On Mon, 16 Jan 2012 20:31:20 -0800 Brian Carlstrom wrote:
> On Sat, Jan 14, 2012 at 8:30 AM, Oleg Gryb <[email protected]> wrote:
>
> > Is there any way to verify an Android application's signature's
> > signer? By this I mean that I need to check if an application was
> > signed by an organization that I trust and that all public
> > certificates in the chain representing this organization are valid.
>
> No, applications are signed by self-signed certificates, not utilizing
> certificate chains with public CAs as roots.
>
> -bri
And if you think about it, checking the author's signature is more secure because, unless the third party verifies the code, which is often closed source, all you would be achieving is increasing the attack surface by including the CA as well as the author's systems (source). No matter what you do you *MUST* verify and trust the author. Apple's method of preventing the obvious is questionable at best and may lead to a false sense of security, and likely has more to do with Apple's want for control, which is probably why they have less market share than they should with a better OS than Windows, as the hardware was controlled, like Sony phones until recently.

--
Kc

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
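Since, as Brian says, Android signing certificates are self-signed and there is no public CA chain to walk, the practical way to check "was this signed by an organization I trust" is to pin the SHA-256 fingerprint of the signer's certificate itself and compare every signer of the installed package against that pin. The following is an added example, not code from the thread or from the Android project; it uses the public Android APIs `PackageManager.GET_SIGNING_CERTIFICATES` / `SigningInfo` (API 28+) and the older `GET_SIGNATURES` / `PackageInfo.signatures` path on earlier releases, and the fingerprint in `TRUSTED_CERT_SHA256` is a placeholder to be replaced with the real value obtained out of band from the publisher.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.content.pm.SigningInfo;
import android.os.Build;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Verifies that an installed package was signed by a certificate we already trust.
 * Because Android signing certs are self-signed, trust is established by pinning
 * the full certificate fingerprint, never by inspecting the (freely chosen) subject DN.
 */
public final class SignerPinCheck {

    // PLACEHOLDER: replace with the lower-case hex SHA-256 fingerprint(s) of the
    // trusted publisher's signing certificate(s), obtained from the publisher directly.
    private static final Set<String> TRUSTED_CERT_SHA256 = new HashSet<>(Arrays.asList(
            "0000000000000000000000000000000000000000000000000000000000000000"));

    private SignerPinCheck() {}

    /** Returns true only if every current signer of packageName is in the trusted set. */
    public static boolean isSignedByTrustedOrganization(Context ctx, String packageName) {
        PackageManager pm = ctx.getPackageManager();
        try {
            Signature[] signers;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                PackageInfo info = pm.getPackageInfo(packageName,
                        PackageManager.GET_SIGNING_CERTIFICATES);
                SigningInfo si = info.signingInfo;
                if (si == null) {
                    return false;
                }
                // getApkContentsSigners() returns the certificates that currently sign the APK
                // (all of them when the package uses multiple signers).
                signers = si.getApkContentsSigners();
            } else {
                signers = legacySigners(pm, packageName);
            }
            if (signers == null || signers.length == 0) {
                return false;
            }
            for (Signature s : signers) {
                // Signature.toByteArray() is the DER-encoded X.509 certificate; hash the whole
                // thing so a forged certificate with a copied subject name does not match.
                if (!TRUSTED_CERT_SHA256.contains(sha256Hex(s.toByteArray()))) {
                    return false;
                }
            }
            return true;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            // Unknown package or no SHA-256 provider: treat as untrusted.
            return false;
        }
    }

    @SuppressWarnings("deprecation")
    private static Signature[] legacySigners(PackageManager pm, String packageName)
            throws PackageManager.NameNotFoundException {
        PackageInfo info = pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
        return info.signatures;
    }

    /** Lower-case hex SHA-256 of the DER certificate bytes. */
    static String sha256Hex(byte[] der) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Two design points worth noting. The check requires every current signer to match the pin, so a package re-signed with an extra or different self-signed key fails closed. It also deliberately does not use `getSigningCertificateHistory()`: if the publisher rotates keys (API 28+), the new certificate's fingerprint has to be added to the pinned set through the same out-of-band channel, rather than being accepted automatically from the package's own rotation proof.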
