Jb3void wrote: Right now if you do app development in most cases you are also code signing the app
Not me. I figure if they have access to the server such that they can replace components then everything is already compromised. Not to mention that if they can do so in a useful manner then I would suspect an inside job as well (which the vast majority of breaches are anyways.)
Jb3void wrote: Server receives a request for a particular client app, based on the request params the server changes the app's resources, then code signs it, replying with the final result.
Not sure I understand what that scenario is suggesting.
Code signing involves using a certificate when the code is built (part of the CM build process) to provide security when the application runs. It allows the application to verify resources that it loads, such as a library.
That is a limited-scope solution. All that is required is that a local machine (not cloud) is used for the final step of the process before delivery.
Your statement above suggests you are doing something in the normal client message handling scheme. That would be outside the scope of what I laid out.
Now I can see that if you are using a cloud server to do your builds then that would appear to be a problem for normal code signing. But your description would not seem to jibe with that.