[cabfpub] FW: Android app signing problems -- it's even worse than I imagined

[Chris Palmer]

On Fri, Sep 28, 2012 at 3:55 PM, Eddy Nigg (StartCom Ltd.)
<eddy_nigg at startcom.org> wrote:

> Not sure, but even after reading it (again), there is no point whatsoever
> as far as I can see. Or is there? Maybe it's not obvious....

Anonymous package integrity: Did it download correctly? Regardless of
who claims to have published it.

Package isolation: Every Android application is isolated from every
other by getting a distinct Linux UID/GID. However, if two packages
are signed by the same private key, they have the option to ask to be
given the same UID/GID. (If the two packages are not signed by the
same private key but they do ask to be given the same UID, Android
will reject the second package for which installation is attempted.)

Since every Android application has no special powers that it does not
explicitly ask for, and even if it asks for them the user gets to see
and approve before package installation continues, it matters less
from a run-time security perspective whether or not the package was
"really" published by Foo Corp or not. That is, you don't have to rely
on security by reputation; you can (in theory) rely on security by
privilege separation and least privilege.

So, the situation is quite different from traditional desktop OSs,
where when you install something you give the developer total control
over your computer and so you therefore REALLY want to know if it was
published by the REAL Microsoft because oh god this thing is so
dangerous and I am giving it full power eek.

That said, if some app claims to be published by Facebook or Microsoft
or Chris Palmer Enterprises, but in fact is published by some fool
with mismatched socks, the app and its developer are subject to the
usual trademark laws, and Google Play Store complaints and takedown
procedures. An affirmative, cryptographically-attested lie will only
hurt the sock-challenged fool in such situations...