Well, of course it works.  But it won't provide much value.

Why? Because Android's security model (which I like) allows you to install Apps
that may do potentially bad things without corrupting the OS.  One such bad
thing is (for example) using keys of other Apps to do "background transactions".

The only way to thwart that without completely revising the security model is
to "tag" keys in such a way that only apps specified by the issuer will be
allowed to use a specific key.  This is only possible if you integrate the key
handling in the OS itself.  It also requires a way to describe and issue
"tagged" keys.

Other features needed are trusted path PIN input, which is about a key attribute
telling that a key can only be unlocked by a PIN going through a trusted path
of the OS.  That is, even if you steal a PIN through a spoofed GUI, you
wouldn't be able to use it except through physical access to the device.

Pardon for being a PITA but mobile phones should IMO not inherit all the legacy
c**p we have in desktop systems.

Anders Rundgren
-- 
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
