We started March out with a two-day user experience sprint as a pre-event to RightsCon. We spent two days going through the Bazaar bootstrapping and app swapping experience, based on the bits that we got working in February. We had a number of people join us, including one of the main people behind the Cydia app store for rooted iPhones and a core team member from Psiphon, and it was a very fruitful two days. We did manage to get 4 or 5 people through the whole bootstrapping and app swapping procedure at that event. We also mapped out all of the possible ways of swapping apps, and put together a scheme for walking the user through the techniques that we found most useful. Lots of notes here:
We also dug into some details of the auditing process, and now have some preliminary links to the data available on https://androidobservatory.org. There, people can find out specific information about the APK that they have installed on their phone, like what other APKs have been signed by the same key, whether it's been seen before by others, etc. This can provide powerful links to user-generated content like how many people also have this same APK installed, where they got it, whether they trust the provider, etc.
We also dug into the hornet's nest of crypto smartcards (aka Hardware Security Modules aka HSMs). Part of this effort culminated in a HOWTO for using crypto smartcards for signing Android APKs: