[guardian-dev] TOFU/POP: Whole APK Hash?
hans at guardianproject.info
Wed Jan 29 19:33:40 EST 2014
On 01/29/2014 06:54 PM, Mark Murphy wrote:
> On Wed, Jan 29, 2014, at 15:51, Hans-Christoph Steiner wrote:
>> Sounds like you understand correctly. The whole APK hash is a defense
>> against things like the master key vulnerability, but yes, it would be a pain in
>> the ass to make easy to use. For people who need that
> Your last sentence was eaten by a grue. :-)
Lost that train of thought. Basically, some specific scenarios require very
stringent checks, and in that case, people are willing to manage the pain of a
full APK check.
>> As for implementations of these ideas, we have bits and pieces here and
>> there, but no coherent whole. The goal is to make the useful parts into a
>> easy-to-use library.
> OK, thanks for the confirmation!
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81