On Tue, Jul 27, 2010 at 11:53 AM, Trevor Johns <trevorjo...@google.com> wrote:

> On Tue, Jul 27, 2010 at 11:42 AM, Raymond C. Rodgers <
> raym...@badlucksoft.com> wrote:
>
>> On 7/27/2010 2:31 PM, Shane Isbell wrote:
>>
>>> The implementation that Google offers also embeds code, which is
>>> inherently insecure but the docs also say: "For example, a copy-protected
>>> application cannot be downloaded from Market to a device that provides root
>>> access". This would limit the ability of people to pull the application
>>> off of a rooted device. Is it possible for third-parties to detect if it is
>>> a rooted device?
>>>
>> I'm not sure that this is inherently insecure. Yes, it does use libraries
>> and a public key that will be embedded in the application, but public keys
>> are designed to be shared. All the client side is doing is verifying
>> information encrypted with the private key which isn't accessible, and
>> providing that information to the application for it to manage as the
>> developer decides. I may not have my security "A" game going today, but that
>> sounds reasonably secure to me. The private key isn't even made available to
>> the developer as I understand it, so the developer doesn't really have the
>> option of shooting themselves in the foot with it.
>
>
> In many ways, it's more secure to have the code embedded in the application
> (which is why we designed the library this way).
>

Decompiling the APK and removing the license checks - it's insecure once the APK
leaves the device. If this is the assumption you are making for security,
it's already been disproven many times within the Android community.


> If the license check was performed solely by the OS, an attacker could just
> use a modified firmware image to bypass the checks for all applications on
> the system.
>
> --
> Trevor Johns
> Google Developer Programs, Android
> http://developer.android.com
>
>  --
> You received this message because you are subscribed to the Google
> Groups "Android Developers" group.
> To post to this group, send email to android-developers@googlegroups.com
> To unsubscribe from this group, send email to
> android-developers+unsubscr...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/android-developers?hl=en
>



-- 
Shane Isbell (Founder of ZappMarket)
http://apps.facebook.com/zappmarket/
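
The verification step described in the quoted text above (the app holds only a public key and checks a response signed with a private key it never sees), as an added example that is not part of the original thread and is not Google's licensing library. The class name, the `code|package|userId` payload format, the choice of `SHA256withRSA`, and the in-process key pair standing in for the server are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

// Added illustration; names and the "code|package|userId" payload format are hypothetical.
public class LicenseCheckSketch {
    // Client side: only the public key ships in the app, as a Base64 X.509 blob.
    static boolean verify(String embeddedPublicKeyB64, String payload, byte[] signature,
                          String expectedPackage) throws GeneralSecurityException {
        PublicKey key = KeyFactory.getInstance("RSA").generatePublic(
                new X509EncodedKeySpec(Base64.getDecoder().decode(embeddedPublicKeyB64)));
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update(payload.getBytes(StandardCharsets.UTF_8));
        if (!verifier.verify(signature)) {
            return false; // payload was altered or was not signed by the server key
        }
        // A valid signature only proves origin; the signed content must still be checked.
        String[] fields = payload.split("\\|");
        return fields.length == 3 && fields[0].equals("LICENSED")
                && fields[1].equals(expectedPackage);
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for the licensing server: the private key never leaves this scope.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair serverKeys = gen.generateKeyPair();
        String embedded = Base64.getEncoder().encodeToString(serverKeys.getPublic().getEncoded());

        String payload = "LICENSED|com.example.app|user-123"; // constructed sample
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(serverKeys.getPrivate());
        signer.update(payload.getBytes(StandardCharsets.UTF_8));
        byte[] sig = signer.sign();

        System.out.println("genuine response: " + verify(embedded, payload, sig, "com.example.app"));
        // Editing the payload without the private key invalidates the signature.
        String edited = payload.replace("user-123", "user-999");
        System.out.println("edited payload:   " + verify(embedded, edited, sig, "com.example.app"));
        // A validly signed response for a different package fails the content check.
        System.out.println("wrong package:    " + verify(embedded, payload, sig, "com.other.app"));
    }
}
```

The signature protects the response itself; the boolean that `verify()` returns is still acted on by code inside the app, which is the part the reply above is concerned with.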
