...
Signing code, however, has its own problems. According to Schneier [Schneier 2000]
First, users have no idea how to decide if a particular signer is trusted or not. Second, just because a component is signed doesn't mean that it is safe. Third, just because two components are individually signed does not mean that using them together is safe; lots of accidental harmful interactions can be exploited. Fourth, "safe" is not an all-or-nothing thing; there are degrees of safety. And fifth, the fact that the evidence of attack (the signature on the code) is stored on the computer under attack is mostly useless: The attacker could delete or modify the signature during the attack, or simply reformat the drive where the signature is stored.
...
The Android system uses code signing as a means of identifying the author of an application and establishing trust relationships between applications, not as a means of granting elevated privileges to code.
Bibliography
| |
Appendix C, Sign Only Privileged Code | |
|
...
Rule 16: Runtime Environment (ENV) Rule 16: Runtime Environment (ENV)