You should read up on CryptoMark, a Linux code-signing security system from Crispin Cowan (WireX) and others back in 2000. The basic idea is that the OS should require a certificate for any app/binary before executing it. I don't know if that would be viable on Android; maybe only install-time is viable on a mobile device.
I think Anurag's install-time check could be a great addition to the platform. Imagine if Android provided a "vouching service" API that third-parties could use to distribute certificates for certain packages. Prior to installing an application, an Android device would make calls to vouching services registered on that device (think of this like 3rd-party Debian repositories) to check on the specific package, uniquely identified by name + version, or whatever makes sense. The vouching service would return at least two values: a boolean applicationIsBlacklisted, and a certificate (could be null if applicationIsBlacklisted is true). For unfamiliar applications, the vouching service would return a null certificate. if (!applicationIsBlacklisted) and a cert is returned, the Android client should verify the certificate before installing the app. This would benefit regular users and "enterprise" users. Enterprises could configure individual devices to only allow installing apps if they've been vouched for by certain vouching authorities. Authorities could range from trusted third parties like anti-virus software vendors to individual enterprises (maybe we don't want to allow games even if they're "safe"). Anybody, including regular individual customers, who wanted Apple-style gatekeeping could pay one or more vouching authorities to help them. Maybe some vouching authorities would offer service free to device owners, and be paid by the app developers. Certainly it would be a good idea for developers to submit APKs to vouching services prior to general release, to facilitate smooth upgrades. The main difference from Anurag's proposal is that the client would only need to fetch certs for specific apps. Less privacy but better performance. There should also be mechanisms for checking after the fact, like OCSP for SSL/TLS certs. This would allow vouching services to disable apps or require users to upgrade. 
Also it would be great if this could be used to disallow access to certain core apps. Sorry, Dianne, but there's a serious problem now with regard to platform updates. First, it looks like Google isn't patching older OS versions (with common cell phone contracts lasting 2 years and handset vendors needing time to develop initial firmware, I think you should provide security patches for at least 3 years after an OS release). Second, between cell phone carrier control and manufacturers not bothering to produce major firmware updates, many regular end users are not getting timely updates to the OS. That means that the core apps are probably the most dangerous, since they're the only ones that can't be upgraded easily.

-Peter

On Mar 9, 12:24 pm, Dianne Hackborn <[email protected]> wrote:
> No, the side-loading package install UI is here:
> http://android.git.kernel.org/?p=platform/packages/apps/PackageInstal...
>
> If you muck around with PackageManagerService, the core package management
> of the system, you are going to break other things.
>
> And really, just don't muck around with PackageManagerService at all. If
> you absolutely need some feature there, at least contribute it as a patch so
> we can review it and help make sure it doesn't break things. I have seen
> too many devices now with broken behavior because the manufacturer messed
> with PackageManagerService. It's a bad idea.
>
> On Wed, Mar 9, 2011 at 8:35 AM, Earlence <[email protected]> wrote:
> > I can narrow it down for you
> >
> > PackageManagerService
> > installd
> >
> > should be in one of these.
> >
> > -Earlence
> >
> > On Mar 9, 12:12 pm, Anurag <[email protected]> wrote:
> > > Hi,
> > >
> > > Currently, Android's built-in application installer allows
> > > installation of any 3rd party application (.APK), as long as the
> > > application is digitally self-signed by the developer. I'm exploring
> > > the possibility to customize Android's code-base where it would allow
> > > only specific 3rd party applications to get installed, based on their
> > > digital certificates.
> > >
> > > Essentially, the use case for this scenario is:
> > >
> > > 1. During the application installation process (say downloading an
> > > application from Android Marketplace), Android's built-in
> > > application installer compares the digital certificate of the
> > > application which is being installed with a digital certificate that
> > > is stored on the device.
> > >
> > > 2. If these certificates match, the installer allows the
> > > application to get installed. If not, the installer does
> > > not allow the application to get installed.
> > >
> > > To do this, I'm trying to locate the code in the Android platform's
> > > code-base where the installer performs the digital certificate check
> > > during an application installation process. I guess this should be
> > > located somewhere in the Framework layer source code, but am not
> > > sure?
> > >
> > > I wasn't able to locate a reference that gives a detailed walk-through
> > > of the Android platform code-base, hence this question. Any pointers
> > > on this would be highly appreciated!
> > >
> > > Many thanks.
> > >
> > > Anurag
>
> --
> Dianne Hackborn
> Android framework engineer
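The vouching-service flow sketched in Peter's post, simulated end to end as an added example (this is not code from the thread or from Android): a developer publishes an APK to a hypothetical vouching service, the device queries every service registered on it at install time, enforces an enterprise "required authorities" policy, and an after-the-fact recheck flags packages a service has since blacklisted. Authority names, package names, keys and APK bytes are constructed, and an HMAC stands in for the asymmetric signature a real vouching certificate would carry.

```python
import hashlib
import hmac

# Constructed sample data: two hypothetical vouching authorities with signing keys.
# The HMAC below stands in for a real asymmetric certificate signature.
AUTHORITY_KEYS = {"av-vendor": b"av-vendor-key", "corp-it": b"corp-it-key"}
# Vouching services registered on the device: authority -> {pkg_id: (blacklisted, cert)}
SERVICES = {"av-vendor": {}, "corp-it": {}}

def package_id(name, version):
    # The proposal identifies a package uniquely by name + version.
    return f"{name}:{version}"

def issue_cert(authority, name, version, apk_bytes):
    # Authority side: vouch for this exact build by binding the APK digest.
    digest = hashlib.sha256(apk_bytes).hexdigest()
    msg = f"{package_id(name, version)}:{digest}".encode()
    return hmac.new(AUTHORITY_KEYS[authority], msg, hashlib.sha256).hexdigest()

def publish(authority, name, version, apk_bytes, blacklisted=False):
    # Developer submits the APK before release; the service records its verdict.
    cert = None if blacklisted else issue_cert(authority, name, version, apk_bytes)
    SERVICES[authority][package_id(name, version)] = (blacklisted, cert)

def query(authority, name, version):
    # Unfamiliar package: not blacklisted, null certificate.
    return SERVICES[authority].get(package_id(name, version), (False, None))

def install_allowed(name, version, apk_bytes, required_authorities):
    """Device-side install-time check. Returns (allowed, reason)."""
    vouched = []
    for authority in SERVICES:
        blacklisted, cert = query(authority, name, version)
        if blacklisted:
            return False, f"blacklisted by {authority}"
        if cert is None:
            continue
        # Verify the certificate covers the APK actually being installed.
        if not hmac.compare_digest(cert, issue_cert(authority, name, version, apk_bytes)):
            return False, f"certificate from {authority} does not match this APK"
        vouched.append(authority)
    if required_authorities and not any(a in vouched for a in required_authorities):
        return False, "no required authority vouched for this package"
    return True, f"vouched by {vouched}" if vouched else "unvouched; allowed by policy"

def recheck_installed(installed, required_authorities):
    """After-the-fact check (OCSP-like): packages that should now be disabled."""
    return [(n, v) for n, v, apk in installed
            if not install_allowed(n, v, apk, required_authorities)[0]]
```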
