The docs specifically mention two interesting things (from brief reading):
1 - The work is done by Android Market app, which has higher privileges.
Exactly what those privileges are isn't spelled out, but it sort of
sounds like the stuff that would be easy to break by examining the
library source code is embedded in a binary app.
2 - The library basically works by sending authorization requests to
Android Market app over IPC. This sounds to me (although I'm not a
security expert by any means) again, like a more secure setup compared
to embedding all the authorization code in the library (and the
application itself).
As for rooted devices: it either works, or it doesn't. If it works,
great. If it doesn't, I hope there is a way to detect failure. Personally,
I've had issues with my apps on rooted devices.
More broadly: there seems to be a certain category of users who do
everything they can to ruin their Android experience - they install
rooted firmware, task killers, memory optimizers, etc. and then wonder
why entire Android subsystems stop working. I'm not too worried about
supporting them.
-- Kostya
27.07.2010 22:42, Raymond C. Rodgers wrote:
On 7/27/2010 2:31 PM, Shane Isbell wrote:
The implementation that Google offers also embeds code, which is
inherently insecure but the docs also say: "For example, a
copy-protected application cannot be downloaded from Market to a
device that provides root access." This would limit the ability of
people to pull the application off of a rooted device. Is it
possible for third-parties to detect if it is a rooted device?
I'm not sure that this is inherently insecure. Yes, it does use
libraries and a public key that will be embedded in the application,
but public keys are designed to be shared. All the client side is
doing is verifying information encrypted with the private key which
isn't accessible, and providing that information to the application
for it to manage as the developer decides. I may not have my security
"A" game going today, but that sounds reasonably secure to me. The
private key isn't even made available to the developer as I understand
it, so the developer doesn't really have the option of shooting
themselves in the foot with it.
As for detecting rooted devices... I have no idea. :-)
Raymond
--
Kostya Vasilev -- WiFi Manager + pretty widget -- http://kmansoft.wordpress.com