I've never used Google Play, but it validates the signature for updates there as well, as I understand it.
Like Jeffrey, I recommend you look at Nikolay Elenkov's blog entry on Android Code Signing: http://nelenkov.blogspot.com/2013/05/code-signing-in-androids-security-model.html

I also recommend looking at the code in frameworks/base in an AOSP tree.

-bri

On Fri, May 10, 2013 at 7:34 AM, Sebastian Bachmann <[email protected]> wrote:
> So it's just for ensuring upgradeability?
> Does the certificate information have any impact on Google Play?
>
> On 2013-05-10 16:23, Brian Carlstrom wrote:
>> The certs are self-signed, not issued by a public authority. They
>> are used to validate on upgrade that the new apk came from the same
>> source as the old apk. Given that, the subject/issuer information
>> isn't relevant, just the public key in the certificate.
>>
>> -bri
>>
>> On Fri, May 10, 2013 at 2:11 AM, Sebastian Bachmann
>> <[email protected]> wrote:
>>> But is there any enforcement of the signature policy in
>>> practise? I don't know if signatures are at any time validated up
>>> the chain? You cannot install apps that are not signed, but is
>>> there a check for known bad signatures?
>>>
>>> And if a developer is blocked by his signature, he can easily
>>> generate a new one. I see many apps that have this kind of
>>> signature:
>>>
>>> Issuer: C=US, L=, S=, O=Android, OU=, CN=Android Debug, E=
>>> Subject: C=US, L=, S=, O=Android, OU=, CN=Android Debug, E=
>>>
>>> So there are many people that don't even care about the
>>> signature...
>>>
>>> On Thu, 9 May 2013 19:06:46 -0400, Jeffrey Walton
>>> <[email protected]> wrote:
>>>> On Thu, May 9, 2013 at 3:37 PM, Keith Makan
>>>> <[email protected]> wrote:
>>>>> At the moment I'm writing a bunch of white papers on Android
>>>>> security. As a result I've been trying to hunt down some
>>>>> academic style papers on Android's Application Signing
>>>>> mechanism. I have some high level understanding of how things
>>>>> work---you know the whole .jar signing, public key,
>>>>> cryptographic hash story---but I need a good set of academic
>>>>> papers on the subject to reference.
>>>> Well, one of the earliest papers that I know on Semantic
>>>> Authentication is by Wagner and Schneier. "Analysis of the SSL
>>>> 3.0 protocol," www.schneier.com/paper-ssl.pdf, 1996.
>>>>
>>>> Semantic Authentication (a.k.a. the Horton Principle from
>>>> 'Horton Hears a Who') states to authenticate what was meant,
>>>> and not what was said. In the case of SSL encryption, that means
>>>> one should authenticate both the plaintext and padding (what
>>>> was meant); and not just the plain text (what was said).
>>>> Padding oracles FTW?
>>>>
>>>> In the case of Android code signing, it would be APK +
>>>> Alignment (what was meant), and not select pieces of the
>>>> components of an APK (what was said). As a practical example of
>>>> the issue, consider a signature based scanner. Because the bad
>>>> guy can arbitrarily change alignment, he/she can produce
>>>> different thumbprints for the same APK. So an APK with align=4
>>>> may trigger the tripwire, but align=8 would pass unmolested.
>>>>
>>>> Nikolay Elenkov just wrote an *excellent* blog entry on Android
>>>> Code Signing. See
>>>> http://nelenkov.blogspot.com/2013/05/code-signing-in-androids-security-model.html.
>>>>
>>>> For the academic treatments, Google is your friend:
>>>> http://scholar.google.com/scholar?q=android+code+signing.
>>>>
>>>> Jeff
>>>
>>> -- You received this message because you are subscribed to the
>>> Google Groups "Android Security Discussions" group. To
>>> unsubscribe from this group and stop receiving emails from it,
>>> send an email to
>>> [email protected]. To post to
>>> this group, send email to
>>> [email protected].
>>> Visit this group at
>>> http://groups.google.com/group/android-security-discuss?hl=en.
>>> For more options, visit
>>> https://groups.google.com/groups/opt_out.
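
The scanner problem Jeffrey describes in the quoted message, as an added example that is not part of the original thread: a whole-file hash changes when only archive padding changes, while a hash computed over entry names and contents does not. The archive builder, the sample entries and the function names are constructed for illustration, and extra-field padding stands in for the effect of realignment.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for an APK's entries (not a real application).
ENTRIES = [
    ("AndroidManifest.xml", b"<manifest package='com.example.constructed'/>"),
    ("classes.dex", b"dex\n035\x00constructed-bytecode"),
    ("res/raw/blob.bin", bytes(range(16))),
]


def build_archive(entries, pad):
    """Build an uncompressed ZIP whose entries each carry `pad` zero bytes in
    the extra field, the slack that alignment tools use to shift data offsets."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=(2013, 5, 10, 0, 0, 0))
            info.extra = b"\x00" * pad
            zf.writestr(info, data)
    return buf.getvalue()


def file_thumbprint(archive):
    """Naive scanner key: hash of the raw file, sensitive to padding."""
    return hashlib.sha256(archive).hexdigest()


def content_fingerprint(archive):
    """Hash of length-prefixed (name, data) pairs in sorted order, so
    padding, offsets and entry order do not affect the result."""
    digest = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in sorted(zf.infolist(), key=lambda i: i.filename):
            name = info.filename.encode("utf-8")
            data = zf.read(info)
            digest.update(len(name).to_bytes(4, "big") + name)
            digest.update(len(data).to_bytes(8, "big") + data)
    return digest.hexdigest()


if __name__ == "__main__":
    a, b = build_archive(ENTRIES, 0), build_archive(ENTRIES, 4)
    print("file hashes equal:   ", file_thumbprint(a) == file_thumbprint(b))
    print("content hashes equal:", content_fingerprint(a) == content_fingerprint(b))
```

The content fingerprint is a matching key for scanners only; it does not verify the APK's signature or say anything about who signed it.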
