In the official guide at http://developer.android.com/tools/publishing/app-signing.html it is strongly recommended that developers use self-signed certificates valid until the year 2034, but using cryptographic algorithms that are not even secure for use in the year 2012, specifically that page strongly recommends (almost insists) that signing should be done with a combination of MD5 (completely broken!), SHA-1 (mostly broken, deprecated) and 2048 bit RSA (the minimum key length for use in 2012, way too weak for 2033).
This raises two obvious questions: 1. Why hasn't that page been updated to reflect the "current" state of the art? 2. What are the maximum key and algorithm strengths supported by the apk verification code in different Android versions (For instance an apk that is supposed to be compatible with Android 2.1 devices is limited to whatever strength Android 2.1 can verify, but another apk that has a minimum system requirement of Android 3.0 anyway is only limited by whatever Android 3.0 and later can verify)? -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To view this discussion on the web visit https://groups.google.com/d/msg/android-security-discuss/-/sLPS2hYerMkJ. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
