On Thu, May 9, 2013 at 3:37 PM, Keith Makan <[email protected]> wrote: > At the moment I'm writing a bunch of white papers on android security. > As a result I've been trying to hunt down some academic style papers on > Android's Application Signing mechanism, > I have some high level understanding of how things work---you know the whole > .jar signing, public key, cryptographic hash story---but I > need a good set of academic papers on the subject to reference. Well, one of the earliest papers that I know on Semantic Authentication is by Wagner and Scheier. "Analysis of the SSL 3.0 protocol," www.schneier.com/paper-ssl.pdf, 1996.
Semantic Authentication (a.k.a the Horton Principal from 'Horton Hears a Who') states to authenticate what was meant, and not what was said. In the case of SSL encryption, that mean one should authenticate both the plaintext and padding (what was meant); and not just the plain text (what was said). Padding oracles FTW? In the case of Android code signing, it would be APK + Alignment (what was meant), and not select pieces of the components of an APK (what was said). As a practical example of the issue, consider a signature based scanner. Because the bad guy can arbitrarily change alignment, he/she can produce different thumbprints for the same APK. So an APK with align=4 may trigger the tripwire, but align=8 would pass unmolested. Nikolay Elenkov just wrote an *excellent* blog entry on Android Code Signing. See http://nelenkov.blogspot.com/2013/05/code-signing-in-androids-security-model.html. For the academic treatments, Google is your friend: http://scholar.google.com/scholar?q=android+code+signing. Jeff -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/android-security-discuss?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
