You're absolutely right, there isn't any reason to discuss that. It's just that some opinions were rather unusual in my view and I wanted to understand why. I should admit that I still don't have an answer for that "why" question.
Anyway, what I really want to know is the answer for a) on David's list:

1. Can I publish an app on Android market if it's signed with a non self-signed cert?

Brian, if you're still around, please take a look. I think you said no, but then David mentioned that it's probably not correct.

I know that traditional Java jarsigner is used to sign apk files, so I should not have problems with that, but what about publishing on Android market?

There is a sign that it might work: PackageManager returns an array of certificates, not just a single one, in the call that I've mentioned before. It makes me think that it might understand chains.

pm.getPackageInfo(info.packageName,PackageManager.GET_SIGNATURES).signatures <--- this is an array of certificates.

Thanks.

On Jan 19, 9:16 am, Subbu Srinivasan <[email protected]> wrote:
> Not sure why we are debating self signed vs signed by CA. PKI is modelled
> after real world processes (Try printing your own ID card against a govt
> issued one).
> There is a reason why well used apps (like browser) warn users about
> certificates that it cannot trust. Sure it does not eliminate problems like
> malware etc, but makes the
> problem more manageable. Perhaps an app validating mechanism coupled by a
> community driven reputation score would help.
>
> PKI has both strengths and weaknesses, the weakness being that end users
> sometime do not understand how the mechanism works and end up blindly
> accepting SSL connections.
>
> On Thu, Jan 19, 2012 at 4:40 AM, Kevin Chadwick <[email protected]> wrote:
>
> > On Wed, 18 Jan 2012 17:05:30 -0800 (PST)
> > Oleg Gryb wrote:
> >
> > > There are 180M websites in the world. Do you suggest to put 180M
> > > self-signed certificate to a browser? Good luck with that and with
> > > implementing CRL logic around it.
> > > There are 500,000 android apps, the number of publishers is probably
> > > smaller, but still I would not want to deal with each and every
> > > self-signed certificate trying to understand if:
> > >
> > > 1. I want to trust it
> > > 2. If it's associated with a malware
> > > 3. If its private key has been compromised
> > >
> > > Thanks, but no, I don't want to be in this business.
> >
> > I was merely explaining that your statements about self-signed were
> > wrong and you seem to have misread what I said though I had been awake
> > for > 36 hours when I wrote it, which was apps are different but now
> > it's been brought up how many websites do you actually care about an
> > assured secure connection for. On Linux app source is signed by authors
> > via gpg which is more secure but less likely than using a signed repo.
> >
> > There is a major argument that EV reduces security because people see a
> > green light (aside from spoofing especially with modern browsers since
> > that paper), rather than checking manually and considering if they
> > TRUST, perhaps googling it.
> >
> > Similar is true for Markets, more so Apple's than Android's because
> > they advertise that they audit it, though they can't of course.
> >
> > I'd like to see a phone still working after 500,000 apps are
> > installed, they won't fit and your phone will probably have a
> > saturated connection sending spam. There is no way around the fact that
> > a user has to research an app with the only guarantee being checking the
> > source code. There is a business there, but is it viable?? What are you
> > trying to do?
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Android Security Discussions" group.
> > To post to this group, send email to
> > [email protected].
> > To unsubscribe from this group, send email to
> > [email protected].
> > For more options, visit this group at
> >http://groups.google.com/group/android-security-discuss?hl=en.
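An added example, not part of the original message or of any Android project code: one way to see what the `signatures` array from the `getPackageInfo` call quoted above holds for an installed package, by decoding each entry as an X.509 certificate and reporting its subject, its issuer and whether it is self-signed. The class and method names (`SignatureInspector`, `describe`, `isSelfSigned`) are hypothetical.

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper (not from the thread): describes every certificate
// that PackageManager reports for one installed package.
public final class SignatureInspector {
    public static List<String> describe(PackageManager pm, String packageName)
            throws PackageManager.NameNotFoundException, GeneralSecurityException {
        PackageInfo info = pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
        CertificateFactory x509 = CertificateFactory.getInstance("X.509");
        List<String> report = new ArrayList<>();
        if (info.signatures == null) return report;
        for (Signature sig : info.signatures) {
            // Each Signature entry carries one encoded signing certificate.
            X509Certificate cert = (X509Certificate) x509.generateCertificate(
                    new ByteArrayInputStream(sig.toByteArray()));
            report.add("subject=" + cert.getSubjectX500Principal().getName()
                    + " issuer=" + cert.getIssuerX500Principal().getName()
                    + " selfSigned=" + isSelfSigned(cert));
        }
        return report;
    }

    // Self-signed means issuer equals subject AND the certificate's
    // signature verifies under its own public key.
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }
}
```

Comparing the number of entries and their issuer fields for a package signed with a CA-issued certificate shows directly whether the array carries issuer certificates or only the signer's own.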
