On Fri, Jul 6, 2012 at 7:24 PM, Kevin Chadwick <[email protected]> wrote:
>> > on the device. The actual APK saved on disk is not encrypted, so it works
>> > just as before and no keys are saved on the device. This certainly does
>> > not stop anyone with a rooted device from pulling the APK from the device.

Now that JB source is out, it turns out there is one more piece to the puzzle -- forward locking. If the 'forward lock' flag is set, an encrypted EXT4 container will be built for the app, and the app itself will be split into a public part (resource) readable by everyone and a private part (the actual APK), readable only by root. The whole thing is loopback mounted under /mnt/asec/package.name, just as it was done for apps moved to the SD card.

So paid apps (or apps you installed via adb with the -l option) are indeed encrypted with a device-specific key when stored on the device. Which makes it slightly harder to pull the apk and will probably confuse some backup apps. adb backup seems to filter out forward-locked apks, so you only get the preferences and data files in the backup.

-- 
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
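
An added example, not part of the original message: a shell function that reads a /proc/mounts-style table and lists the filesystems mounted under /mnt/asec, which shows which packages live in the kind of container described above. The sample table, the package and device names, and the numeric suffix on the mount name are constructed assumptions.

```shell
#!/bin/sh
# Added example: list app containers mounted under /mnt/asec from a mount table.
# Input is text in /proc/mounts format: device mountpoint fstype options ...

# Constructed sample. Device names, package names and the "-1" suffix are made up;
# the vfat entry only stands in for a container that is not ext4.
SAMPLE_MOUNTS='tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
/dev/block/dm-0 /mnt/asec/com.example.paidapp-1 ext4 ro,dirsync,nosuid,nodev,noatime 0 0
/dev/block/dm-1 /mnt/asec/com.example.game-1 vfat ro,dirsync,nosuid,nodev 0 0
/dev/block/mmcblk0p9 /data ext4 rw,nosuid,nodev,noatime 0 0'

# asec_containers: read a mount table on stdin and print "package fstype device"
# for every filesystem mounted directly under /mnt/asec/.
asec_containers() {
    awk '
        index($2, "/mnt/asec/") == 1 {
            name = substr($2, 11)          # text after "/mnt/asec/"
            # skip the /mnt/asec mount itself and anything nested deeper
            if (name == "" || index(name, "/") > 0) next
            sub(/-[0-9]+$/, "", name)      # assumption: optional numeric suffix
            print name, $3, $1
        }'
}

# ext4_containers: package names whose container filesystem is ext4, the type
# the message describes for forward-locked apps.
ext4_containers() {
    asec_containers | awk '$2 == "ext4" { print $1 }'
}

# In a device shell the live table would be used: asec_containers < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | asec_containers
```

Packages reported by `ext4_containers` are the ones to check when a backup made with adb backup comes back without the APK, as the message describes for forward-locked apps.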
