[guardian-dev] TOFU/POP: Whole APK Hash?

Hans-Christoph Steiner hans at guardianproject.info
Wed Jan 29 19:33:40 EST 2014

On 01/29/2014 06:54 PM, Mark Murphy wrote:
> On Wed, Jan 29, 2014, at 15:51, Hans-Christoph Steiner wrote:
>> Sounds like you understand correctly.  The whole APK hash is a defense
>> against
>> things like the master key vulnerability, but yes, it would be a pain in
>> the
>> ass to make easy to use.  For people who need that
> Your last sentence was eaten by a grue. :-)

Lost that train of thought.  Basically, some specific scenarios require very
stringent checks, and in that case, people are willing to manage the pain of a
full APK check.


>> As for implementations of these ideas, we have bits and pieces here and
>> there,
>> but no coherent whole.  The goal is to make the useful parts into a
>> easy-to-use library.
> OK, thanks for the confirmation!

PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81

More information about the Guardian-dev mailing list