On Tue, Oct 9, 2012 at 7:33 PM, Jakob Bohm <[email protected]> wrote:
> On Wednesday, October 10, 2012 12:45:56 AM UTC+2, Jeffrey Walton wrote:
>>
>> [SNIP]
>
>> You should also look at the threat model. [Partially] signed APKs only
>> provide the ability to update a previously published APK. The APK can
>> be updated *IFF* it was previously published under the same signing
>> key. In essence, the threat here is the bad guy will be able to
>> provide an update to a good guy's code (which can be fairly
>> troublesome). Due to the signing model and process, there are no
>> effective identity assurances for the users of the APK. So we will
>> never really know who the good guy or bad guy is/was.
>
> There is an additional identity binding: When an apk is uploaded to
> Google Play, the uploaded APK, and thus its embedded key, is bound
> to the Google account of the developer who uploaded the APK, and this
> identity is presented to the end user before the initial download.

The developer can put nearly any information he/she wishes in the account, including fictitious information. The information is not checked. (The assurances on the relationship are similar to what we have with non-EV certificates due to the race to the bottom.)

There are other distribution points and methods besides Google Play. One can upload to any number of Application Stores: https://www.google.com/search?q=android+alternate+application+stores. Or, I can deliver it over SneakerNet and ask you to install via `adb install <my program>`. Plus, I can sign with the well-known ANDROID DEBUG key. The program will run just fine.

Self-signed developer certificates were a design decision intended to remove the barrier of entry. The only thing the signature is good for is updates to published APKs. And as you pointed out, 1024-bit with MD5 (the docs tell us to use MD5withRSA) means both the good guy and bad guy will be able to update them.

Jeff
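The following is an added example, not part of the original thread: a small audit of an APK signing certificate for the properties discussed above (debug-keystore subject, self-signed identity, MD5withRSA, short RSA key), plus a model of the same-certificate update rule. It assumes input text shaped like `keytool -printcert` output; the 2048-bit floor, the function names and the sample certificate text are assumptions constructed for illustration.

```python
import re

DEBUG_DN = "CN=Android Debug,O=Android,C=US"  # subject of the SDK debug keystore cert
MIN_RSA_BITS = 2048                            # assumed policy floor, not from the post

def parse_printcert(text):
    """Extract the audited fields from `keytool -printcert` style text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    bits = re.search(r"(\d+)-bit", fields.get("subject public key algorithm", ""))
    norm = lambda dn: re.sub(r",\s+", ",", dn)  # ignore spacing between DN parts
    return {"owner": norm(fields.get("owner", "")),
            "issuer": norm(fields.get("issuer", "")),
            "sig_alg": fields.get("signature algorithm name", ""),
            "key_bits": int(bits.group(1)) if bits else None,
            "sha256": fields.get("sha256", "").upper()}

def audit(cert):
    """Return findings that weaken the only guarantee the signature gives."""
    findings = []
    if cert["owner"] == DEBUG_DN:
        findings.append("debug-keystore subject")
    if cert["owner"] and cert["owner"] == cert["issuer"]:
        findings.append("self-signed, identity unverified")
    if cert["sig_alg"].upper().startswith("MD5"):
        findings.append("MD5 signature algorithm")
    if cert["key_bits"] is not None and cert["key_bits"] < MIN_RSA_BITS:
        findings.append("short RSA key")
    return findings

def update_allowed(installed, candidate):
    """Update rule from the post: accepted only under the same signing cert."""
    return bool(installed["sha256"]) and installed["sha256"] == candidate["sha256"]

# Constructed sample text (not real certificates or fingerprints).
OLD_CERT = """Owner: CN=Example Dev, O=Example, C=US
Issuer: CN=Example Dev, O=Example, C=US
SHA256: 11:22:33:44
Signature algorithm name: MD5withRSA
Subject Public Key Algorithm: 1024-bit RSA key"""
DEBUG_CERT = """Owner: CN=Android Debug, O=Android, C=US
Issuer: CN=Android Debug, O=Android, C=US
SHA256: AA:BB:CC:DD
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key"""

if __name__ == "__main__":
    for name, text in (("old", OLD_CERT), ("debug", DEBUG_CERT)):
        print(name, audit(parse_printcert(text)))
```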
