Is self-signed cert a "hard" requirement? It's kind of unusual. In my mindset, self-signed certs should be used in pre-prod environments only. The whole idea of CA is that everybody knows and trusts them and relies on them when something needs to be verified about a less known 3-rd party. It makes possible to store few trusted CA in all relying apps (e.g. browsers) instead of millions 3-rd parties that you might to connect to.
I still need to think if this is really a problem in the mobile world. On Jan 16, 8:31 pm, Brian Carlstrom <[email protected]> wrote: > On Sat, Jan 14, 2012 at 8:30 AM, Oleg Gryb <[email protected]> wrote: > > Is there any way to verify an Android's application signature's > > signer? By this I mean that I need to check if an application was > > signed by an organization that I trust to and that all public > > certificates in the chain representing this organization are valid. > > No, applications are signed by self signed certificates, not utilizing > certificate chains with public CAs as roots. > > -bri -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
