And also what kind of key this is. For example, if there is a per-device public key, it would be nice from an enterprise POV to be able to use this same feature for enterprise/side-loaded apps.
On Mon, Jul 16, 2012 at 11:08 AM, Dru <[email protected]> wrote:
> Thanks for the extra info Nikolay. Has anyone found where the key is stored, as that seems pivotal to the entire security? Also, it seems the protection will fall apart on a rooted device where the package can be easily repackaged without the encryption and then redistributed.
>
> On Sunday, July 15, 2012 7:30:17 AM UTC-7, Nikolay Elenkov wrote:
>> On Fri, Jul 6, 2012 at 7:24 PM, Kevin Chadwick wrote:
>> > on the device. The actual APK saved on disk is not encrypted, so it works just as before and no keys are saved on the device. This certainly does not stop anyone with a rooted device from pulling the APK from the device.
>>
>> Now that JB source is out, it turns out there is one more piece to the puzzle -- forward locking. If the 'forward lock' flag is set, an encrypted EXT4 container will be built for the app, and the app itself will be split into a public part (resource) readable by everyone and a private part (the actual APK), readable only by root. The whole thing is loopback mounted under /mnt/asec/package.name, just as it was done for apps moved to the SD card. So paid apps (or apps you installed via adb with the -l option) are indeed encrypted with a device-specific key when stored on the device. Which makes it slightly harder to pull the apk and will probably confuse some backup apps. adb backup seems to filter out forward-locked apks, so you only get the preferences and data files in the backup.
