I can't speak for Apple's situation, but not using SSL/HTTPS leaves security and safety very vulnerable. What you're doing, though you seem to be doing it for a positive reason, is essentially a man in the middle attack: you're intercepting traffic, with the intent of caching the packages for speed purposes, but what's to stop someone else from replacing a particular package with a modified version that infects the downloading device with malware or constant advertising? While it might be difficult or impossible to fake the signature of the "safe" version of the package, the metadata telling you the correct signature could be faked as well, thus giving rise to an otherwise legitimate-looking package. Encryption was developed both to keep private data private and to prevent man in the middle attacks. This is usually considered a good thing.

Even assuming it was perfectly safe and allowed for you to cache the packages, there are other questions and issues to be considered: How would you check to see if you needed to update the cached package? How often would you check? How would you verify that the downloaded package isn't corrupt or compromised or is even the latest version? What's stopping a malicious attacker from compromising your server and altering or removing your cached applications? Do you have enough storage space for all the applications that your users want to download?

I can't speak for what Apple is or isn't doing. I'm not an Apple developer and I don't own an iOS device, but I can tell you that I certainly wouldn't want my app or my data transmitted without encryption. Maybe the lack of encryption there is a design flaw, an error or oversight in code or configuration, a deliberate design choice for your region, or the result of an attack that they haven't detected yet, but given the walled nature of Apple's app ecosystem, I would be very surprised that they decided to just transmit the package over plain HTTP.

On 05/18/2016 03:35 AM, Tourism SecondGuide wrote:
I'm just surprised that Apple considers http application download secure enough. They are usually very sensitive to security problems. And anyway, https application downloading is a big problem in a lot of cases.

2016-05-17 22:12 GMT+02:00 Raymond C. Rodgers <raym...@badlucksoft.com>:

    What about the device and possibly user account information that might
    get transmitted as part of the download process? Encrypting the package
    while leaving meta data exposed will not help keep the application,
    device, or user account secure.

    On 5/17/2016 2:27 AM, Tourism SecondGuide wrote:
    > A better solution would be to secure the package
    >
    > Le samedi 14 mai 2016 18:03:40 UTC+2, bjv a écrit :
    >
    >     So what you are saying is that Apple is better because they enable
    >     a MITM attack against your apps when being downloaded, perhaps
    >     letting criminals replace your app with their modified one?
    >
    > --
    > You received this message because you are subscribed to the Google
    > Groups "Android Developers" group.
    > To unsubscribe from this group and stop receiving emails from it, send
    > an email to android-developers+unsubscr...@googlegroups.com.
    > To post to this group, send email to android-developers@googlegroups.com.
    > Visit this group at https://groups.google.com/group/android-developers.
    > To view this discussion on the web visit
    > https://groups.google.com/d/msgid/android-developers/392d51b7-25ac-495f-9bc4-ee43b466356e%40googlegroups.com.
    > For more options, visit https://groups.google.com/d/optout.

    To view this discussion on the web visit
    https://groups.google.com/d/msgid/android-developers/573B7B24.3040003%40badlucksoft.com.


To view this discussion on the web visit https://groups.google.com/d/msgid/android-developers/CAHxu9Eo2tQdQDc-VFVZVN%3DSmM9faW9%2BPSSMRnfmH_UV-JKQL8g%40mail.gmail.com.

--
Raymond Rodgers
http://www.badlucksoft.com/
http://anevilgeni.us/

To view this discussion on the web visit
https://groups.google.com/d/msgid/android-developers/fc6ad07a-9989-f731-0c88-665206669494%40badlucksoft.com.
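As an added example (written for this page; it is not code from anyone in the thread, nor from Apple), the forged-metadata point Raymond makes above, simulated in Go: a hypothetical download server publishes a package together with a SHA-256 digest and an ed25519 signature over the same plain channel. A client that trusts the digest it received with the package accepts a package that was swapped in transit along with its metadata, while a client that verifies the signature against a publisher key it already holds rejects it. The server, the metadata layout, the package contents and the choice of ed25519 are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Metadata is the record a hypothetical download server publishes next to the
// package body. It travels over the same unauthenticated channel as the body.
type Metadata struct {
	SHA256    string // hex digest of the body, intended to detect corruption
	Signature []byte // ed25519 signature over the body by the publisher's key
}

// Download is the package body plus its metadata, as received by the client.
type Download struct {
	Body     []byte
	Metadata Metadata
}

// Constructed stand-ins for a real app package and a modified copy of it.
var (
	genuineBody  = []byte("constructed: genuine app package v1.0")
	modifiedBody = []byte("constructed: modified app package")
)

func digestHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Publish is what the legitimate publisher does: hash the body and sign it.
func Publish(priv ed25519.PrivateKey, body []byte) Download {
	return Download{
		Body:     body,
		Metadata: Metadata{SHA256: digestHex(body), Signature: ed25519.Sign(priv, body)},
	}
}

// ReplaceInTransit models the threat described in the thread: an on-path party
// swaps the body and rewrites the metadata to match. The digest is recomputed,
// and the signature is regenerated under a key the client was never told to trust.
func ReplaceInTransit(newBody []byte) Download {
	_, untrustedPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Publish(untrustedPriv, newBody)
}

// VerifyByMetadataDigest is the weak check: it trusts the digest that arrived
// with the package, so it only ever catches accidental corruption.
func VerifyByMetadataDigest(d Download) bool {
	return digestHex(d.Body) == d.Metadata.SHA256
}

// VerifyBySignature is the check that survives a forged metadata record: the
// public key is pinned in the client ahead of time, not taken from the channel.
func VerifyBySignature(pinned ed25519.PublicKey, d Download) bool {
	return ed25519.Verify(pinned, d.Body, d.Metadata.Signature)
}

// Outcome records how each check fares against the genuine and the replaced download.
type Outcome struct {
	GenuineDigestOK, GenuineSigOK   bool
	ReplacedDigestOK, ReplacedSigOK bool
}

// RunScenario generates a publisher key (the client pins the public half),
// publishes the genuine package, replaces it in transit, and runs both checks.
func RunScenario() Outcome {
	pinnedPub, publisherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := Publish(publisherPriv, genuineBody)
	replaced := ReplaceInTransit(modifiedBody)
	return Outcome{
		GenuineDigestOK:  VerifyByMetadataDigest(genuine),
		GenuineSigOK:     VerifyBySignature(pinnedPub, genuine),
		ReplacedDigestOK: VerifyByMetadataDigest(replaced),
		ReplacedSigOK:    VerifyBySignature(pinnedPub, replaced),
	}
}

func main() {
	o := RunScenario()
	fmt.Printf("genuine:  digest=%v signature=%v\n", o.GenuineDigestOK, o.GenuineSigOK)
	fmt.Printf("replaced: digest=%v signature=%v\n", o.ReplacedDigestOK, o.ReplacedSigOK)
}
```

Run it with `go run`: the genuine package passes both checks, the replaced one still passes the digest check (the digest came from the same forged metadata) and fails only the pinned-key signature check. The lesson for anyone considering a cache like the one discussed is that integrity data fetched over the same unauthenticated channel as the package adds nothing against on-path replacement; only something the client already trusts, a pinned publisher key or a TLS-authenticated channel, does.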
