Re: [android-developers] Re: Possible to check .apk signature?
On Thu, Oct 7, 2010 at 6:22 PM, DanH danhi...@ieee.org wrote:
> So what is protecting the application from forgery?

What do you mean? This is the cert it is signed with. Do you have some way to force the cert?

--
Dianne Hackborn
Android framework engineer
hack...@android.com

Note: please don't send private questions to me, as I don't have time to provide private support, and so won't reply to such e-mails. All such questions should be posted on public forums, where I and others can see and answer them.

--
You received this message because you are subscribed to the Google Groups Android Developers group. To post to this group, send email to android-developers@googlegroups.com. To unsubscribe from this group, send email to android-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/android-developers?hl=en
Re: [android-developers] Re: Possible to check .apk signature?
What CRC32 checksum?

Trevor Johns, in a discussion of LVL, offered up CRC32 as a means of helping detect tampering, but that was simply an example. Otherwise, I am coming up with zero references to the use of CRC32 with respect to APKs. Do you have a pointer to somewhere in the open source code where they are using a CRC32 checksum in this fashion?

Thanks!

On Fri, Oct 8, 2010 at 7:12 AM, DanH danhi...@ieee.org wrote:
> What I mean is that if the bad actor can manipulate the apk bytes while still maintaining the same checksum, then the whole scheme is insecure -- there's no point in having it signed. A CRC32 checksum is easily spoofed -- the apk bytes need to be checksummed with a cryptographic checksum of some sort.

--
Mark Murphy (a Commons Guy)
http://commonsware.com | http://github.com/commonsguy
http://commonsware.com/blog | http://twitter.com/commonsguy
Warescription: Three Android Books, Plus Updates, One Low Price!
Re: [android-developers] Re: Possible to check .apk signature?
An .apk is a super-set of a .jar, and uses the standard Java certificate and signing mechanisms in a .jar. If you are concerned about this being broken... well, not sure what to say. :}

On Fri, Oct 8, 2010 at 6:00 AM, DanH danhi...@ieee.org wrote:
> I may have misinterpreted. Presumably there's a checksum of the APK data in the signed certificate. I would assume (hope) that's a cryptographically strong checksum. (If not, the entire Android platform is in jeopardy.)
>
> If one wants a sure signature (in a generic sense) that uniquely and reliably identifies a SPECIFIC version of code, that cryptographic checksum would be what you want (though I don't know how you'd access that). Otherwise, the public key (which Dianne has finally explained is what the package signature is) is a secure, reliable way to identify the publisher (and, with the package name, the specific app (though not its version)). There's no point in creating a separate CRC32 over the app, to use as an identity to send back to a server or whatever.
>
> On Oct 8, 6:21 am, Mark Murphy mmur...@commonsware.com wrote:
> > What CRC32 checksum? Trevor Johns, in a discussion of LVL, offered up CRC32 as a means of helping detect tampering, but that was simply an example. Otherwise, I am coming up with zero references to the use of CRC32 with respect to APKs. Do you have a pointer to somewhere in the open source code where they are using a CRC32 checksum in this fashion? Thanks!
> >
> > On Fri, Oct 8, 2010 at 7:12 AM, DanH danhi...@ieee.org wrote:
> > > What I mean is that if the bad actor can manipulate the apk bytes while still maintaining the same checksum, then the whole scheme is insecure -- there's no point in having it signed. A CRC32 checksum is easily spoofed -- the apk bytes need to be checksummed with a cryptographic checksum of some sort.

--
Dianne Hackborn
Android framework engineer
hack...@android.com
Re: [android-developers] Re: Possible to check .apk signature?
On Wed, Oct 6, 2010 at 3:44 PM, DanH danhi...@ieee.org wrote:
> Supposedly PackageInfo.signatures[0] gives you the signature. However, there's a Catch-22: You can't get the signature until the app is packaged, and you can't modify the app to insert the signature after it's been packaged.

Despite its name, the contents of PackageInfo.signatures is the public keys your app is signed with. This absolutely, positively does not change between builds. This is the pure identity of the developer of the app.

--
Dianne Hackborn
Android framework engineer
hack...@android.com
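As an added example (not code from the thread), here is how an app can act on what Dianne describes above and on DanH's point that the public key identifies the publisher rather than a version: hash the DER certificate held in PackageInfo.signatures and compare it against a pinned SHA-256 fingerprint. The class name, the fingerprint constant and the keytool step are assumptions; GET_SIGNATURES is the API current at the time of this thread and is deprecated on newer Android releases.

```java
// Added example: pin the signing certificate of the running app (not from the thread).
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class SignerCheck {
    // Hypothetical pinned value: hex SHA-256 of the DER release certificate, read once
    // from the build machine (e.g. keytool -printcert -file META-INF/CERT.RSA on the
    // signed APK). The zero string is a placeholder, not a real fingerprint.
    private static final String EXPECTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    /** Returns true if any signer of this package matches the pinned certificate. */
    public static boolean signedByExpectedKey(Context ctx) {
        PackageInfo info;
        try {
            info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
        if (info.signatures == null) return false;
        byte[] expected = hexToBytes(EXPECTED_CERT_SHA256);
        for (Signature sig : info.signatures) {
            // Each Signature is the DER-encoded X.509 certificate (the public key), so
            // its hash is stable across builds and says nothing about the app version.
            byte[] actual = sha256(sig.toByteArray());
            if (MessageDigest.isEqual(expected, actual)) return true; // constant-time
        }
        return false;
    }

    private static byte[] sha256(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory on Android", e);
        }
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Because this check runs inside the APK it protects, a repackaged copy can be patched to skip it, so treat the result as one signal about the publisher's key rather than a guarantee of integrity.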
Re: [android-developers] Re: Possible to check .apk signature?
On 7 October 2010 01:34, JonFHancock jonfhanc...@gmail.com wrote:
> System.out.println line on, and copied it from Logcat. Then in actual production builds I just comment it out.

And then the app signature changed.
Re: [android-developers] Re: Possible to check .apk signature?
On 10/6/2010 6:44 PM, DanH wrote:
> Supposedly PackageInfo.signatures[0] gives you the signature. However, there's a Catch-22: You can't get the signature until the app is packaged, and you can't modify the app to insert the signature after it's been packaged.
>
> It would be better if one could get the public key used to sign the package, but that's apparently not accessible.

Actually, I originally intended that message to reference the public key, not the app signature, but I was suffering a mental brown-out at the time... :-p

The key may be accessible to the OS, but not available via API... It would be nice to get a Google type to comment on this, but the thread is still relatively new...

Raymond