Google Android and Code Signing App Shops
After listening to Mike Jennings excellent intro to Android presentation at the London Dev Day I floated an idea which seemed to have some traction so I thought I’d expand it out for those that are interested.
There is currently no way for a user to judge how trustworthy an Android application is. A user can say what they will allow an application to do (such as dialling out, intercepting SMSs', etc.), but a user can’t easily tell if an application is not a Trojan horse (e.g. a dialler that does call routing through a premium rate number instead of dialling the user requested number directly).
It’s possible for a developer to sign the code, but if this is the only signature allowed it raises the question of how does every Android developer become a known and trusted brand to the user without encouraging the security disaster of “Just click OK until it starts” behaviour.
Overview of the idea.
This idea is a combination of the PGP/GPG “Web of trust” and code signing. What it involves is expanding the Android manifest file to allow the inclusion of multiple digital signatures which could be created by third parties and added to the manifest to show that a third party has checked the application and deems it to be trustworthy.
There will still be a single developer code signature which allows third parties to verify the source, but there will also be the ability to allow MULTIPLE third party signatures so that a single application can ship with a list of third parties which vouch for the applications trustworthiness.
The reason that this shouldn’t replace the existing code signing system is that some third parties may wish to trust an application based purely on the original developer and so will want a method of knowing the applications original source irrespective of how many other parties vouch for the app.
Why this is a good open solution.
As with a web of trust (or buying from the high street) the user can make judgements based the brand name of the third parties involved. This means that if I write an application that, say, T-Mobile think is cool and they want to offer it to their users then they can create a digital signature, put it into the manifest (and hopefully send me a copy of the signature so I can update the main app manifest), and then when a T-Mobile user goes to install the application they can see that their carrier things it’s OK to use.
This is not just a carrier thing. If a phone manufacturer, say, HTC, thought the app was cool they could sign it, modify the manifest (hopefully sending me a copy again), and then people using HTC phones on whatever carrier would know that the phone manufacturer things it’s safe to run the app.
Going beyond the hardware/carrier space it would allow third parties to set up application shops which would trade off of their Brand. This would allow, say, Google, to have an app shop with apps they’ve tested and think are cool, as well as people like Electronic Arts, Wal-Mart, and anyone else who wants to set up an app shop.
[added]Going further than that it allows meta-shops to be set up. These would be shops which use the third party signing information to help users select apps they want to use (e.g. you could have a store which allows you to look for applications which are signed as trusted by, Google, T-Mobile, and HTC or have signatures from Vodafone and Sony Ericsson).[/added]
In a nutshell it allows ANYONE to sign an app and say that they consider it trustworthy, and it allows the user to make a decision based on the list of third parties (e.g. if the list includes Google, Ma and Pas' software shack, and Vodafone a T-Mobule customer may trust it because Google have marked it as trusted, and a Vodafone customer would be happy to see Vodafone say it’s OK, and Ma and Pas' friends may trust it because Ma and Pa say it’s fine by them).
Nuts and Bolts of the solution
If deliberately avoided talking about algorithms, specifying manifest changes, etc., because the intro to Android talk is the only exposure I’ve had to the platform. I’m going to float a few ideas here, but if they may be off-base if I’ve misunderstood something.
Crypto: Android already has an libraries which handles digital certificates and can handle code signing, this means that the mechanics of the solution are already in place, which would make adoption easier.
Verification Certificate Distribution: This problem has already been partially addressed by the distribution of certificates to handle code signing.
Signature Distribution: Signatures could be added to the XML manifest file which ships with an application.
Web of Trust : The platform should allow a user to select which third parties they consider trustworthy and thus will accept applications from without warnings about trustworthiness (but the user will still be asked to grant permissions even if an application has a signature for a trusted third party). The platform should also allow URLs to be added by Android customisers (such as carriers) which would point to a file containing the latest verification certificates for third parties trusted by the customiser (e.g. T-Mobile may ship a URL which points to a file containing the certs for Google, Electronic Arts, and HTC).
As always, welcomed below…
This is not an attempt to try and tell the user which third parties to trust, it is an attempt to provide a mechanism by which users can see which third parties consider the application trustworthy (i.e. it’s not trying to tell the user to trust, say, Google, it’s a mechanism for allowing the user to see that Google trusts an application and make a decision based on whether the user trusts Google).
This idea is trying to avoid a single certification process operated by a single entity so that a developer is not entirely dependant on any single third party in order to get their apps to market and labelled as trustworthy by someone.