No-This cannot be manual. We need a reputation mechanism built into android mkt place, the android installer would check against this and suggest any course of action.
On Thu, Jan 19, 2012 at 3:09 PM, Oleg Gryb <[email protected]> wrote: > You're absolutely right, there is no any reason to discuss that. It > just some opinions were rather unusual in my view and I wanted to > understand why. I should admit that still don't have an answer for > that "why" question. > > Anyway, what I really want to know is the answer for a) on David's > list: > > 1. Can I publish an app on Android market if it's signed with a non > self-signed cert? > > Brian, if you're still around, please take a look. I think you said > no, but then David mentioned that it's probably not correct. I know > that traditional Java jarsigner is used to sign apk files, so I should > not have problems with that, but what about publishing on Android > market? > > There is a sign that it might work: PackageManager returns an array of > certificates, not just a single one, in the call that I've mentioned > before. It makes me think that it might understand chains. > > > pm.getPackageInfo(info.packageName,PackageManager.GET_SIGNATURES).signatures > <--- this is an array of certificates. > > Thanks. > > > On Jan 19, 9:16 am, Subbu Srinivasan <[email protected]> wrote: > > Not sure why we are debating self signed vs signed by CA. PKI is modelled > > after real world procecees (Try printing your own ID card against a govt > > issued one). > > There is a reason why well used apps (like browser) warns users about > > certificates that it cannot trust. Sure it does not eliminate problems > like > > malware etc, but makes the > > problem more manageable. Perhaps a app validating mechanism coupled by a > > community driven reputation score would help,. > > > > PKI has both strengths and weaknesses, the weakness being that end users > > sometime do not understand how the mechanism works and end up blindly > > accepting SSL connections. > > > > On Thu, Jan 19, 2012 at 4:40 AM, Kevin Chadwick <[email protected] > >wrote: > > > > > > > > > > > > > > > > > On Wed, 18 Jan 2012 17:05:30 -0800 (PST) > > > Oleg Gryb wrote: > > > > > > There are 180M websites in the world. Do you suggest to put 180M > self- > > > > signed certificate to a browser? Good luck with that and with > > > > implementing CRL logic around it. > > > > There are 500,000 android apps, the number of publishers is probably > > > > smaller, but still I would not want to deal with each and every self- > > > > signed certificate trying to understand if: > > > > > > 1. I want to trust it > > > > 2. If it's associated with a malware > > > > 3. If its private key has been compromised > > > > > > Thanks, but no, I don't want to be in this business. > > > > > I was merely explaining that your statements about self-signed were > > > wrong and you seem to have misread what I said though I had been awake > > > for > 36 hours when I wrote it, which was apps are different but now > > > it's been brought up how many websites do you actually care about an > > > assured secure connection for. On Linux app source is signed by authors > > > via gpg which is more secure but less likely than using a signed repo. > > > > > There is a major argument that EV reduces security because people see a > > > green light (aside from spoofing especially with modern browsers since > > > that paper), rather than checking manually and considering if they > > > TRUST, perhaps googling it. > > > > > Similar is true for Markets, more so Apples than Androids because > > > they advertise that they audit it, though they can't of course. > > > > > I'd like to see a phone still working after 500,000 apps are > > > installed, they won't fit and your phone will probably have a > > > saturated connection sending spam. There is no way around the fact that > > > a user has to research an app with the only guarantee being checking > the > > > source code. There is a business there, but is it viable?? What are you > > > trying to do? > > > > > -- > > > You received this message because you are subscribed to the Google > Groups > > > "Android Security Discussions" group. > > > To post to this group, send email to > > > [email protected]. > > > To unsubscribe from this group, send email to > > > [email protected]. > > > For more options, visit this group at > > >http://groups.google.com/group/android-security-discuss?hl=en. > > -- > You received this message because you are subscribed to the Google Groups > "Android Security Discussions" group. > To post to this group, send email to > [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group at > http://groups.google.com/group/android-security-discuss?hl=en. > > -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
