authentication - How does Android's app/signature verification work? -

-

i want preface question 2 things can narrow down actual question is:

a) i've done software dev before, though never android

b) i'm familiar pki , encryptions , hashing , digital signatures , blah blah blah

that being said i'm having trouble tracking down more information , how android verifies app creators. i've heard lot of different information i'm trying synthesize better idea of workflow.

i know every app developer gets own private/public key pair , sign apps hashing apk (with sha-1 of time if i'm not mistaken) , there go. upload , (i believe) public key goes in meta inf inside apk. understand.

my question how relates when user downloads app itself. know phone checks make sure app validly signed, , signature has information author , etc included. i've read apps self signed , google play (or whatever they're calling market now) doesn't implement ca, , there's no identity authentication? question what, then, stops people uploading app under developers name (crowdsourcing aside)?

if phone checks valid signatures imply means of authentication done when app uploaded? , if that's case how app market check it? usual - use private key on file , verify signature? or developer have provide market private key authenticate?

in short, android , google play don't care what's in actual certificate. google play validate indeed, , check if valid 30 years or more, don't use (at least currently, afaik) actual info in cert. use own name/company name in cn, no 1 validate this, , users won't see info @ all. android is:

  • check signature make sure apk hasn't been tampered with
  • then compare singing certificate as binary blob 1 of installed version of app make sure 2 versions have been signed same key/certificate (e.g., same person/company)
  • it same thing enforce permission if using using shareduid or signature permissions 2 or more apps.

so, answer question, can create certificate name on it, android , google play don't care. long don't have private key, won't able produce app signature same yours , wouldn't able overwrite/update app theirs, or special permissions.


Comments

Post a Comment

Popular posts from this blog

django - How can I change user group without delete record -

-
on website user have 1 group. , user can change group. it's made user.groups.clear() and user.groups.add(new_group) but it's not efficient, because there 2 sql query: delete, insert. how can change group update query? user , group related each other using manytomanyfield . means intersection table exists relating both entities, , if don't specify model map (using through attribute) django creates 1 you. looking @ sources django.contrib.auth.models see that's case. fortunatly, can access intermediary model using through attribute of manager (in case, user.groups.through ). can use regular model. example: >>> alice = user.objects.create_user('alice', 'alice@example.com', 'alicepw') >>> employee = group.objects.create(name='employee') >>> manager = group.objects.create(name='manager') >>> alice.groups.add(employee) >>> alice.groups.all() [<group: employee...
Read more

java - Need to add SOAP security token -

-
i need set custom soap header attribute on jax-ws generated webservice client. case webservice calls must go through proxy server requiring specific token (recieved web request header) present in soap request header. e.g.: 1 carserviceservice service = null; 2 service = new carserviceservice(new url(url), new qname(qname); 3 carserviceendpoint port = service.getcarserviceport(); it seems in line 3 wsdl retrieved , call fails due missing security token. 1 point direction on how done? a detailed example has been mentioned here: creating , deploying jax-ws web service on tomcat 6 this article shows how create , use security token .
Read more

java - EclipseLink JPA Object is not a known entity type -

-
i have strange problem eclipselink , object want persist. have 1 object (keypointlistimpl) stores object keypointimpl in list. persisting keypointimpl objects works great if try persist keypointlistimpl object java.lang.illegalargumentexception says object keypointimpl isn't known entity type. here keypointimpl code: @entity @table(name="keypoints") public class keypointimpl implements keypoint { @id @generatedvalue(strategy = generationtype.identity) private int id; @enumerated(enumtype.string) private detectortype keypointtype; private float x; private float y; private float size; private float angle; private float response; private int octave; private int classid; ... } here keypointlistimpl code: @entity @table(name="keypointlists") public class keypointlistimpl implements keypointlist { @id @generatedvalue(strategy = generationtype.identity) private int id; @onetoone(cascade={ca...
Read more