[android-developers] Re: Verifying app signatures
Some developers publish the same apk (signed by the same certificate) on both the Android market and other channels. In that case checking the public key of the signing certificate would not work. The only way to really ensure that an app is installed from Android market would be to use the same APIs (internal and unpublished) that the Android market uses to implement LVL.

--MB

PS: Would it be possible to share what is the end goal of this exercise?

On Nov 22, 12:17 pm, Fernando T ftr...@gmail.com wrote:
> So we want to verify that all apps on a phone come from the Android Market, because the setting to install apps only from the market can be turned on and off, in addition to apps being installed with adb, etc. One way I thought to do this is to make sure that it is signed by the developer of the app, or by the same certificate as it is in the Market. Even if different versions are installed, the certificate should match. Is there a way to programmatically get either the APK or the signature of the APK from the Android Market?

--
You received this message because you are subscribed to the Google Groups Android Developers group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
[android-developers] Re: Verifying app signatures
Thanks for the answers. The end goal is a security tool that checks to make sure a phone is configured securely based on some standard that some expert or consultant comes up with. So it checks passcodes, swipe patterns, wifi settings, bluetooth, etc. One of the checks we need is to verify that installed apps come from reputable sources, like the phone vendor or carrier or Android Market (assuming, of course, that this last source is in fact reputable).
[android-developers] Re: Verifying app signatures
If I may be of assistance - give me one or two of your ideas out of thread so that I do not get my canoe crossways in the creek.

Study LVL and do not listen to the detractors right away - then do the SALT correctly and read the damn source that they give you for the thing and listen closely to what Tim Bray posted on 01 September 2010 at 1:13 PM on Securing Android LVL Applications (it is in the Blog tab at developer.android).

You have to realize whatever the server sends back can be picked up with a simple cable patch, so like if you cannot do crypto then look for all the non-obvious ways you can think of, but once it is in-use then few DRM have ever not been cracked.

challenge is to shield the honest user from hackey-puck
ferget the expert consultant that's a scam
assume 10,000 crypto-kiddies with nothing to do but stay up all night and look at the de-compile of your code will happen in the first 7-10 days of release
it can get nasty when some competitor writes a check to someone to bust your code

On Nov 22, 8:51 pm, Fernando T ftr...@gmail.com wrote:
> Thanks for the answers. The end goal is a security tool that checks to make sure a phone is configured securely based on some standard that some expert or consultant comes up with. So it checks passcodes, swipe patterns, wifi settings, bluetooth, etc. One of the checks we need is to verify that installed apps come from reputable sources, like the phone vendor or carrier or Android Market (assuming, of course, that this last source is in fact reputable).
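
Added example, not part of any message in this thread: a sketch of the certificate check proposed in the first message, with the caveat from MB's reply carried into the code. The class name, the `pinned` map (which the auditor would have to build out of band) and the finding strings are assumptions; `com.android.vending` is the Market client's package name.

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
public final class AppSourceAudit {
    // Package name of the Android Market client, as recorded for Market installs.
    private static final String MARKET = "com.android.vending";
    // pinned (hypothetical input): package name -> allowed SHA-256 cert fingerprints, lowercase hex.
    public static List<String> audit(PackageManager pm, Map<String, Set<String>> pinned)
            throws NoSuchAlgorithmException {
        List<String> findings = new ArrayList<String>();
        for (PackageInfo pkg : pm.getInstalledPackages(PackageManager.GET_SIGNATURES)) {
            Set<String> allowed = pinned.get(pkg.packageName);
            if (allowed == null) {
                findings.add(pkg.packageName + ": no pinned certificate");
                continue;
            }
            // Every signer must be pinned; a single unknown signer fails the package.
            boolean ok = pkg.signatures != null && pkg.signatures.length > 0;
            for (int i = 0; ok && i < pkg.signatures.length; i++) {
                ok = allowed.contains(sha256Hex(pkg.signatures[i]));
            }
            if (!ok) findings.add(pkg.packageName + ": signer not in pinned set");
            // Advisory only: null for adb or preloaded installs, and a matching
            // certificate says who signed the APK, not which channel delivered it.
            String installer = pm.getInstallerPackageName(pkg.packageName);
            if (!MARKET.equals(installer)) {
                findings.add(pkg.packageName + ": installer recorded as " + installer);
            }
        }
        return findings;
    }

    private static String sha256Hex(Signature sig) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(sig.toByteArray());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

The two kinds of finding are kept separate because they answer different questions: the fingerprint check identifies the publisher, while the recorded installer is only a hint about the channel.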