I second this. Please can we get some details on how this works. The only reference I can see on d.android.com is at the very bottom of this page http://developer.android.com/about/versions/jelly-bean.html:
Starting with Android 4.1, Google Play will help protect application assets > by encrypting all paid apps with a device-specific key before they are > delivered and stored on a device. So, the paid app's/game's assets are encrypted for the specific device. Assuming the package manager does not decrypt at install time (which would be a complete waste of time - discussed here<https://groups.google.com/forum/?fromgroups#%21topic/android-security-discuss/gfUeT6qJWUA>) we can assume that when the app loads, there's some new decryption routine in the resource or file system. Well, there are two problems: 1. I can just wait for the app to load and dump the RAM. 2. If they're smart and load/decrypt only chunks at a time, dumping RAM would be harder but still possible. There would be a performance hit here if there's constant decryption going on.. games will hate this. 3. The decryption key is somewhere on the device so it will be trivial to take the key, decrypt the assets, repackage the apk and redistribute to the world in unencrypted form. I can't see how it can work unless the OS has been modified (or will be) to only run encrypted apks... but they say it's only for paid apps so that's not the case either. So, yes, Android team, please answer the questions Dafu raises. Dru -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To view this discussion on the web visit https://groups.google.com/d/msg/android-security-discuss/-/w8aKEARgDkkJ. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
