In the previous post we introduced code signing every bit implemented inwards Android in addition to saw that it is practically identical to JAR signing. Android requires all installed packages to live on signed in addition to makes heavy usage of the attached code signing certificates inwards its safety model. This is where the major differences amongst other platforms that usage code signing lie, so nosotros volition explore the theme inwards to a greater extent than detail.
Java access control
Before nosotros start earthworks into Android's safety model, let's become through a quick overview of the corresponding features of the Java platform. Java was initially designed to back upward running potentially untrusted code, downloaded from a populace network (mostly applets). The initial applet sandbox model was extended to a to a greater extent than flexible, policy-based scheme where different permissions tin live on granted based on the code's root in addition to author. Code root refers to the house where classes are loaded from, typically a local file or a remote URL, spell authorship is asserted via code signatures in addition to is represented past times the signer's certificate chain. Combined those ii properties define a code source. Each code source is granted a laid of permissions based on a policy, the default implementation beingness to read rules from a policy file (created amongst the
As nosotros mentioned though, unless you lot are inwards the browser plugin or application server evolution line of piece of work concern chances are you lot hadn't heard almost whatsoever of this until the initiative of all of this year. Just when everyone thought that Java applets were for all intents in addition to purposes dead, they made somewhat of a comeback every bit a malware distribution medium. Influenza A virus subtype H5N1 different ways to bypass this are beingness discovered to catch up.
In short, Java has had full-featured code access command for some time, fifty-fifty though the most widely used implementation appears to live on lacking inwards enforcing it. But let's (finally!) larn dorsum to Android now. As the Java code access command machinery tin usage code signer identity to define code sources in addition to grant permissions, in addition to Android code is required to live on signed, ane mightiness await that our favourite mobile OS would live on making usage of the Java's safety model inwards some form, just every bit it does amongst JAR files. As it turns out, this is non the case. Access command related classes are usage of the Java API, in addition to are indeed available inwards Android. However, looking at the implementation reveals that they are practically empty, amongst just plenty code to compile. In addition, they characteristic a prominent 'Legacy safety code; do non use.' notice. So why bother reviewing all of the to a higher house then? Even though Android's access command model is really different from the legacy Java one, it does borrow some of the same ideas, in addition to a comparing is helpful when discussing the design decisions made.
policytool). At runtime a security manager (if installed) enforces access command past times comparing code elements on the stack amongst the electrical current policy. It throws a SecurityException if the permissions required to access a resources have got non been granted to the requesting code source. Java code that runs (or is started in) the browser, such every bit applets or Java Web Start applications, is automatically run amongst a safety manager installed, spell for local applications you lot involve to explicitly laid the java.security.manager in club to install one. In practice, a safety manager for local code is alone used amongst some applications servers, in addition to it is unremarkably disabled past times default. Influenza A virus subtype H5N1 broad make of permissions are supported past times the platform, the major ones beingness file in addition to socket-oriented, every bit good every bit different types of runtime permissions which command operations ranging from shape in addition to library loading to managing the electrical current safety manager. By defining multiple code sources in addition to assigning each ane specific permissions ane tin implement fine grained access command for both local in addition to remote code.As nosotros mentioned though, unless you lot are inwards the browser plugin or application server evolution line of piece of work concern chances are you lot hadn't heard almost whatsoever of this until the initiative of all of this year. Just when everyone thought that Java applets were for all intents in addition to purposes dead, they made somewhat of a comeback every bit a malware distribution medium. Influenza A virus subtype H5N1 different ways to bypass this are beingness discovered to catch up.
In short, Java has had full-featured code access command for some time, fifty-fifty though the most widely used implementation appears to live on lacking inwards enforcing it. But let's (finally!) larn dorsum to Android now. As the Java code access command machinery tin usage code signer identity to define code sources in addition to grant permissions, in addition to Android code is required to live on signed, ane mightiness await that our favourite mobile OS would live on making usage of the Java's safety model inwards some form, just every bit it does amongst JAR files. As it turns out, this is non the case. Access command related classes are usage of the Java API, in addition to are indeed available inwards Android. However, looking at the implementation reveals that they are practically empty, amongst just plenty code to compile. In addition, they characteristic a prominent 'Legacy safety code; do non use.' notice. So why bother reviewing all of the to a higher house then? Even though Android's access command model is really different from the legacy Java one, it does borrow some of the same ideas, in addition to a comparing is helpful when discussing the design decisions made.
Android safety architecture basics
Before nosotros speak over the role of code signing inwards Android's safety model, let's country a few words almost Android's full general safety architecture. As nosotros know, Android is Linux-based in addition to relies heavily on traditional UNIX features to implement its security architecture. Each application runs inwards a split procedure amongst a distinct identity (user ID, UID). By default apps cannot modify each other's resources in addition to this is enforced past times Linux which doesn't allow different processes to access retention or files they don't ain (unless access is explicitly granted past times the owner, a.k.a discretionary access control). Additionally, each app (UID) is granted a laid of logical permissions at install time, in addition to cannot perform operations (call APIs) that require permissions it doesn't have. This is the biggest divergence compared to the 'standard' Java permission model: code from different sources running inwards a unmarried procedure cannot have got different permissions, since permissions are granted at the UID level. Most permissions cannot live on dynamically granted after the bundle has been installed, yet every bit of 4.2 a number of 'development' permissions (e.g.,
Android permissions are typically implemented past times mapping them to Linux groups that have got the necessary read/write access to relevant organisation resources (files or sockets) in addition to so are ultimately enforced past times the Linux kernel. Some permissions are enforced past times organisation daemons or services past times explicitly checking if the calling UID is whitelisted to perform a special operation. The network access permission (
Each permission has an associated 'protection level' that indicates how the organisation proceeds when deciding whether to grant or deny the permission. The ii levels most relevant to our give-and-take are
Besides the built-in permissions, custom permissions tin also live on defined past times declaring them inwards the app manifest file. Those tin live on enforced statically past times the organisation or dynamically past times app components. Permissions attached to components (activities, services, broadcast receivers or content providers) defined inwards
READ_LOGS, WRITE_SECURE_SETTINGS) have got been introduced that tin live on granted or revoked on demand using the pm grant/revoke command (or matching organisation APIs). The organisation volition demo a confirmation dialog showing permissions requested past times an app earlier installing. With the exception of the novel 'development' permissions, all requested permissions are permanently granted if the the user allows the install. For a sure enough messaging app it looks similar this inwards Jelly Bean:
Android permissions are typically implemented past times mapping them to Linux groups that have got the necessary read/write access to relevant organisation resources (files or sockets) in addition to so are ultimately enforced past times the Linux kernel. Some permissions are enforced past times organisation daemons or services past times explicitly checking if the calling UID is whitelisted to perform a special operation. The network access permission (
INTERNET) is somewhat of a hybrid: it is mapped to a grouping (inet), but since network access is non associated amongst ane special socket, the substance checks whether processes trying to opened upward a socket are members of the inet grouping on each related organisation telephone call back (known every bit 'paranoid network security').Each permission has an associated 'protection level' that indicates how the organisation proceeds when deciding whether to grant or deny the permission. The ii levels most relevant to our give-and-take are
signature in addition to signatureOrSystem. The onetime is granted alone to apps signed amongst the same certificate every bit the bundle declaring the permission, spell the latter is granted to apps that are inwards the Android organisation image, fifty-fifty if the signer is different.Besides the built-in permissions, custom permissions tin also live on defined past times declaring them inwards the app manifest file. Those tin live on enforced statically past times the organisation or dynamically past times app components. Permissions attached to components (activities, services, broadcast receivers or content providers) defined inwards
AndroidManifest.xml are automatically enforced past times the system. Components tin also brand usage of framework APIs to cheque whether the calling UID has been granted a required permissions on a case-by-case Blue Planet (e.g., alone for write operations, etc.). We volition innovate other permission related details every bit necessary later, but you lot tin refer to this Marakana presentation for a to a greater extent than consummate in addition to thorough give-and-take of Android permissions (and more). Of course, some official documentation is also available.The role of code signing
As nosotros saw inwards the previous article, Android code signing is based on Java JAR signing. Consequently, it uses populace cardinal cryptography in addition to X.509 certificates every bit do a lot of other code signing schemes. However, this is where the similarities end. In practically all other platforms that usage code signing (for instance Java ME), code signing certificate needs to live on issued past times a CA that the platform trusts. While at that topographic point is no lack of CAs that number code signing certificates, inwards reality it is quite hard to obtain a certificate that volition live on trusted past times all targeted devices. Android solves this employment quite simply: it doesn't attention almost the actual signing certificate. Thus you lot do non involve to have got it issued past times a CA (although you lot could, in addition to most volition happily accept your money), in addition to virtually all code signing certificates used inwards Android are self-signed. Additionally, you lot don't involve to assert your identity inwards whatsoever way: you lot tin usage pretty much anything every bit the acre of written report call (the Google Play shop does have got a few checks to weed out some mutual names, but non the OS itself). Signing certificates are treated every bit binary blobs past times Android, in addition to the fact that they are inwards X.509 format is simply a outcome of using the JAR format. Android doesn't validate certificates every bit such: if the certificate is non self-signed, the signing CA's certificate does non have got to live on present, yet lonely trusted; it volition also happily install apps amongst an expired signing certificate. If you lot are coming from a traditional PKI background, this may audio similar heresy, but attempt to hold an opened upward heed in addition to regime notation that Android does not brand usage of PKI for code signing.
So what are code signing certificates used for then? Two things: making sure enough updates for an app are coming from the same writer (same root policy), in addition to establishing trust relationships betwixt applications. Both are implemented past times comparing the signing certificate of the currently installed target app amongst the certificate of the update or related application. Comparison boils down to calling
Let's examine the major uses of code signing inwards Android inwards detail.
So what are code signing certificates used for then? Two things: making sure enough updates for an app are coming from the same writer (same root policy), in addition to establishing trust relationships betwixt applications. Both are implemented past times comparing the signing certificate of the currently installed target app amongst the certificate of the update or related application. Comparison boils down to calling
Arrays.equals() on the binary (DER) representation of both certificates. This method naturally knows aught almost CAs or expiration dates. One outcome of this is that ane time an app (identified past times a unique bundle name) is installed, updates involve to usage the exact same signing certificates (with ane exception, run across side past times side section). While multiple signatures on Android apps are non common, if the master application was signed past times to a greater extent than than ane signer, whatsoever updates involve to live on signed past times the same signers, each using its master signing certificate. This agency that if your signing certificate(s) expires, you lot cannot update your app in addition to involve to unloose a novel ane instead. This would resultant inwards non alone losing whatsoever existing user base of operations or ratings, but to a greater extent than importantly losing access to the legacy app's information in addition to settings (again, at that topographic point are some exceptions). The solution to this employment is quite simple: don't allow your certificate expire. The currently recommended validity menstruum is at to the lowest degree 25 years, in addition to the Google Play Store requires validity until at to the lowest degree Oct 2033 (Y2K33?). While technically this alone amounts to putting off the problem, proper certificate migration back upward mightiness eventually live on added to the platform. Unfortunately, this agency that if your signing cardinal is lost or compromised, you lot are currently out of luck.Let's examine the major uses of code signing inwards Android inwards detail.
Application authenticity in addition to identity
In Android all apps are managed past times the organisation
As you lot tin run across above, a bundle entry specifies the bundle name, the location of the APK in addition to associated libraries, assigned UID in addition to some additional install metadata such every bit install in addition to update time. This is followed past times the number of signatures in addition to the signing certificate every bit a hexadecimal string. Since a hex-encoded certificate volition unremarkably accept upward around 2K, the actual certificate contents is listed alone once. All subsequent packages signed amongst the same certificate alone refer to it past times index, every bit is the instance above. The
Just similar user-installed apps, pre-installed apps (usually found inwards
The update (in
Speaking of organisation apps, most of those are signed past times a number of so called 'platform keys'. There are 4 different keys inwards the electrical current AOSP tree, named
PacakgeManagerService, no affair if they are pre-installed, downloaded from an app marketplace position or side loaded. It keeps a database of currently installed apps, including their signing certificate(s), granted permissions in addition to additional metadata inwards the /data/system/packages.xml file. Influenza A virus subtype H5N1 typical entry for a user-installed app mightiness aspect similar this:<package codepath="/data/app/com.chrome.beta-2.apk" flags="572996" ft="13e20480558" installer="com.android.vending" it="13ca981cbe3" name="com.chrome.beta" nativelibrarypath="/data/app-lib/com.chrome.beta-2" userid="10092" ut="13e204816ce" version="1453060"> <sigs count="1"> <cert index="8"> </cert> </sigs> <perms> <item name="android.permission.NFC"/> ... <item name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/> </perms> </package>
As you lot tin run across above, a bundle entry specifies the bundle name, the location of the APK in addition to associated libraries, assigned UID in addition to some additional install metadata such every bit install in addition to update time. This is followed past times the number of signatures in addition to the signing certificate every bit a hexadecimal string. Since a hex-encoded certificate volition unremarkably accept upward around 2K, the actual certificate contents is listed alone once. All subsequent packages signed amongst the same certificate alone refer to it past times index, every bit is the instance above. The
PackageManagerService uses the <cert/> values inwards packages.xml to create upward one's heed whether an update is signed amongst the same certificate every bit the master app. The certificate is followed past times the listing of permissions the bundle has been granted. All of this information is cached on retention (keyed past times bundle name) at runtime for performance reasons.Just similar user-installed apps, pre-installed apps (usually found inwards
/system/app) tin live on updated without a full-blown organisation update, unremarkably via the Play Store or a similar app distribution service. As the /system segmentation is mounted read-only though, updates are installed inwards /data, spell the master app remains every bit is. In add-on to a <package/> entry, such an app volition also have got a <updated-package> entry that mightiness aspect similar this:<updated-package name="com.google.android.youtube" codePath="/system/app/YouTube.apk" ft="13cd6667b50" it="13ae93df638" ut="13cd6667b50" version="4216" nativeLibraryPath="/data/app-lib/com.google.android.youtube-1" userId="10067"> <perms> <item name="android.permission.NFC" /> ... </perms> </updated-package>
The update (in
/data/app) inherits the master app's permissions in addition to UID. System apps have some other special handling every bit well: if an updated APK is installed over the master ane (in /system/app) it is allowed to live on signed amongst a different certificate. The rationale behind this is that if the installer has plenty privileges to write to /system, it tin live on trusted to alter the signing certificate every bit well. The UID, in addition to whatsoever files in addition to permissions are retained. Again, at that topographic point is an exception though: if the bundle is usage of a shared user (discussed inwards the side past times side section), the signature cannot live on updated, because that would touching on other apps every bit well. In the opposite case, when a novel organisation app signed past times a different certificate than that of the currently installed non-system app (with the same bundle name), the non-system app volition live on deleted first.Speaking of organisation apps, most of those are signed past times a number of so called 'platform keys'. There are 4 different keys inwards the electrical current AOSP tree, named
platform, shared, media in addition to testkey (releasekey for unloose builds). All packages considered usage of the core platform (System UI, Settings, Phone, Bluetooth etc.) are signed amongst the platform key, launcher in addition to contacts related packages -- amongst the shared key, the gallery app in addition to media related providers -- amongst the media key, in addition to everything else (including packages that don't explicitly specify the signing key) -- amongst the testkey. One thing to regime notation is that the keys distributed amongst AOSP are inwards no way special, fifty-fifty though they have got 'Google' inwards the certificate DN. Using them to sign your apps volition non give you lot whatsoever specific privileges, you lot volition involve the actual keys Google or your carrier/device manufacturer uses. Even though the associated certificates may lead house to have got the same DN every bit the ones inwards AOSP, they are different in addition to really unlikely to live on publicly accessible. Custom ROMs are oft an exception though, in addition to some, including CyanogenMod, usage the AOSP keys, or publicly available keys, every bit is (there are plans to alter this for CyanogenMod though). Sharing the signing cardinal allows packages to locomote together in addition to flora trust relationships, which nosotros volition speak over next.Inter-application trust relationships
Signature permissions
As nosotros mentioned above, Android permissions (system or custom) tin live on declared amongst the
The entry has the permission name, declaring bundle in addition to protection grade (2 corresponds to
That by in addition to large explains custom permissions, but what almost built-in, organisation permissions amongst
signature protection level. With this level, the permission is alone granted if the requesting app is signed past times the same signer every bit the bundle declaring the permission. This tin live on thought of every bit a express shape of mandatory access command (MAC). For custom (app-declared) permission, permissions are declared inwards the package's AndroidManifest.xml file, in addition to are added to the organisation when it is installed. Just every bit other bundle data, permissions are saved inwards the /data/system/packages.xml file, every bit children of the <permissions/> element. Here's how the proclamation of a custom permission used past times some Google apps looks like: <permissions> .. <item name="com.google.android.googleapps.permission.ACCESS_GOOGLE_PASSWORD" package="com.google.android.gsf.login" protection="2" /> ... </permissions>
The entry has the permission name, declaring bundle in addition to protection grade (2 corresponds to
signature) every bit attributes. When installing a bundle that requests this permission, the PackageManagerService volition perform binary comparing (just every bit when upgrading packages) of its signing certificate against the certificate of the Google Login Service (the declaring package, com.google.android.gsf.login) inwards club to create upward one's heed whether to grant the permission. Influenza A virus subtype H5N1 noteworthy item is that the organisation cannot grant a permission it doesn't know about. That is, if app Influenza A virus subtype H5N1 declares permission 'foo' in addition to app B uses it, app B needs to live on installed after app A, otherwise you lot volition larn a alarm at install fourth dimension in addition to the permission won't live on granted. Since app installation club typically cannot live on guaranteed, the usual workaround for this province of affairs is to declare the permission inwards both apps. Permissions tin also live on added in addition to removed dynamically using the PackageManger.addPermission() API (know every bit 'dynamic permissions'). However, packages tin alone add together permissions to a permission tree they define (i.e., you lot cannot add together permissions to some other app).That by in addition to large explains custom permissions, but what almost built-in, organisation permissions amongst
signature protection level? They locomote precisely every bit custom permissions, except that the bundle that defines them is special. They are defined inwards the android package, sometimes also referred every bit 'the framework' or 'the platform'. The core android framework is the laid of classes shared past times organisation services, some of them exposed via the populace SDK. Those are packaged inwards JAR files found inwards /system/framework. Interestingly, those JAR files are non signed: spell Android borrows the JAR format to implement code signing, alone APK files are signed, non actual JARs. The alone APK file inwards the framework directory is framework-res.apk. As the call implies, it packages framework resources (animation, drawables, layouts, etc.), but no actual code. Most importantly, it defines the android bundle in addition to organisation permissions. Thus whatsoever app trying to asking a system-level signature permission needs to live on signed amongst the same certificate every bit the framework resources package. Not surprisingly, it is signed past times the platform cardinal discussed inwards the previous department (usually found inwards build/target/product/security/platform.pk8|.x509.pem). The associated certificate may looks something similar this for an AOSP build:Version: iii (0x2) Serial Number: 12941516320735154170 (0xb3998086d056cffa) Signature Algorithm: md5WithRSAEncryption Issuer: C=US, ST=California, L=Mountain View, O=Android, OU=Android, CN=Android/emailAddress=android@android.com Validity Not Before: April fifteen 22:40:50 2008 GMT Not After : Sep 1 22:40:50 2035 GMT Subject: C=US, ST=California, L=Mountain View, O=Android, OU=Android, CN=Android/emailAddress=android@android.com
Shared user ID
Android provides an fifty-fifty stronger inter-app trust human relationship than using signature permissions: the powerfulness for different apps to run every bit the same UID, in addition to optionally inwards the same process. It is unremarkably referred to every bit 'shared user ID'. This characteristic is extensively used past times core framework services in addition to organisation applications, in addition to spell the Android squad does non recommend that third-party application usage it, it is available to user applications every bit well. It is enabled past times adding the
Influenza A virus subtype H5N1 shared UID is a initiative of all shape object inwards the system's
Here's how the
As you lot tin see, apart from having a bunch of scary permissions (about lx on a 4.2 device), the proclamation is really similar to the
The shared UID is non just a bundle administration construct, it truly maps to a shared Linux UID at runtime every bit well. Here is an instance of ii organisation apps running nether the
The ultimate trust grade on Android is, of course, running inwards the same process. Since apps that are usage of the same shared UID already have got the same Linux UID in addition to tin access the same organisation resources, this is non a problem. It tin live on requested past times specifying the same procedure call inwards the
android:sharedUserId attribute to AndroidManifest.xml's root element. The 'user ID' specified inwards the manifest needs to live on inwards Java bundle format (containing at to the lowest degree ane '.') in addition to is used every bit an identifier, much similar bundle names for applications. If the specified shared UID does non be it is simply created, but if some other bundle amongst the same shared UID is already installed, the signing certificate is compared to that of the existing package, in addition to if they do non match, a INSTALL_FAILED_SHARED_USER_INCOMPATIBLE mistake is returned in addition to installation fails. Adding the sharedUserId to the novel version of an already installed app volition drive it to alter its UID, which would resultant inwards losing access to its ain files (that was the case inwards some previous Android versions). Therefore, this is disallowed past times the system, in addition to it volition refuse the update amongst the INSTALL_FAILED_UID_CHANGED error. In short, if you lot programme to usage shared UID for your apps, you lot have got to pattern for it from the start, in addition to have got them usage it since the really initiative of all release.Influenza A virus subtype H5N1 shared UID is a initiative of all shape object inwards the system's
packages.xml in addition to is treated much similar apps are: it has associated signing certificate(s) in addition to permissions. Android has five built-in shared UIDs, automatically added when the organisation is bootstrapped:android.uid.system(SYSTEM_UID, 1000)android.uid.phone(PHONE_UID, 1001)android.uid.bluetooth(BLUETOOH_UID, 1002)android.uid.log(LOG_UID, 1007)android.uid.nfc(NFC_UID, 1027)
Here's how the
system shared UID is defined:<shared-user name="android.uid.system" userId="1000"> <sigs count="1"> <cert index="4" /> </sigs> <perms> <item name="android.permission.MASTER_CLEAR" /> <item name="android.permission.CLEAR_APP_USER_DATA" /> <item name="android.permission.MODIFY_NETWORK_ACCOUNTING" /> ... <shared-user/>
As you lot tin see, apart from having a bunch of scary permissions (about lx on a 4.2 device), the proclamation is really similar to the
package declarations nosotros showed previously. Conversely, packages that are a usage of a shared UID, do non have got an associated granted permission list. They inherit the permissions of the shared UID, which are a spousal human relationship of the permissions requested past times all currently installed packages amongst the same shared UID. Influenza A virus subtype H5N1 side effect of this is, that if a bundle is usage of a shared UID, it tin access APIs it hasn't explicitly requested permissions for, every bit long every bit some bundle amongst the same shared UID has already requested them. Permissions are dynamically removed from the <shared-user/> proclamation every bit packages are installed or uninstalled though, so the laid of available permissions is neither guaranteed nor constant. Here's how the proclamation of a organisation app (KeyChain) that runs nether a shared ID looks like. It references the shared UID amongst the sharedUserId attribute in addition to lacks explicit permission declarations:<package name="com.android.keychain" codePath="/system/app/KeyChain.apk" nativeLibraryPath="/data/app-lib/KeyChain" flags="540229" ft="13cd65721a0" it="13c2d4721f0" ut="13cd65721a0" version="17" sharedUserId="1000"> <sigs count="1"> <cert index="4" /> </sigs> </package>
The shared UID is non just a bundle administration construct, it truly maps to a shared Linux UID at runtime every bit well. Here is an instance of ii organisation apps running nether the
system UID:system 5901 9852 845708 40972 ffffffff 00000000 due south com.android.settings organisation 6201 9852 824756 22256 ffffffff 00000000 due south com.android.keychain
The ultimate trust grade on Android is, of course, running inwards the same process. Since apps that are usage of the same shared UID already have got the same Linux UID in addition to tin access the same organisation resources, this is non a problem. It tin live on requested past times specifying the same procedure call inwards the
process attribute of the <application/> chemical element inwards the manifest for all apps that involve to run inwards ane process. While the obvious resultant of this is that the apps tin part retention in addition to communicate direct instead of using RPC, some organisation services allow special access to components running inwards the same procedure (for instance direct access to cached passwords or getting authentication tokens without showing UI prompts). Google apps accept payoff of this past times requesting to run inwards the same procedure every bit the login service inwards club to live on able to sync information inwards the background, without user interaction (e.g., Play Services in addition to the Google location service). Naturally, they are signed withe same certificate in addition to usage of the com.google.uid.shared shared UID.Summary
Android uses the Java JAR format for code signing, in addition to signatures tin live on added to both application packages (APKs) in addition to organisation update packages (OTA updates). While JAR signing is based on X.509 certificates in addition to PKI, Android does non usage or validate the signer certificates every bit such. They are treated every bit binary blobs in addition to an exact byte agree is required inwards club for the organisation to consider ii packages signed past times the same signer. Package signature matching is at the pump of the Android safety model, used both to guarantee that bundle updates come upward from the same root in addition to when establishing inter-application trust relationships. Inter-app trust relationships tin live on created either using signature-level permissions (built-in or custom), or past times allowing apps to part the same organisation UID and, optionally, process.
Tag :
android security
0 Komentar untuk "Droidcedas : Code Signing Inward Android's Safety Model"