I want to preface this question with two things, so I can narrow down where my real question is:
a) I have done software development before, but never for Android.
b) I am familiar with PKI, encryption, hashing, digital signatures and blah blah blah.
That said, I had trouble finding additional information on where and how Android checks application creators. I have heard a lot of different information, so I'm trying to synthesize it in order to better understand the workflow.
I know that each application developer gets their own private/public key pair, and that they sign their applications by hashing the APK (with SHA-1 most of the time, if I'm not mistaken), and there you go. You download it and (I suppose) the public key is placed in META-INF inside the APK. I understand that.
My question is how this relates to when the user downloads the application on their own. I know that the phone checks whether the application is really signed, and that the signature also contains information about the author, etc. But I also read that applications are self-signed and that Google Play (or whatever they call the market now) does not implement a CA, so is there no authentication of the identity? But then my question is: what stops people from uploading the application under a different developer name (crowdsourcing)?
If the phone only checks for a valid signature, does this mean that only one authentication step is performed when the application is downloaded? And if that is the case, how does the application market test this? Is it normal to use the private key in a file and verify the signature? Or should the developer provide the market with their private key for authentication?
Fewmitz
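The flow the question describes (digest the archive contents, sign, ship the public key in META-INF, and have the phone check only that the signature is valid) as an added worked example; this is not code from the question or from Android itself. It models the v1 JAR-style scheme: textbook RSA over fixed Mersenne primes stands in for the real RSA/PKCS#7 `CERT.RSA` blob, and a bare public key stands in for the developer's self-signed certificate. The file names, the `toy-signer` Created-By value and the sample file contents are constructed. It shows the three checks the installer performs, the one thing it does not do (consult any CA or developer name: the signer's identity is nothing more than the key's fingerprint), and the rule that ties an app to its developer in practice: an update installs only if it is signed with the same key as the already-installed version.

```python
"""Toy model of Android's v1 (JAR-style) APK signature and the checks the phone makes at install.
Constructed illustration only: textbook RSA stands in for the real PKCS#7 CERT.RSA blob, and the
bare public key stands in for the developer's self-signed X.509 certificate. Not secure."""
import base64
import hashlib
import io
import zipfile


def toy_keypair(p, q, e=65537):
    """Textbook RSA from two known primes: ((n, e) public, (n, d) private). Toy only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


DEV_A = toy_keypair((1 << 61) - 1, (1 << 127) - 1)  # Mersenne primes M61 and M127
DEV_B = toy_keypair((1 << 89) - 1, (1 << 107) - 1)  # Mersenne primes M89 and M107


def _b64_sha1(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def _section(*lines):
    return "\r\n".join(lines).encode() + b"\r\n\r\n"


def _parse(block):
    """Split a manifest-style block into one {attribute: value} dict per section."""
    return [dict(line.split(": ", 1) for line in sec.split("\r\n"))
            for sec in block.decode().split("\r\n\r\n") if sec]


def build_manifest(files):
    """META-INF/MANIFEST.MF: one SHA-1 digest per file in the archive."""
    out = _section("Manifest-Version: 1.0", "Created-By: toy-signer")
    for name, data in files.items():
        out += _section("Name: " + name, "SHA1-Digest: " + _b64_sha1(data))
    return out


def sign_apk(files, keypair):
    """Developer side: write the files plus META-INF/{MANIFEST.MF, CERT.SF, CERT.RSA}."""
    (n, e), (_, d) = keypair
    manifest = build_manifest(files)
    # CERT.SF vouches for the manifest (the real format also digests each manifest section).
    cert_sf = _section("Signature-Version: 1.0", "SHA1-Digest-Manifest: " + _b64_sha1(manifest))
    digest = int.from_bytes(hashlib.sha1(cert_sf).digest(), "big")
    signature = pow(digest, d, n)  # RSA signature over CERT.SF with the developer's private key
    cert_rsa = f"{n}\n{e}\n{signature}\n".encode()  # toy CERT.RSA: signer's public key + signature
    meta = {"META-INF/MANIFEST.MF": manifest, "META-INF/CERT.SF": cert_sf, "META-INF/CERT.RSA": cert_rsa}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in {**files, **meta}.items():
            z.writestr(name, data)
    return buf.getvalue()


def verify_apk(apk):
    """Phone side: raises ValueError on any mismatch, else returns the signer's key fingerprint.
    No CA and no developer name is consulted; the key shipped in the APK is the only identity."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        manifest = z.read("META-INF/MANIFEST.MF")
        cert_sf = z.read("META-INF/CERT.SF")
        n, e, signature = (int(x) for x in z.read("META-INF/CERT.RSA").split())
        files = {i.filename: z.read(i) for i in z.infolist() if not i.filename.startswith("META-INF/")}
    # 1. The signature must verify under the public key shipped inside the APK itself.
    if pow(signature, e, n) != int.from_bytes(hashlib.sha1(cert_sf).digest(), "big"):
        raise ValueError("CERT.SF signature does not verify")
    # 2. The signed CERT.SF must name this exact MANIFEST.MF.
    if _parse(cert_sf)[0]["SHA1-Digest-Manifest"] != _b64_sha1(manifest):
        raise ValueError("MANIFEST.MF does not match the signed CERT.SF")
    # 3. Every file must be listed in the manifest, and its digest must match the file content.
    listed = {s["Name"]: s["SHA1-Digest"] for s in _parse(manifest)[1:]}
    if listed != {name: _b64_sha1(data) for name, data in files.items()}:
        raise ValueError("archive contents do not match MANIFEST.MF")
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()


def update_allowed(installed_fingerprint, update_apk):
    """Same-signer rule: an update installs only if signed with the key the installed version used."""
    return verify_apk(update_apk) == installed_fingerprint


def replace_entry(apk, name, data):
    """Rebuild the archive with one entry changed and META-INF left as it was (a modified build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk)) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            dst.writestr(info.filename, data if info.filename == name else src.read(info))
    return buf.getvalue()


def demo():
    """Install with DEV_A's key, then try a modified copy and an update from each key."""
    files = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"constructed dex bytes v1"}
    installed = sign_apk(files, DEV_A)
    fingerprint = verify_apk(installed)
    try:
        verify_apk(replace_entry(installed, "classes.dex", b"modified dex bytes"))
        modified_rejected = False
    except ValueError:
        modified_rejected = True
    files["classes.dex"] = b"constructed dex bytes v2"
    return {"modified_copy_rejected": modified_rejected,
            "update_by_same_key": update_allowed(fingerprint, sign_apk(files, DEV_A)),
            "update_by_other_key": update_allowed(fingerprint, sign_apk(files, DEV_B))}
```

`demo()` returns `{'modified_copy_rejected': True, 'update_by_same_key': True, 'update_by_other_key': False}`: the signature catches any change to the archive, and the same-signer rule is what stops a second party's key from taking over an installed app, even though nothing in the package proves who that key belongs to. That is also why the private key never leaves the developer: the market only needs the public key embedded in the APK to run exactly the checks `verify_apk` does.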