I am creating a personal application that can locally manage/control an android device. In particular, I want to be able to do things such as lock down the device, enforce password policies, and wipe the device according to the local state of the device. I have reviewed a number of possible ways of doing this, but that is where I run into trouble.
According to this documentation, DeviceAdmin is essentially deprecated (i.e. the device must be Managed or have Managed Profile to access most of the DeviceAdmin API).
According to this documentation, creating a custom Device Policy Controller (DPC) is essentially deprecated. Side note: from context I am assuming a DPC is essentially a DeviceAdmin with a Managed device/profile but I can't find anywhere that explicitly states that (please correct me if I am wrong).
And finally I'm led to the Android Management API, which at first seems to be what I want. Until I go through the quickstart and find out that I have to create a server and manage the device through a client-server relationship. As a reminder, I am looking for a way to locally manage the device. Now there are release notes indicating that local management may be coming in the future, but that is not now.
So here is my question: is there a currently supported way to locally manage a device?
I am aware of a developer hack that can set an application as a device owner. And while this may be able to work for my personal use, that seems like a pretty big hole in terms of enterprise management.
It is correct that, as of today, Android Enterprise has no way to manage a device locally. There is an open feature request to add support for the local execution of commands as part of our push for extensibility integration with the AMAPI SDK. But as mentioned, it is not currently supported.
Despite Android Enterprise no longer accepting new registrations/validations for custom device policy controllers (DPCs), developers can still build a device policy controller to lock down a device, enforce password policies, and wipe the device according to the local device state. You can still build one and deploy it to your device with a QR or NFC. That said, it's important to note that the DPC would NOT be able to use the Play EMM APIs (so, no app management via the Play Store). This limitation may disqualify the solution for you.
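As an added illustration (not code from the answer above or from any Google project), a minimal device-owner DPC skeleton that applies the three controls named in the answer from local state only: a password policy, an immediate lock, and a wipe decided on the device itself. The class names, the grace period and the thresholds are assumptions; the receiver must be declared in the manifest and the app must already have been provisioned as device owner or profile owner.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;

/** Admin receiver; the manifest must declare it with BIND_DEVICE_ADMIN and device_admin meta-data. */
public class LocalAdminReceiver extends DeviceAdminReceiver {
}

/** Hypothetical helper that applies policy from local state only; no server is involved. */
final class LocalPolicy {
    private static final long GRACE_PERIOD_MS = 24L * 60 * 60 * 1000; // assumed: one day to comply

    private final Context ctx;
    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    LocalPolicy(Context ctx) {
        this.ctx = ctx;
        this.dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = new ComponentName(ctx, LocalAdminReceiver.class);
    }

    /** The calls below throw SecurityException unless this app is device owner or profile owner. */
    boolean isOwner() {
        String pkg = ctx.getPackageName();
        return dpm.isDeviceOwnerApp(pkg) || dpm.isProfileOwnerApp(pkg);
    }

    /** Password policy: quality, length, idle lock and a failed-unlock wipe threshold. */
    void enforcePasswordPolicy() {
        // setPasswordQuality is deprecated from API 31 in favour of setRequiredPasswordComplexity.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_COMPLEX);
        dpm.setPasswordMinimumLength(admin, 8);
        dpm.setMaximumTimeToLock(admin, 60_000L);        // lock after 60 s idle
        dpm.setMaximumFailedPasswordsForWipe(admin, 10); // the system wipes after 10 bad unlocks
    }

    /** Immediate lockdown: lock the screen right now. */
    void lockDown() {
        dpm.lockNow();
    }

    /** Local decision: wipe only if the password is still non-compliant after the grace period. */
    boolean wipeIfNonCompliant(long policySetAtMs, long nowMs) {
        if (dpm.isActivePasswordSufficient()) return false;
        if (nowMs - policySetAtMs < GRACE_PERIOD_MS) return false;
        dpm.wipeData(DevicePolicyManager.WIPE_EXTERNAL_STORAGE);
        return true;
    }
}
```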
Related
I want to build an app to transfer message history between iOS and Android.
Apple does not allow third party apps to access messages, but Samsung Smart Switch circumvents this by using either phone-to-phone USB connection or by accessing iCloud. Google phone transfer seems to do a similar thing.
How do these apps make this possible and is this something third party developers can do?
I don't think you can transfer things over like that from Android to an Apple iPhone, unless they give you the option when you are first setting up the iPhone to transfer contents over from Android, and it also transfers the messages.
Another option, though it's been a long time since I have used an Android device: you could use something like https://messages.google.com/web to load up your Android messages from your phone and possibly just export them and save them to your computer.
As for developing such a tool working within the Messages API for Apple, I think you can only develop extensions or add-ons but can't directly access the content for security reasons. Without further research, the companies might only be allowing the company to do this via a contract between them, but would not let a 3rd-party vendor such as you or I access this data.
https://developer.apple.com/app-store/review/guidelines/
Nowhere in the guidelines does it specify that you can't access the SMSes. But you can only access it if you use private methods which are not allowed and will get your app rejected.
You can only access data for which Apple supplies a documented API. You cannot access files outside the sandbox of your app unless Apple provides an API for it.
I have an Android application on Play Store and I want to detect if a user is using the original version of the app downloaded from play store or a mod apk from other sources.
Your Question
I have an Android application on Play Store and I want to detect if a user is using the original version of the app downloaded from play store or a mod apk from other sources.
A very simple question that embraces so many things to be fully answered, but from a high-level view you can tackle this from within your mobile app or from the outside.
Detecting from Within the Mobile app
Doing it from inside is known as RASP:
Runtime application self-protection (RASP) is a security technology that uses runtime instrumentation to detect and block computer attacks by taking advantage of information from inside the running software.
RASP technology is said to improve the security of software by monitoring its inputs, and blocking those that could allow attacks, while protecting the runtime environment from unwanted changes and tampering.
One thing that I observe often is that many developers are not aware that any protection they may add to the mobile app code to try to secure it can be bypassed during runtime with an instrumentation framework, even when the code itself is strongly obfuscated. A well known instrumentation framework used to manipulate code at runtime is Frida:
Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.
In the case a developer adds a function to their code to detect if the app is the original one, the attacker will eventually find it through static analysis of the binary or through dynamic analysis at runtime, and then use Frida to hook it to change the outcome, like always returning a result that says it's the original one. Another alternative for the attacker is to recompile the binary without said function, thus removing the protection.
So, am I saying that you should not use self-protecting code or RASP solutions on your mobile app?
No, I recommend you use all the mechanisms you can afford in order to stop the bad actors, but you also need to be aware that they can bypass them, and try to make it as hard as possible to overcome your defences, to the point that it will be time consuming for them and they will just prefer to go elsewhere to look for easier targets.
Detecting from outside the Mobile App
A better alternative is to delegate to outside the app the detection of whether it's running an original version of the binary or not, and whether it's doing so on a device that is not rooted or jailbroken, and this can be done by using the Mobile App Attestation concept, which I explain in this answer I gave to the question How to secure an API REST for mobile app?, in the section about A Possible Better Solution.
In a nutshell, Mobile App Attestation is a solution that, when fully implemented, attests that your mobile app is the genuine and untampered version you have uploaded to the Play Store, and that it is running on a trusted device, not jailbroken or rooted.
The Mobile App Attestation solution differs from RASP solutions in the fact that the decisions are made outside the mobile device, therefore they cannot be manipulated by instrumentation frameworks, and they also issue a JWT token that allows the backend for the mobile app to know when it can trust the requests it is receiving from it.
Summary
RASP solutions fall short, because usually they don't let the mobile API backend know if the request is from a genuine version of the mobile app that is running in a trusted environment, aka a device not rooted or jailbroken, but even if they do that, once the logic for doing so is running inside the mobile app, it can be manipulated by the attacker with Frida or similar tools.
On the other hand, a Mobile App Attestation solution will make decisions outside the mobile device and allow the mobile API backend to be aware of when it can trust the incoming requests or not.
Do You Want To Go The Extra Mile?
In any response to a security question I always like to reference the excellent work from the OWASP foundation.
For APIs
OWASP API Security Top 10
The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.
For Mobile Apps
OWASP Mobile Security Project - Top 10 risks
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
OWASP - Mobile Security Testing Guide:
The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
This is possible if your app is using an external server under your control providing some important functionalities to make the app useful. This might be some cloud database or an enrollment feature. For offline or device only apps the following approach will not work.
When using the SafetyNet API, SafetyNet returns, as part of the response to the server under your control, an apkCertificateDigestSha256 from the app executing the call. This can be checked to see if it matches your app.
Note that the evaluationType from the response is also important. Newer devices and versions of SafetyNet support HARDWARE_BACKED here, making shielding frameworks like MagiskHide useless.
I am trying to achieve a use case where on installing an app, all print services barring one would get disabled on the Android device.
To achieve this, I looked into Android's Device Administration API capabilities but that doesn't fulfill the use case. I also looked into Google's Android for Work framework and arrived at the following observations / possible solutions -
By setting up managed profiles (work profile): This was introduced from Android 5.0 but can only manage the listed/enterprise-controlled apps and has no control over other apps, as mentioned in the links below -
https://developers.google.com/android/work/build-dpc
https://developer.android.com/work/managed-profiles.html
By writing a Device Policy Controller (DPC) app: To achieve the specific use-case the DPC would have to run as the device owner in which case the provisioning needs to be done via NFC and is not straightforward. Also, this scenario is generally meant for corporate owned, single use (COSU) devices.
So my questions/doubts here are -
Is there any straightforward way in which this use case can be achieved?
Is this even achievable as it violates the Android Security model?
You should write your custom DPC. Right now you can do provisioning using several methods. If you have devices which use Android 7 and above, you can use QR code provisioning, which is quite convenient. For this purpose you can upload your DPC apk to a remote server and write information about the server, the application DeviceAdminReceiver and the apk checksum to a QR code (you can take this QR code as an example).
You can check out Google's awesome project TestDPC, which will give you a deep understanding of what a DPC is and how you can use it.
You can read more about provisioning methods in the Android documentation. Also, if you can contact the manufacturer of the devices, you can ask them to preinstall your custom DPC.
It is achievable and doesn't violate the Android security model, because during provisioning your DPC app gets Device Owner (root). So you can do anything without any restrictions. Here you can check the device owner API and possibilities. Also take a look at the TestDPC source code and you will understand that nothing is impossible with Device Owner mode :)
(Sorry for my English)
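As an added example (not code from this answer, from TestDPC or from any Google project), a device-owner routine that does what the question asks: enumerate every installed print service through the public PrintService interface action and hide all of them except one allowed package. The class name and the allowed package name are placeholders; the admin ComponentName is assumed to point at the DPC's own DeviceAdminReceiver, and the app must already be provisioned as device owner.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.printservice.PrintService;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper, run from the DPC after it has been provisioned as device owner. */
final class PrintServiceLockdown {
    // Placeholder: the one print service package that must stay usable.
    static final String ALLOWED_PACKAGE = "com.example.allowed.printservice";

    private final Context ctx;
    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    PrintServiceLockdown(Context ctx, ComponentName adminReceiver) {
        this.ctx = ctx;
        this.dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = adminReceiver;
    }

    /** Every installed print service registers a Service for this public interface action. */
    List<String> installedPrintServicePackages() {
        Intent probe = new Intent(PrintService.SERVICE_INTERFACE);
        List<ResolveInfo> found = ctx.getPackageManager().queryIntentServices(probe, 0);
        List<String> pkgs = new ArrayList<>();
        for (ResolveInfo ri : found) pkgs.add(ri.serviceInfo.packageName);
        return pkgs;
    }

    /** Hides all print-service packages except the allowed one; returns those actually hidden. */
    List<String> hideOtherPrintServices() {
        if (!dpm.isDeviceOwnerApp(ctx.getPackageName())) {
            throw new IllegalStateException("not device owner: setApplicationHidden would throw");
        }
        List<String> hidden = new ArrayList<>();
        for (String pkg : installedPrintServicePackages()) {
            if (pkg.equals(ALLOWED_PACKAGE) || pkg.equals(ctx.getPackageName())) continue;
            if (dpm.setApplicationHidden(admin, pkg, true)) hidden.add(pkg);
        }
        return hidden;
    }

    /** Reverts the lockdown; hidden packages no longer show up in default queries, so keep the list. */
    void restore(List<String> hidden) {
        for (String pkg : hidden) dpm.setApplicationHidden(admin, pkg, false);
    }
}
```

Hiding is reversible and survives reboot; the allowed package is matched by package name, so a rename of the allowed service would need the constant updated.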
I'm new to Android (in fact, I'm just testing Android) and I have a lot of questions...
Well, let me explain the situation to you. At the moment, in my job, I am writing my code in C# and running it on Windows Mobile 6; the apps are used to make sales, send bills, reserves, etc. The devices (iPAQ 216) are given to the salesmen, and they must use the apps and update them via the internet.
Each salesman has a unique client list, unique data and (in some cases) a unique set of apps, which means that I need to prepare a different package for each salesman. Using a Microsoft tool (cabwiz) I can automatically prepare a different package for each one of the 150 salesmen. They download their specific package using a tool written by me, install it, and everyone is very happy (maybe)...
Is that possible in Android? How? And if it is not possible, do you have an idea how to accomplish something like that...?
It's not going to be as easy as cabwiz, I can tell you that. But it would be possible, theoretically, to write a script that modifies/generates the unique portions of the source and then compiles a new copy for each user.
If the only difference between the apps is the data on them, then there is no need to generate a different package for each user: have the app download the data from your server and save it after the app is installed. You could also make some modules (I can only guess what kind of functionality you're talking about with regards to different apps per user) only accessible to particular users.
Yes, it's possible however:
You may want to look into writing in Java rather than C#, as that's more officially supported on Android.
There are some limitations of the Android APIs; in particular there are basic behaviors of the device that can't be altered - without rooting there's no equivalent to the "hook" functionality of Windows.
Make sure you get devices with the menu option to enable installation of applications from 'unknown sources'; otherwise deployment will be a lot more difficult. At the moment, this amounts to avoiding AT&T, as their devices presently confine you to the Android Market or a physical connection to a machine running the developer tools as distribution channels. (As a workaround you can upload your apps to the Market and not publish them, though that won't fully keep them private unless you also include something to require authorization when they run. You could also install the minimal set of dev tools on the salesmen's laptops.)
You will probably want to learn about the command-line application build tools and scripting in order to generate a custom apk for each salesman. Once the devices are set to allow unknown sources, you should be able to email the salesman the apk (or a link to it) as an attachment. You should also be able to make the custom apk refuse to run except on a device matching some fingerprint data you've previously collected. While you can develop for Android under Windows, you may want to look into switching to Linux in order to make some of this scripting a little more natively elegant.
This is regarding the Google Apps Device Management Policy third-party application, which I got from the Android Market on 2.2.
I registered an account in a Google Apps domain in order to use this account for enabling device management policies. I need to know the process by which the remote wipe-out feature can be achieved using this application in an enterprise manner. I need to log in as an administrator in this application and wipe out the user's secured data on his device at his request.
Is there a way in which I can achieve this using this 3rd party application?
I will be waiting for a reply with the process by which this application can be used in an enterprise scenario.
Thanks in Advance.
If you are looking for device management in an enterprise scenario, you might want to take a look at Oracle Database Lite Mobile Server.
It provides enterprise device management features, including the ability to remotely wipe data on the client. However it does much more than that. It also includes a configurable two-way data sync engine and a management console for provisioning and monitoring devices. You can read more about it, and even try it out here:
http://bit.ly/eJOzhN
Maybe overkill for what you’re trying to do, but if you also need to provision applications and sync data between your devices and a backend database, this could be an ideal solution for you.
Good luck, hope you find a solution that meets your needs.
-- Eric
Your question is not programming related.
Please use:
https://android.stackexchange.com/
for Android superuser type questions.