On Wed, Dec 7, 2011 at 8:12 PM, lodewijk andré de la porte <lodewijka...@gmail.com> wrote:
> I'm afraid "far more effective" just doesn't cut it. Android has "install
> .APK from third party sources" which you'll engage whenever you install an
> APK without using the market, trusted or not. You can just put your malware
> on the market though, they can then pull it back off 'n all but just package
> it in "Sexy asian girls #1283" and the like with different accounts
> every time. You're still in a bit of a sandbox though, can't help that
> (although some do say it's not worth that much).

You misunderstand. The Android code signing model isn't intended to protect you from installing malware: it's intended to help Android a) provide isolation between apps from different sources, b) protect your apps from untrusted updates.

To protect you from initially installing or running malware requires something other than code signing. The most code signing can do to protect you from initially installing malware is to limit you to running software from "trusted" sources, but only if you're willing to let someone else (e.g., Apple) decide who is trusted and who isn't.

Nico
--
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
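
An added example, not part of the original message and not Android's own code: a simplified Python model of the two properties named in the reply above, signer pinning for updates and same-signer sandbox sharing. `PackageStore`, the package names and the certificate bytes are constructed for illustration.

```python
import hashlib

def fingerprint(cert_der):
    """Signer identity: SHA-256 of the signing certificate bytes."""
    return hashlib.sha256(cert_der).hexdigest()

class PackageStore:
    """Simplified model (an assumption, not Android's code): the signer is
    pinned on first install and no certificate authority is consulted."""

    def __init__(self):
        self.installed = {}    # package name -> (signer fingerprint, uid)
        self.next_uid = 10000  # start of the modelled per-app uid range

    def install(self, package, cert_der, share_uid_with=None):
        signer = fingerprint(cert_der)
        if package in self.installed:
            pinned, uid = self.installed[package]
            if signer != pinned:
                return ("rejected", "update signed by a different key")
            return ("updated", uid)
        if share_uid_with is not None:
            owner = self.installed.get(share_uid_with)
            if owner is None or owner[0] != signer:
                return ("rejected", "shared sandbox requires the same signer")
            uid = owner[1]
        else:
            uid, self.next_uid = self.next_uid, self.next_uid + 1
        self.installed[package] = (signer, uid)
        return ("installed", uid)

def demo():
    # Constructed certificate bytes; real ones would be DER-encoded X.509.
    vendor_cert, other_cert = b"constructed-vendor-cert", b"constructed-other-cert"
    store = PackageStore()
    return [
        store.install("com.example.bank", vendor_cert),          # first install
        store.install("com.example.bank", other_cert),           # foreign update
        store.install("com.example.bank", vendor_cert),          # genuine update
        store.install("com.example.wallpaper", other_cert),      # unknown signer
        store.install("com.example.helper", other_cert, "com.example.bank"),
        store.install("com.example.plugin", vendor_cert, "com.example.bank"),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The fourth result is the point made in the reply: an app from a never-before-seen signer installs into its own sandbox, so signing alone does not keep malware off the device.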