(and why doesn't this group have a Reply-To header again?) On Tue, Jul 17, 2012 at 4:07 AM, Jeff Enderwick <[email protected]> wrote: > And also what kind of key this is. For example, if there is a per-device > public key, it would be nice from an enterprise POV to be able to use this > same feature for enterprise/side-loaded apps. > > > On Mon, Jul 16, 2012 at 11:08 AM, Dru <[email protected]> wrote: >> >> Thanks for the extra info Nikolay. Has anyone found where the key is >> stored as that seems pivotal to the entire security. Also, it seems the >> protection will fall apart on a rooted device where the package can be >> easily repackaged without the encryption and then redistributed. >> >> On Sunday, July 15, 2012 7:30:17 AM UTC-7, Nikolay Elenkov wrote: >>>
This thing is not exactly new -- apps moved to the SD card were stored in a encrypted container and loopback mounted since Froyo (IIRC). This is using the exact same key. The new thing is that the container is now EXT4 instead of FAT, which obviously allows for permissions and makes 'forward locking' possible. JB code uses this exact same key (AES 128 bit) and there is really nothing special about it, except that it is usable only by the system user. Any enterprise/secure/etc. ROM can generate their own 'system' key and use it for similar purposes. As Tim says, the cool thing about the whole encrypted apps/forward locking is that it is a OS feature, not a Market/Play Store/whatever proprietary feature. Any system app can use it, so you can build your own enterprise app distribution scheme/secure app market/whatever and get the same level of protection. Now that the system has (some) support for hardware security devices you could lock it even tighter if you wanted without too much OS modifications (and your devices have the necessary hardware, of course). Apps have to be loaded at some point to be usable though, so if you have root on a running device, there would always be some way to pull/dump them. -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
