biodranik
commented
8 years ago We don’t check downloaded maps at the moment for any modifications, the only check is the map size. It is a good idea to use some hash checking after downloading map, but not because of security reasons. It usually helps to find “broken” SD-cards on Android devices and avoid app hangs/crashes.
On Dec 14, 2015, at 21:19, rugk notifications@github.com wrote:
How do you verify them currently? If you do not do this at all I would like to suggest at least a basic public/signature key verification to prevent tampering of maps data
I mean Maps data is not so bad if it has been tampered, but it is still not very nice and with a faked map data you could possibly send people to places they don't want to go to
Obviously you could also use HTTPS to deliver the updates This would even have the advantage that you also protect the users from eavesdroppers, who want to get out for what countries the user downloads maps This could allow the attacker to predict vacation trips eg
— Reply to this email directly or view it on GitHub https://github.com/mapsme/omim/issues/984.
rugk
How do you verify them currently? If you do not do this at all I would like to suggest at least a basic public/signature key verification to prevent tampering of maps data.
I mean Maps data is not so bad if it has been tampered, but it is still not very nice and with a faked map data you could possibly send people to places they don't want to go to. :wink:
Obviously you could also use HTTPS to deliver the updates. This would even have the advantage that you also protect the users from eavesdroppers, who want to get out for what countries the user downloads maps. This could allow the attacker to predict vacation trips e.g..