On 7/27/2010 2:53 PM, Trevor Johns wrote:
On Tue, Jul 27, 2010 at 11:42 AM, Raymond C. Rodgers
<raym...@badlucksoft.com <mailto:raym...@badlucksoft.com>> wrote:
I'm not sure that this is inherently insecure. Yes, it does use
libraries and a public key that will be embedded in the
application, but public keys are designed to be shared. All the
client side is doing is verifying information encrypted with the
private key which isn't accessible, and providing that information
to the application for it to manage as the developer decides. I
may not have my security "A" game going today, but that sounds
reasonably secure to me. The private key isn't even made available
to the developer as I understand it, so the developer doesn't
really have the option of shooting themselves in the foot with it.
In many ways, it's more secure to have the code embedded in the
application (which is why we designed the library this way).
If the license check was performed solely by the OS, an attacker could
just use a modified firmware image to bypass the checks for all
applications on the system.
<http://groups.google.com/group/android-developers?hl=en>
Agreed. After I wrote my part above, I even thought of another
possibility... I haven't checked the API thoroughly, but it maybe
possible to store the public key on your own server, protected as you
see fit, then when you do your licensing checks, you download the public
key through whatever secure mechanism you feel is sufficient, do the
check, and then discard the public key.
Raymond
--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
