On Thu, 19 Jan 2012 15:32:49 -0800 Subbu Srinivasan wrote:

>> No-This cannot be manual. We need a reputation mechanism built into
>> android mkt place, the android installer would check against this and
>> suggest any course of action.

> "social web of trust".

Brilliant idea, actually. That's the best for the General Public, and gpg is perfect for that when streamlined for the purpose (Arch Linux have just started signing their packages with it), but with things to bear in mind. An app may seem fine; the malware may wait until a specific date or 6 months after install, or likely be undetectable to the average or even advanced user. Credit card data theft is often used 6 months later to make it harder to find the source of the problem and maybe collect extra credit cards.

The ultimate trust award would be "Source code verified", but if you didn't build it, then it could still be dodgy. I guess "source code verified and built by Google" would be top notch trust rating, as long as you trust Google of course; many don't, it seems. Google is odd: it has some brilliant virtues and ethos but is also an advertiser, with broad brush statements from the top not helping. Google's self-signed cert in the market app could be used to verify that the "verified by Google" binary blob did come from Google. This would promote open source but unfortunately may affect Android, as ignorance is bliss and most apps are not open source. Maybe Google could attribute source to a user, and an app that is too similar in code terms be rejected from the ring of trust? If doable, maybe that would be best for users and developers??

One ring to rule them all and in the darkness bind them!

-- 
Kevin Chadwick
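The two checks the message separates, "the blob did come from the signer" versus "the blob is what the reviewed source builds to", as an added Go example that is not part of the original thread. It uses an Ed25519 key pair generated on the fly as a stand-in for the store's signing certificate (an assumption; Android APKs are not signed this way) and a constructed byte string as the "built from reviewed source" artifact.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Verdict is what an installer would act on: both flags must be true before
// a blob earns the "source verified and built by the signer" trust level.
type Verdict struct {
	SignatureValid bool // blob was signed by the holder of the pinned key
	MatchesBuild   bool // blob is byte-identical to what the audited source builds to
}

// VerifyBlob checks a distributed blob against a pinned publisher key and
// against the SHA-256 of an artifact the verifier built itself from the
// reviewed source. A valid signature only proves who published the blob;
// the digest comparison is what ties it back to the code that was reviewed.
func VerifyBlob(pinned ed25519.PublicKey, blob, sig []byte, localBuild [sha256.Size]byte) Verdict {
	v := Verdict{}
	if len(sig) == ed25519.SignatureSize {
		v.SignatureValid = ed25519.Verify(pinned, blob, sig)
	}
	v.MatchesBuild = sha256.Sum256(blob) == localBuild
	return v
}

// Scenario runs three constructed cases with a throwaway key pair standing in
// for the store's signing certificate: a genuine blob, a tampered blob, and a
// blob that is correctly signed but does not match the locally built source.
func Scenario() (genuine, tampered, mismatched Verdict, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}

	// Constructed stand-in for the bytes produced by building the reviewed source.
	source := []byte("constructed: artifact built from the reviewed source")
	localBuild := sha256.Sum256(source)

	// Case 1: the store ships exactly what the reviewed source builds to.
	sig := ed25519.Sign(priv, source)
	genuine = VerifyBlob(pub, source, sig, localBuild)

	// Case 2: one byte altered after signing (a swapped or corrupted artifact).
	altered := append([]byte(nil), source...)
	altered[0] ^= 0x01
	tampered = VerifyBlob(pub, altered, sig, localBuild)

	// Case 3: properly signed, but built from code nobody reviewed: the
	// "signed, but if you didn't build it, it could still be dodgy" case.
	other := []byte("constructed: blob built from unreviewed code")
	mismatched = VerifyBlob(pub, other, ed25519.Sign(priv, other), localBuild)
	return
}

func main() {
	g, t, m, err := Scenario()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("genuine:    %+v\n", g)
	fmt.Printf("tampered:   %+v\n", t)
	fmt.Printf("mismatched: %+v\n", m)
}
```

The third case is the one the message warns about: the signature check passes, so an installer that stops there would grant the top trust rating to a blob whose source was never the one reviewed. Only the reproducible-build comparison catches it, which is why "built by the verifier" matters as much as "source verified".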
