that it does create the inconvenience that I've described above (need to store all public keys for the same party).

On Jan 17, 3:36 am, Kevin Chadwick <ma1l1i...@yahoo.co.uk> wrote:
> On Mon, 16 Jan 2012 20:31:20 -0800
>
> Brian Carlstrom wrote:
> > On Sat, Jan 14, 2012 at 8:30 AM, Oleg Gryb <oleg.g...@gmail.com> wrote:
> > > Is there any way to verify an Android application signature's signer? By this I mean that I need to check if an application was signed by an organization that I trust and that all public certificates in the chain representing this organization are valid.
> >
> > No, applications are signed by self-signed certificates, not utilizing certificate chains with public CAs as roots.
> >
> > -bri
>
> And if you think about it, checking the author's signature is more secure because unless the third party verifies the code, which is often closed source, then all you would be achieving is increasing the attack surface by including the CA as well as the author's systems (source). No matter what you do you *MUST* verify and trust the author.
>
> Apple's method of preventing the obvious is questionable at best and may lead to a false sense of security and likely has more to do with Apple's want for control, which is probably why they have less market share than they should with a better OS than Windows, as the hardware was controlled, like Sony phones until recently.
>
> --
> Kc

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
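One way to implement the "store all trusted public keys" approach the reply describes, as an added Android/Java example that is not code from any participant in the thread: the checking app reads a package's signer certificates and compares the SHA-256 of each signing public key against an allow-list keyed by publisher, so a publisher that uses more than one key simply gets more than one pinned entry. The `SignerCheck` class, the publisher name and the hash value are constructed placeholders, not values from the thread.

```java
import android.content.Context;
import android.content.pm.*;
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.*;

/** Decides whether a package was signed only by keys pinned for one trusted publisher. */
public final class SignerCheck {

    // Hypothetical allow-list (constructed for this example): publisher name ->
    // lower-case hex SHA-256 of each DER-encoded signing public key seen from that
    // publisher. A publisher with several keys just has several entries; with
    // self-signed certs there is no chain to fall back on.
    private static final Map<String, Set<String>> TRUSTED_KEYS = new HashMap<>();
    static {
        TRUSTED_KEYS.put("example-publisher",
            Collections.singleton("PLACEHOLDER_SHA256_HEX_OF_PUBLISHER_KEY"));
    }

    /** Returns the trusted publisher's name, or null if any signer is not pinned. */
    public static String trustedSigner(Context ctx, String packageName) throws Exception {
        // GET_SIGNATURES is the thread-era API; API 28+ also offers GET_SIGNING_CERTIFICATES.
        PackageInfo info = ctx.getPackageManager()
            .getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        String publisher = null;
        for (Signature sig : info.signatures) {
            X509Certificate cert = (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(sig.toByteArray()));
            // Pin the public key, not subject/issuer: on a self-signed cert those
            // fields are whatever the signer chose to write.
            byte[] digest = sha256.digest(cert.getPublicKey().getEncoded());
            String fp = String.format("%064x", new BigInteger(1, digest));
            String owner = null;
            for (Map.Entry<String, Set<String>> e : TRUSTED_KEYS.entrySet()) {
                if (e.getValue().contains(fp)) owner = e.getKey();
            }
            // Every signer must be pinned and all must belong to the same publisher.
            if (owner == null || (publisher != null && !publisher.equals(owner))) return null;
            publisher = owner;
        }
        return publisher;  // null also when the package carries no signatures
    }
}
```

Pinning the public key rather than the certificate lets a publisher rotate certificate validity dates without invalidating the entry, while a key the allow-list has never seen is still rejected.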