James, If you compare it to the old DRM protection, it's actually pretty identical. Yes, everything inside of /dat/app-private were not accessible, though they dropped the res.zip into /data/app/ along side the other non-protected APKs.
As for the "in fact neither were the ones in /data/data" - right, everything inside of /data/data/packagename would not be world readable, other than the shared libraries. Though the whole APK, dex file/assets/etc, was readable via the /data/app/ directory. Why it isn't just readable to the system? I'm not sure, though I am positive that this is the same copy-protection as before, just in a shiny new location. -Tim Strazzere On Tue, Nov 6, 2012 at 1:26 AM, James S <[email protected]> wrote: > Thanks for the reply Tim. Yes I am looking at that area of the platform > and am aware of, and had looked at previously, the /data/app-private > folder, which I believe is specifically the location for forward locking > files prior to Jelly Bean. > > I think you meant "is for the assets to be read". But that's exactly where > my query lies. When these files were stored under /data/app-private these > files weren't so accessible, in fact neither were the ones in /data/data > (without forward locking enabled). There was no world read available. > > Whilst I appreciate the assets need to be available, they don't need to be > available to 'world', but surely only to the app itself and quite probably > the system. This could be achieved using access control (group and user) > without so widely available read permission. The caveat to this statement > is obviously - unless there is some other complexity I'm not aware of. > > Hence the question, any ideas WHY its world readable rather than being > more locked down? > > > > > > On Monday, November 5, 2012 11:31:52 PM UTC, strazzere wrote: >> >> (Arg, adding list to reply) >> >> Your looking at the Copy-Protection/DRM. >> >> Previously this was all located in "/data/app-private". The world >> readable-ness your seeing if for the assess to be read, though the >> classes.dex file is not accessable (nor is the cached odex file). >> >> -Tim Strazzere >> >> >> >> -- > You received this message because you are subscribed to the Google Groups > "Android Security Discussions" group. > To view this discussion on the web visit > https://groups.google.com/d/msg/android-security-discuss/-/54kbRi767c4J. > > To post to this group, send email to > [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group at > http://groups.google.com/group/android-security-discuss?hl=en. > -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
