[guardian-dev] TOFU/POP: Whole APK Hash?

Mark Murphy mmurphy at commonsware.com
Wed Jan 29 18:44:36 EST 2014

I read your blog post:


Is the whole-APK hash there because of the master key vulnerability? Or
is there another attack by which the signature would appear valid but
the APK be hacked? Or am I missing something in my current
sleep-deprived state? :-)

A whole-APK hash itself becomes invalid on every update of the
to-be-hashed app. If every time the other app updates, we ask the user
to confirm the pinned app, aren't we at risk of having the user "tune
out" these confirmations?

You have thought about this a lot more than I have, so I'm just curious
as to the rationale, that's all. I cover the signature check approach in
my book, and I'm just trying to determine if I need to be extending that
to evangelize the whole-APK hash.

BTW, you don't happen to have a library that implements these checks,
with the pinning and all, do you? 


Mark Murphy (a Commons Guy)
http://commonsware.com | http://github.com/commonsguy
http://commonsware.com/blog | http://twitter.com/commonsguy

_The Busy Coder's Guide to Android Development_: Version 5.5... And
Still Going Strong!

More information about the Guardian-dev mailing list