I got this question when I was looking at banking and
payment-related apps, which show a specific icon that indicates a secure environment.
I searched on Google but I didn't find anything there.
Please check the screenshot below to better understand.
I came across a similar question as well; there is not much information about this. I first saw this on the Samsung S-pay website, which says:
A Secure Environment is a physically segregated chip in the phone
which only allows access to highly sensitive operations/information
such as fingerprint and payment information. Normal applications and
malware have no access to the information in a Secure Environment.
If you search further with the keyword Trusted Execution Environment, you will see that it is a security standard specified for the mobile environment. Like this.
So when your Android code is being executed in a Trusted Execution Environment, the "Secure Environment" sign will appear in the app bar to inform you that you are in a secure transaction. From my observation, it mostly appears when we are using our fingerprint, which actually makes sense, as accessing a fingerprint (or PIN) requires a higher security standard.
I am creating a personal application that can locally manage/control an android device. In particular, I want to be able to do things such as lock down the device, enforce password policies, and wipe the device according to the local state of the device. I have reviewed a number of possible ways of doing this, but that is where I run into trouble.
According to this documentation, DeviceAdmin is essentially deprecated (i.e. the device must be Managed or have Managed Profile to access most of the DeviceAdmin API).
According to this documentation, creating a custom Device Policy Controller (DPC) is essentially deprecated. Side note: from context I am assuming a DPC is essentially a DeviceAdmin with a Managed device/profile but I can't find anywhere that explicitly states that (please correct me if I am wrong).
And finally I'm led to the Android Management API, which at first seems to be what I want. Until I go through the quickstart and find out that I have to create a server and manage the device through a client-server relationship. As a reminder, I am looking for a way to locally manage the device. Now there are release notes indicating that local management may be coming in the future, but that is not now.
So here is my question: is there a currently supported way to locally manage a device?
I am aware of a developer hack that can set an application as a device owner. And while this may be able to work for my personal use, that seems like a pretty big hole in terms of enterprise management.
It is correct that, as of today, Android Enterprise has no way to manage a device locally. There is an open feature request to add support for the local execution of commands as part of our push for extensibility integration with the AMAPI SDK. But as mentioned, it is not currently supported.
Despite Android Enterprise no longer accepting new registrations/validations for custom device policy controllers (DPCs), developers can still build a device policy controller to lock down a device, enforce password policies, and wipe the device according to the local device state. You can still build one and deploy it to your device with a QR or NFC. That said, it's important to note that the DPC would NOT be able to use the Play EMM APIs (so, no app management via the Play Store). This limitation may disqualify the solution for you.
I would like to be able to read traffic of my Android phone to see what data it's sending. It is running Android 9.
I have been able to use Charles but it can only read traffic that doesn't have SSL. It seems that if I was testing my own application there is something that I can set so it trusts the certificate, but I'm trying to get all traffic (all apps etc). I also have used the apps Packet Capture and NetCapture but they have the same limitation.
In this video the guy is able to do it, but it appears to be an older version of Android where all apps would've trusted a user-installed certificate.
Anyone got any ideas?
On Android 9 installing a custom root certificate usually does not affect the apps, therefore HTTPS connections performed by apps don't trust the certificate from Charles that you have installed. To change this you would have to manipulate every app or modify the Android system itself. Additionally some apps (e.g. Google services and PlayStore) perform certificate/key pinning which totally prevents breaking the HTTPS traffic unless the system is heavily modified:
You have to root your device and install XPosed + multiple modules to allow SSL/TLS interception like TrustMeAlready (or the older projects Just Trust Me and SSL Unpinning).
Another possibility is using Frida in combination with some anti-TLS checking/pinning script(s).
More possibilities are described in this Answer.
WARNING: Doing so totally eliminates the security of each and every SSL/TLS/HTTPS connection on your device. Therefore not only you but everybody can intercept the connections made by a device modified this way!
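The setting the question alludes to for one's own app is the Network Security Configuration. As an added example (not part of the original answers; the file name is the conventional one and an assumption here): apps targeting API level 24 or higher trust only the system CA store by default, and a debug-only override lets a debuggable build of your own app also trust user-installed CAs, leaving release builds and every other app unaffected.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (assumed file name), referenced from
     AndroidManifest.xml via android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>
    <!-- Same as the platform default for apps targeting API 28: system CAs only, no cleartext -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <!-- Honoured only when android:debuggable="true": also trust user-installed CAs -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```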
To answer simply... No.
There are ways to look into the traffic but it won't show you much of anything worthwhile. You might be able to take a guess here and there but nothing will satisfy what you are after. I would not waste your time TBH.
Source: Had to do this for my job. Analyzed our app as well as many many others.
Check this out:
https://security.stackexchange.com/questions/83028/possibility-to-sniff-https-traffic-on-devices-without-installing-a-certificate/83039
In the FinTech area there is a lot of talk about the use of Trusted Execution Environment (TEE). I know that on both iOS and Android it is possible to use some key store APIs to generate keys and use them for signing/decrypting. But the code oneself writes is running as a normal app.
My question is, is this the only available use of TEE? Or is it possible for a normal application developer (i.e. one who isn't the manufacturer of the handset etc.) to write an app where the code in the app itself runs in the TEE? I have not been able to find documentation with Google or with Apple that describes how this would be done. Are there special APIs available?
There are different TEEs out there on different devices. OP-TEE, Trusty TEE, QSEE, TLK, Kinibi (previously t-base, previously mobicore), etc.
From what I know, only Kinibi (since mobicore) allows for app developers to develop/deploy Trusted Applications along with the normal app (without the need for an OEM to sign).
At least with Global Platform standard APIs, your TA may be source compatible across TEEs.
As M. Chang pointed out, according to source.android.com it's not possible right now. So, I believe the answer to your question is no. A normal application developer can't write this kind of app.
Third-party application development is not supported in this version
of Trusty.
Hopefully it will change.
Important: Trusty and the Trusty API are subject to change.
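The keystore usage mentioned in the question above, as an added example that is not part of the original thread: a normal app generates a signing key in Android Keystore, checks whether the key is held in a TEE or StrongBox, and signs with it. Only the key operation runs in secure hardware; the app's own code does not. The class name and key alias are hypothetical.

```java
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;

// Hypothetical helper class; runs inside an ordinary Android app.
public final class KeystoreSigner {
    private static final String ALIAS = "example_signing_key"; // hypothetical alias

    // Generate a P-256 key pair in Android Keystore. The private key material
    // is not exportable; the app only ever holds a handle to it.
    public static KeyPair generate() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .build());
        return kpg.generateKeyPair();
    }

    // Report whether the key lives in secure hardware rather than a software keystore.
    public static boolean isHardwareBacked(KeyPair kp) throws GeneralSecurityException {
        KeyFactory kf = KeyFactory.getInstance(
                kp.getPrivate().getAlgorithm(), "AndroidKeyStore");
        KeyInfo info = kf.getKeySpec(kp.getPrivate(), KeyInfo.class);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            int level = info.getSecurityLevel();
            return level == KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT
                    || level == KeyProperties.SECURITY_LEVEL_STRONGBOX
                    || level == KeyProperties.SECURITY_LEVEL_UNKNOWN_SECURE;
        }
        return info.isInsideSecureHardware(); // pre-API 31 equivalent
    }

    // The signature is computed by the keystore; the app passes in the message only.
    public static byte[] sign(KeyPair kp, byte[] message) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(kp.getPrivate());
        s.update(message);
        return s.sign();
    }
}
```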
(Sorry for my English)
I'm new to using Android (in fact, I'm just testing Android) and I have a lot of questions...
Well, let me explain the situation. At the moment, in my job, I write my code in C# and run it on Windows Mobile 6; the apps are used to make sales, send bills, reserves, etc. The devices (iPAQ 216) are given to the salesmen, and they must use the apps and update them via the internet.
Each salesman has a unique client list, unique data and (in some cases) a unique set of apps, which means that I need to prepare a different package for each salesman. Using a Microsoft tool (cabwiz) I can automatically prepare a different package for each one of the 150 salesmen. They download their specific package using a tool written by me, and install it and everyone is very happy (maybe)...
Is that possible in Android? How? And if it is not possible, do you have an idea how to accomplish something like that...?
It's not going to be as easy as cabwiz, I can tell you that. But it would be possible, theoretically, to write a script that modifies/generates the unique portions of the source and then compiles a new copy for each user.
If the only difference between the apps is the data on them, then there is no need to generate a different package for each user: have the app download the data from your server and save it after the app is installed. You could also make some modules (I can only guess what kind of functionality you're talking about with regards to different apps per user) only accessible to particular users.
Yes, it's possible; however:
You may want to look into writing in Java rather than C#, as that's more officially supported on Android.
There are some limitations of the Android APIs; in particular there are basic behaviors of the device that can't be altered - without rooting there's no equivalent to the "hook" functionality of Windows.
Make sure you get devices with the menu option to enable installation of applications from 'unknown sources'; otherwise deployment will be a lot more difficult. At the moment, this amounts to avoiding AT&T, as their devices presently confine you to the Android Market or physical connection to a machine running the developer tools as distribution channels. (As a workaround you can upload your apps to the market and not publish them, though that won't fully keep them private unless you also include something to require authorization when they run. You could also install the minimal set of dev tools on the salesmen's laptops.)
You will probably want to learn about the command-line application build tools and scripting in order to generate a custom apk for each salesman. Once the devices are set to allow unknown sources, you should be able to email the salesman the apk (or a link to it) as an attachment. You should also be able to make the custom apk refuse to run except on a device matching some fingerprint data you've previously collected. While you can develop for android under windows, you may want to look into switching to linux in order to make some of this scripting a little more natively elegant.
I'd like to access (and change) settings of the stock Android browser via code. Is it possible, and if so - how?
YES, it's a programming question - I'd like to change it by code, not by manual clicking.
What about doing it for rooted device?
Android's operating system level security model basically prevents this. Your program would need to run as the same user ID as the browser or as the superuser, which is not possible unless you have the certificate used to sign the browser or your application is only for rooted phones.
In the unlikely event that one of these is the case, you would ensure the browser is not running and then simply change its private databases. Looking at the browser source should reveal anything that's not clear about the databases and any other places it might be storing things.
With some work, you could make an alternative browser that is a near twin of the stock one but either cooperates by providing an API for programmatic settings changes, or is signed with a certificate you do possess, so that your other program can establish a shared user id with it and change its settings db.