I may have misinterpreted. Presumably there's a checksum of the APK data in the signed certificate. I would assume (hope) that's a cryptographically strong checksum. (If not, the entire Android platform is in jeopardy.)
If one wants a sure "signature" (in a generic sense) that uniquely and reliably identifies a SPECIFIC version of code, that cryptographic checksum would be what you want (though I don't know how you'd access that). Otherwise, the public key (which Diane has finally explained is what the package "signature" is) is a secure, reliable way to identify the publisher (and, with the package name, the specific app (though not it's version)). There's no point in creating a separate CRC32 over the app, to use as an identity to send back to a server or whatever. On Oct 8, 6:21 am, Mark Murphy <mmur...@commonsware.com> wrote: > What CRC32 checksum? > > Trevor Johns, in a discussion of LVL, offered up CRC32 as a means of > helping detect tampering, but that was simply an example. Otherwise, I > am coming up with zero references to the use of CRC32 with respect to > APKs. > > Do you have a pointer to somewhere in the open source code where they > are using a CRC32 checksum in this fashion? > > Thanks! > > On Fri, Oct 8, 2010 at 7:12 AM, DanH <danhi...@ieee.org> wrote: > > What I mean is that if the bad actor can manipulate the apk bytes > > while still maintaining the same checksum, then the whole scheme is > > insecure -- there's no point in having it signed. A CRC32 checksum is > > easily spoofed -- the apk bytes need to be checksummed with a > > cryptographic checksum of some sort. > > -- > Mark Murphy (a Commons > Guy)http://commonsware.com|http://github.com/commonsguyhttp://commonsware.com/blog|http://twitter.com/commonsguy > > Warescription: Three Android Books, Plus Updates, One Low Price! -- You received this message because you are subscribed to the Google Groups "Android Developers" group. To post to this group, send email to android-developers@googlegroups.com To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
