So the environments would let users install via side loading (which isn't OTA either), but not via adb pm install? That seems odd.
Though if that's the requirement, it would seem those environments would be SOL.

-Tim Strazzere

On Mon, Jul 16, 2012 at 12:49 PM, Jeff Enderwick <[email protected]> wrote:
> Not gonna fly in any enterprise environment I know. It all has to happen
> OTA.
>
>
> On Mon, Jul 16, 2012 at 12:46 PM, Tim <[email protected]> wrote:
>
>> Sorry, are you saying an enterprise IT department couldn't use ADB to
>> provision the device prior to giving it out?
>>
>> This might not work so well in BYOD, but if you wanted the enterprise
>> app, hand it over to IT, let them enable ADB/install and disable ADB?
>>
>> -Tim Strazzere
>>
>>
>> On Mon, Jul 16, 2012 at 12:39 PM, Jeff Enderwick <[email protected]> wrote:
>>
>>> Enterprise is typically devices from N carriers, no adb. User allows
>>> side-loading via settings.
>>>
>>>
>>> On Mon, Jul 16, 2012 at 12:10 PM, Tim <[email protected]> wrote:
>>>
>>>> All the source is there, you could use the package manager to push an
>>>> application and forward lock it via ADB. Secondly, if you control the
>>>> device and its OS (can have a system signer) you could implement this via
>>>> an application via the install_packages permission.
>>>>
>>>> That's the beauty of this being open source ;)
>>>>
>>>> -Tim Strazzere
>>>>
>>>>
>>>> On Mon, Jul 16, 2012 at 12:07 PM, Jeff Enderwick <[email protected]> wrote:
>>>>
>>>>> And also what kind of key this is. For example, if there is a
>>>>> per-device public key, it would be nice from an enterprise POV to be able
>>>>> to use this same feature for enterprise/side-loaded apps.
>>>>>
>>>>>
>>>>> On Mon, Jul 16, 2012 at 11:08 AM, Dru <[email protected]> wrote:
>>>>>
>>>>>> Thanks for the extra info Nikolay. Has anyone found where the key is
>>>>>> stored as that seems pivotal to the entire security. Also, it seems the
>>>>>> protection will fall apart on a rooted device where the package can be
>>>>>> easily repackaged without the encryption and then redistributed.
>>>>>>
>>>>>> On Sunday, July 15, 2012 7:30:17 AM UTC-7, Nikolay Elenkov wrote:
>>>>>>
>>>>>>> On Fri, Jul 6, 2012 at 7:24 PM, Kevin Chadwick wrote:
>>>>>>> >> > on the device. The actual APK saved on disk is not encrypted, so it works
>>>>>>> >> > just as before and no keys are saved on the device. This certainly does
>>>>>>> >> > not stop anyone with a rooted device from pulling the APK from the device.
>>>>>>> >
>>>>>>>
>>>>>>> Now that JB source is out, it turns out there is one more piece to the puzzle
>>>>>>> -- forward locking. If the 'forward lock' flag is set, an encrypted
>>>>>>> EXT4 container will be built for the app, and the app itself will be split into a
>>>>>>> public part (resource) readable by everyone and a private part (the actual APK),
>>>>>>> readable only by root. The whole thing is loopback mounted under
>>>>>>> /mnt/asec/package.name, just as it was done for apps moved to the SD card.
>>>>>>> So paid apps (or apps you installed via adb with the -l option) are indeed
>>>>>>> encrypted with a device-specific key when stored on the device. Which makes
>>>>>>> it slightly harder to pull the apk and will probably confuse some backup apps.
>>>>>>> adb backup seems to filter out forward-locked apks, so you only get the
>>>>>>> preferences and data files in the backup.
>>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "Android Security Discussions" group.
>>>>>> To view this discussion on the web visit
>>>>>> https://groups.google.com/d/msg/android-security-discuss/-/Gc2Ogo85-mkJ.
>>>>>>
>>>>>> To post to this group, send email to [email protected].
>>>>>> To unsubscribe from this group, send email to [email protected].
>>>>>> For more options, visit this group at
>>>>>> http://groups.google.com/group/android-security-discuss?hl=en.
