That doesn't make any sense, does it?
On Tue, Jul 3, 2012 at 10:52 PM, Nikolay Elenkov <[email protected]> wrote:
> On Wed, Jul 4, 2012 at 2:44 PM, Nikolay Elenkov
> <[email protected]> wrote:
> > Apparently this never made it to the list, forwarding.
> >
> > ---------- Forwarded message ----------
> >
> > On Thu, Jun 28, 2012 at 3:15 PM, Nikolay Elenkov
> > <[email protected]> wrote:
> >
> > > It seems that this is actually baked into the PackageManagerService
> > and the DefaultContainerService and APKs are decrypted on the fly
> > as needed. You can install encrypted APKs using adb install
> > (which just calls pm install), but you need to specify the key/IV, so
> > the app is decrypted before being installed.
> > > ...
> >
> > This still leaves the question where the encryption key is stored
> > (most probably in the keystore) and who generates it (Play Store
> > based on device+user ID, or the device itself).
>
> And looking into this a bit more, it looks like the Market/Play is sending
> you an encrypted APK, along with the encryption parameters (probably not
> in the same message, but haven't looked in detail). So it's actually
> decrypted and/or verified (by PackageManagerService and friends) before
> being installed on the device. The actual APK saved on disk is not
> encrypted, so it works just as before and no keys are saved on the device.
> This certainly does not stop anyone with a rooted device from pulling the
> APK from the device.
>
> Maybe this will change in the future, but not sure what the merit is
> in the current form (aside from making it harder to intercept an APK
> download and use it on some other device).
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To post to this group, send email to
> [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
