What is that ultimate goal?

1) We are trying to protect the end user from apps that do naughty things?
2) So how can the app be trusted?
   - People associate implicit trust with a brand - I trust angry bird app
(for whatever reasons the brand increased in value)
   - People trust an app where there is no brand yet- Early adopters,
pioneers etc.
3) From a technology perspective-
   - PKI based signature is one mechanism that can provide some amount of
confidence - Agreed that this is not a panacea. Just because it was signed by a
certificate issued by a CA does not make the app inherently safe.

From Android perspective:
- The list of permissions is granular enough from an app permission
perspective, but it is completely too complex for an average grandma. We
need some way to tie these permissions to a threat level.
  For eg: ACCESS_NETWORK_STATE
<http://developer.android.com/reference/android/Manifest.permission.html#ACCESS_NETWORK_STATE>
may have lower level compared to CALL_PHONE
<http://developer.android.com/reference/android/Manifest.permission.html#CALL_PHONE>.
- When an app is installed the threat level of the app gives some sort of
indication. If I have enough trust with the app, the user will approve. If
there is no trust, we need to have some mechanism that
  Android installer will check against a reputation DB and provides enough
warning to users.
- Android needs some sort of monitoring process on the device that
monitors app activity and provides some sort of event logs to track
activity that can be nefarious.
- Maybe Google does not want to be in the business of code review, but it
is an opportunity to outsource this to certified vendors (of course I have
not given thought on how the vendors can monetize this)

I am not sure whether Android has a revocation mechanism where all apps can
be disabled by Google from their internal infrastructure - Apple can
presumably do this using some mechanism tied around certs.







On Fri, Jan 20, 2012 at 3:41 AM, Kevin Chadwick <ma1l1i...@yahoo.co.uk> wrote:

> On Thu, 19 Jan 2012 14:54:01 -0800 (PST)
> Oleg Gryb wrote:
>
> >>self-signed cert is not a "hard"
> >>requirement, but rather a questionable practice and in this regard,
> >>The whole idea of CA is that everybody knows and trusts them and
> >>relies on them when something needs to be verified about a less known
> >>3-rd party.
>
> This is what yanked my chain. It has nothing to do with trust it simply
> helps you to know that you are connecting or receiving data from a
> source (domain) that you must verify yourself. CAs help with websites
> not with trust of the site (ignore EV) but that your connection is to
> that domain, this is very different from apps especially where an app
> may be spoofed via a similar name. Maintaining a personal list of
> trusted authors would be better.
>
>
> > So each time when somebody wants to connect to a new website you
> > suggest to check it manually, probably by googling or by checking an
> > author's background. Interesting approach, but I think, it'll hardly
> > work for 99% of people including myself.
> >
>
> In fact you should consider if you trust a website before connecting
> in plain text which is why emails are so dangerous because you don't
> choose the links you're given. That is the case, just understand that you
> are running on luck and hopefully (*for you* and most likely) the
> malware is attacking others and not you except for your local
> resources. This is one of the reasons aside from I expect Microsoft
> wanting you to upgrade your hardware and buy a new Windows as to why
> Windows slows down over time a lot more when it's an online machine.
> Did you know attackers disable other malware and patch the hole they
> used to get in before Microsoft as they want your resources to
> themselves without you reinstalling?
>
>
> > The same is true about mobile apps and yes, I do care about all 180M
> > web sites and 500,000 android apps simply because I have no idea which
> > website I'll need to visit tomorrow or which app to download to my
> > device. At the time when I need them, most likely I won't have time to
> > verify anything, so I'll need to rely on somebody or something, be it
> > Android market or a CA.
>
> You still haven't understood, websites and apps are very different.
> Security is all about specifics.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To post to this group, send email to
> android-security-discuss@googlegroups.com.
> To unsubscribe from this group, send email to
> android-security-discuss+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
>
>
