On Thu, Oct 4, 2012 at 2:23 PM, Jakob Bohm <[email protected]> wrote:
> In the official guide at
> http://developer.android.com/tools/publishing/app-signing.html it is
> strongly recommended that developers use self-signed certificates valid
> until the year 2034, but using cryptographic algorithms that are not even
> secure for use in the year 2012, specifically that page strongly recommends
> (almost insists) that signing should be done with a combination of MD5
> (completely broken!), SHA-1 (mostly broken, deprecated) and 2048 bit RSA
> (the minimum key length for use in 2012, way too weak for 2033).
>
> This raises two obvious questions:
>
> 1. Why hasn't that page been updated to reflect the "current" state of the
> art?
>
> 2. What are the maximum key and algorithm strengths supported by the apk
> verification code in different Android versions (For instance an apk that is
> supposed to be compatible with Android 2.1 devices is limited to whatever
> strength Android 2.1 can verify, but another apk that has a minimum system
> requirement of Android 3.0 anyway is only limited by whatever Android 3.0
> and later can verify)?

There's a bug report for that: "Keytool and Default Keysize for Signing Apps," https://code.google.com/p/android/issues/detail?id=35327.
A while back I tested a 3072 modulus on an HTC EVO 4G running Android 4.0 or 4.1 (all OK). I did not test on older versions.

Jeff
