On Wed, Jul 4, 2012 at 2:44 PM, Nikolay Elenkov <[email protected]> wrote: > Apparently this never made it to the list, forwarding. > > ---------- Forwarded message ---------- > > On Thu, Jun 28, 2012 at 3:15 PM, Nikolay Elenkov > <[email protected]> wrote:
> > It seems that this is actually baked into the PackageManagerService > and the DefaultContainerService and APKs are decrypted on the fly > as needed. You can install encrypted APKs using adb install > (which just calls pm install), but you need to specify the key/IV, so > the app is decrypted before being installed. > ... > > This still leaves the question where the encryption key is stored > (most probably in the keystore) and who generates it (Play Store > based on device+user ID, or the device itself). And looking into this a bit more, it looks like the Market/Play is sending you an encrypted APK, along with the encryption parameters (probably not in the same message, but haven't looked in detail). So it's actually decrypted and/or verified (by PackageManagerService and friends) before being installed on the device. The actual APK saved on disk is not encrypted, so it works just as before and no keys are saved on the device. This certainly does not stop anyone with a rooted devices from pulling the APK from the device. Maybe this will change in the future, but not sure what the merit is in the current form (aside from making it harder to intercept an APK download and use it on some other device). -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
