Re: [android-developers] Re: HTTPS access to PlayStore is very very very bad idea!

[bjv]

When Google  (if they haven't yet) starts pinning those server certs in the 
Play Store app (surprised that they don't already), your CA trick won't work. 
You'll have to steal their private keys. That won't end well. 

-- 
You received this message because you are subscribed to the Google Groups 
"Android Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to android-developers+unsubscr...@googlegroups.com.
To post to this group, send email to android-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/android-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/android-developers/c23bc025-6f7e-44b2-811a-05eda77912fa%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [android-developers] Re: HTTPS access to PlayStore is very very very bad idea!

[Tourism SecondGuide]

Well, well, in fact we currently use some kind of  MITM attack with our
cachebox, the only problem is that it needs for the user to first download
the cachebox's certificate before downloading the cached android package.
And the cachebox download the application once a day From Google Play. So
the only problem here is that the number of installations is not equal to
the number of downloads but for us that's not a problem as we have more
precise statistics for our customer than the information displayed on the
Google Play's application page.
That works, I just complain that the user needs to download a certificate
first for android an not for ios.
And I don't have particular fear about an attack of the cache server, no
more no less of every machine on Internet.

2016-05-18 13:38 GMT+02:00 Raymond Rodgers :

> I can't speak for Apple's situation, but not using SSL/HTTPS leaves
> security and safety very vulnerable. What you're doing, though you seem to
> be doing it for a positive reason, is essentially a man in the middle
> attack: you're intercepting traffic, with the intent of caching the
> packages for speed purposes, but what's to stop someone else from replacing
> a particular package with a modified version that infects the downloading
> device with malware or constant advertising? While it might be difficult or
> impossible to fake the the signature of the "safe" version of the package,
> the metadata telling you the correct signature could be faked as well, thus
> giving rise to an otherwise legitimate looking package. Encryption was
> developed to both keep private data private and to prevent man in the
> middle attacks. This is usually considered a good thing.
>
> Even assuming it was perfectly safe and allowed for you to cache the
> packages, there are other questions and issues to be considered: How would
> you check to see if you needed to update the cached package? How often
> would you check? How would you verify that the downloaded package isn't
> corrupt or compromised or is even the latest version? What's stopping a
> malicious attacker from compromising your server and altering or removing
> your cached applications? Do you have enough storage space for all the
> applications that your users want to download?
>
> I can't speak for what Apple is or isn't doing. I'm not an Apple developer
> and I don't own an iOS device, but I can tell you that I certainly wouldn't
> want my app or my data transmitted without encryption. Maybe the lack of
> encryption there is a design flaw, an error or oversight in code or
> configuration, a deliberate design choice for your region, or the result of
> an attack that they haven't detected yet, but given the walled nature of
> Apple's app ecosystem, I would be very surprised that they decided to just
> transmit the package over plain HTTP.
> On 05/18/2016 03:35 AM, Tourism SecondGuide wrote:
>
> I'm just surprised that Apple consider http application download enough
> secured. They usually are very sensitive to security problems.
> And anyway, https application downloading is a big problem in lot of cases.
>
> 2016-05-17 22:12 GMT+02:00 Raymond C. Rodgers :
>
>> What about the device and possibly user account information that might
>> get transmitted as part of the download process? Encrypting the package
>> while leaving meta data exposed will not help keep the application,
>> device, or user account secure.
>>
>> On 5/17/2016 2:27 AM, Tourism SecondGuide wrote:
>> > A better solution would be to secure the package
>> >
>> > Le samedi 14 mai 2016 18:03:40 UTC+2, bjv a écrit :
>> >
>> > So what you are saying is that Apple is better because they enable
>> > a MITM attack against your apps when being downloaded, perhaps
>> > letting criminals replace your app with their modified one?
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups "Android Developers" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to android-developers+unsubscr...@googlegroups.com
>> > .
>> > To post to this group, send email to
>> > android-developers@googlegroups.com
>> > .
>> > Visit this group at
>> 
>> https://groups.google.com/group/android-developers.
>> > To view this discussion on the web visit
>> >
>> https://groups.google.com/d/msgid/android-developers/392d51b7-25ac-495f-9bc4-ee43b466356e%40googlegroups.com
>> > <
>> https://groups.google.com/d/msgid/android-developers/392d51b7-25ac-495f-9bc4-ee43b466356e%40googlegroups.com?utm_medium=email_source=footer
>> >.
>> > For more options, visit 
>> https://groups.google.com/d/optout.
>>
>> --
>> You received this message because you are subscribed to a topic in the
>> Google Groups "Android 

Re: [android-developers] Re: HTTPS access to PlayStore is very very very bad idea!

[Raymond Rodgers]

I can't speak for Apple's situation, but not using SSL/HTTPS leaves 
security and safety very vulnerable. What you're doing, though you seem 
to be doing it for a positive reason, is essentially a man in the middle 
attack: you're intercepting traffic, with the intent of caching the 
packages for speed purposes, but what's to stop someone else from 
replacing a particular package with a modified version that infects the 
downloading device with malware or constant advertising? While it might 
be difficult or impossible to fake the the signature of the "safe" 
version of the package, the metadata telling you the correct signature 
could be faked as well, thus giving rise to an otherwise legitimate 
looking package. Encryption was developed to both keep private data 
private and to prevent man in the middle attacks. This is usually 
considered a good thing.


Even assuming it was perfectly safe and allowed for you to cache the 
packages, there are other questions and issues to be considered: How 
would you check to see if you needed to update the cached package? How 
often would you check? How would you verify that the downloaded package 
isn't corrupt or compromised or is even the latest version? What's 
stopping a malicious attacker from compromising your server and altering 
or removing your cached applications? Do you have enough storage space 
for all the applications that your users want to download?


I can't speak for what Apple is or isn't doing. I'm not an Apple 
developer and I don't own an iOS device, but I can tell you that I 
certainly wouldn't want my app or my data transmitted without 
encryption. Maybe the lack of encryption there is a design flaw, an 
error or oversight in code or configuration, a deliberate design choice 
for your region, or the result of an attack that they haven't detected 
yet, but given the walled nature of Apple's app ecosystem, I would be 
very surprised that they decided to just transmit the package over plain 
HTTP.


On 05/18/2016 03:35 AM, Tourism SecondGuide wrote:
I'm just surprised that Apple consider http application download 
enough secured. They usually are very sensitive to security problems.
And anyway, https application downloading is a big problem in lot of 
cases.


2016-05-17 22:12 GMT+02:00 Raymond C. Rodgers >:


What about the device and possibly user account information that might
get transmitted as part of the download process? Encrypting the
package
while leaving meta data exposed will not help keep the application,
device, or user account secure.

On 5/17/2016 2:27 AM, Tourism SecondGuide wrote:
> A better solution would be to secure the package
>
> Le samedi 14 mai 2016 18:03:40 UTC+2, bjv a écrit :
>
> So what you are saying is that Apple is better because they
enable
> a MITM attack against your apps when being downloaded, perhaps
> letting criminals replace your app with their modified one?
>
> --
> You received this message because you are subscribed to the Google
> Groups "Android Developers" group.
> To unsubscribe from this group and stop receiving emails from
it, send
> an email to android-developers+unsubscr...@googlegroups.com

> >.
> To post to this group, send email to
> android-developers@googlegroups.com

> >.
> Visit this group athttps://groups.google.com/group/android-developers.
> To view this discussion on the web visit
>

https://groups.google.com/d/msgid/android-developers/392d51b7-25ac-495f-9bc4-ee43b466356e%40googlegroups.com
>

.
> For more options, visithttps://groups.google.com/d/optout.

--
You received this message because you are subscribed to a topic in
the Google Groups "Android Developers" group.
To unsubscribe from this topic, visit

https://groups.google.com/d/topic/android-developers/C5u2uQTdKGk/unsubscribe.
To unsubscribe from this group and all its topics, send an email
to android-developers+unsubscr...@googlegroups.com
.
To post to this group, send email to
android-developers@googlegroups.com
.
Visit this group at
https://groups.google.com/group/android-developers.
To view this discussion on the web visit

https://groups.google.com/d/msgid/android-developers/573B7B24.3040003%40badlucksoft.com.
For 

Re: [android-developers] Re: HTTPS access to PlayStore is very very very bad idea!

[Tourism SecondGuide]

I'm just surprised that Apple consider http application download enough
secured. They usually are very sensitive to security problems.
And anyway, https application downloading is a big problem in lot of cases.

2016-05-17 22:12 GMT+02:00 Raymond C. Rodgers :

> What about the device and possibly user account information that might
> get transmitted as part of the download process? Encrypting the package
> while leaving meta data exposed will not help keep the application,
> device, or user account secure.
>
> On 5/17/2016 2:27 AM, Tourism SecondGuide wrote:
> > A better solution would be to secure the package
> >
> > Le samedi 14 mai 2016 18:03:40 UTC+2, bjv a écrit :
> >
> > So what you are saying is that Apple is better because they enable
> > a MITM attack against your apps when being downloaded, perhaps
> > letting criminals replace your app with their modified one?
> >
> > --
> > You received this message because you are subscribed to the Google
> > Groups "Android Developers" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to android-developers+unsubscr...@googlegroups.com
> > .
> > To post to this group, send email to
> > android-developers@googlegroups.com
> > .
> > Visit this group at https://groups.google.com/group/android-developers.
> > To view this discussion on the web visit
> >
> https://groups.google.com/d/msgid/android-developers/392d51b7-25ac-495f-9bc4-ee43b466356e%40googlegroups.com
> > <
> https://groups.google.com/d/msgid/android-developers/392d51b7-25ac-495f-9bc4-ee43b466356e%40googlegroups.com?utm_medium=email_source=footer
> >.
> > For more options, visit https://groups.google.com/d/optout.
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Android Developers" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/android-developers/C5u2uQTdKGk/unsubscribe
> .
> To unsubscribe from this group and all its topics, send an email to
> android-developers+unsubscr...@googlegroups.com.
> To post to this group, send email to android-developers@googlegroups.com.
> Visit this group at https://groups.google.com/group/android-developers.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/android-developers/573B7B24.3040003%40badlucksoft.com
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Android Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to android-developers+unsubscr...@googlegroups.com.
To post to this group, send email to android-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/android-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/android-developers/CAHxu9Eo2tQdQDc-VFVZVN%3DSmM9faW9%2BPSSMRnfmH_UV-JKQL8g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [android-developers] Re: HTTPS access to PlayStore is very very very bad idea!

[Raymond C. Rodgers]

What about the device and possibly user account information that might
get transmitted as part of the download process? Encrypting the package
while leaving meta data exposed will not help keep the application,
device, or user account secure.

On 5/17/2016 2:27 AM, Tourism SecondGuide wrote:
> A better solution would be to secure the package
>
> Le samedi 14 mai 2016 18:03:40 UTC+2, bjv a écrit :
>
> So what you are saying is that Apple is better because they enable
> a MITM attack against your apps when being downloaded, perhaps
> letting criminals replace your app with their modified one?
>
> -- 
> You received this message because you are subscribed to the Google
> Groups "Android Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to android-developers+unsubscr...@googlegroups.com
> .
> To post to this group, send email to
> android-developers@googlegroups.com
> .
> Visit this group at https://groups.google.com/group/android-developers.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/android-developers/392d51b7-25ac-495f-9bc4-ee43b466356e%40googlegroups.com
> .
> For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"Android Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to android-developers+unsubscr...@googlegroups.com.
To post to this group, send email to android-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/android-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/android-developers/573B7B24.3040003%40badlucksoft.com.
For more options, visit https://groups.google.com/d/optout.

[android-developers] Re: HTTPS access to PlayStore is very very very bad idea!

[Tourism SecondGuide]

A better solution would be to secure the package

Le samedi 14 mai 2016 18:03:40 UTC+2, bjv a écrit :
>
> So what you are saying is that Apple is better because they enable a MITM 
> attack against your apps when being downloaded, perhaps letting criminals 
> replace your app with their modified one?

-- 
You received this message because you are subscribed to the Google Groups 
"Android Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to android-developers+unsubscr...@googlegroups.com.
To post to this group, send email to android-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/android-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/android-developers/392d51b7-25ac-495f-9bc4-ee43b466356e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.