Mikel Artetxe <[email protected]> writes: > On Tue, Oct 28, 2014 at 6:26 PM, Benedikt Freisen > <[email protected]> wrote: > > Ok, I misunderstood that then. > > Another option: > - download the language pairs using the app (the way it's done > now) > - compute a hash value (e.g. SHA) and store it in app memory, > where it cannot be changed by other apps, but store the actual > data > on SD card > - refuse to use the data if the hash value does not match > > This option should allow for practically the same level of > security that > the app has now. > > > That's a good idea! But your schema would not be completely secure > unless you can somehow make sure that the bytecode is not modified in > its way from the server to the user's device (i.e. you should be > protected against man-in-the-middle attacks). This means that your > idea would work for the official android app (its language pairs are > stored in the svn repository -not a good idea BTW- and downloaded over > https), but not for Mitzuli.
You could sign the language pairs with your public key when uploading, have the public key in the app, let the app download both language pair and signature and check the signature. (Or you could download language pairs using https and pretend that the CA system is safe and that no one who's not authorised can upload bad pairs.) But the MITM issue is unrelated to the issue of storing on SD, isn't it? (That is, the MITM vulnerability is there regardless of whether you only support Android 4.4 or if you implement Benedikt's hash trick.) -- Kevin Brubeck Unhammer GPG: 0x766AC60C
signature.asc
Description: PGP signature
------------------------------------------------------------------------------
_______________________________________________ Apertium-stuff mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/apertium-stuff
