having function to get AdvertisingIdClient.Info
private static AdvertisingIdClient.Info getAdsClientInfo(#NonNull final Context context) throws GooglePlayServicesNotAvailableException, IOException, GooglePlayServicesRepairableException {
int isGPAvailable = GoogleApiAvailability.getInstance().isGooglePlayServicesAvailable(context);
if (isGPAvailable == ConnectionResult.SUCCESS) {
return AdvertisingIdClient.getAdvertisingIdInfo(context);
}
return null;
}
it uses AdvertisingIdClient.getAdvertisingIdInfo(context)
there are three libs in https://developers.google.com/android/guides/setup
Google Mobile Ads com.google.android.gms:play-services-ads:20.1.0
Android Advertising ID (AAID) com.google.android.gms:play-services-ads-identifier:17.0.0
Lightweight version of Google Mobile Ads com.google.android.gms:play-services-ads-lite:20.1.0
what are the difference among these, and which one is safe to use for the purpose?
It turns out that com.google.android.gms:play-services-ads-identifier:17.0.0 is fine for this case but change the GoogleApiAvailability to GoogleApiAvailabilityLight and it will be included in this dependency.
Related
How I can detect that HMS services are available for some phone?
The question is a duplicate of answer but let it be cause googling with check huawei services is available didn't provide me with a link for StackOverflow question (Have both GMS and HMS in the project). Let Google indexing this for better search possibilities.
First of all you should read this answer.
The answer contains the link to the old documentation version of HMS. Here is the new one - link. Find the isHuaweiMobileServicesAvailable method and read about return constants description.
Best wishes!
You can use this method to detect
public static boolean isHmsAvailable(Context context) {
boolean isAvailable = false;
if (null != context) {
int result = HuaweiApiAvailability.getInstance().isHuaweiMobileServicesAvailable(context);
isAvailable = (com.huawei.hms.api.ConnectionResult.SUCCESS == result);
}
Log.i(TAG, "isHmsAvailable: " + isAvailable);
return isAvailable;
}
we implemented authentication (and signing) using the androidx support library. It works perfect on Device with Android 10 (also the DeviceCredentialUnlock) and with Biometrics (the code is little different, as we want to know if it was signed with biometrics or with device credentials).
With Android 8 and older it never calls the callback. No error message is logged, the CompletableFuture is never completed.
CompletableFuture<String> signingResult = new CompletableFuture<>();
final String title = fragmentActivity.getString(R.string.LockScreenTitle);
final String description = fragmentActivity.getString(R.string.LockScreenDescription);
final String data = "testData";
Executor executor = ContextCompat.getMainExecutor(fragmentActivity);
final BiometricPrompt.AuthenticationCallback callback = new BiometricPrompt.AuthenticationCallback() {
#Override
public void onAuthenticationError(int errorCode, #NonNull CharSequence errString) {
LOGGER.info("onAuthenticationError");
Exception exception = mapAuthenticationError(errorCode, errString);
signingResult.completeExceptionally(exception);
}
#Override
public void onAuthenticationSucceeded(#NonNull BiometricPrompt.AuthenticationResult result) {
super.onAuthenticationSucceeded(result);
try {
LOGGER.info("onAuthenticationSucceeded");
String signedData = SignInternal(data);
signingResult.complete(signedData);
} catch (SecureTokenException e) {
signingResult.completeExceptionally(e);
}
}
#Override
public void onAuthenticationFailed() {
LOGGER.info("onAuthenticationFailed");
signingResult.completeExceptionally(new SecureTokenException(SecureTokenException.ErrorCode.ABORTED_BY_USER));
}
};
BiometricPrompt.PromptInfo promptInfo = new BiometricPrompt.PromptInfo.Builder()
.setTitle(title)
.setDescription(description)
.setDeviceCredentialAllowed(true)
.build();
final BiometricPrompt bp = new BiometricPrompt(fragmentActivity, executor, callback);
fragmentActivity.runOnUiThread(new Runnable() {
#Override
public void run() {
bp.authenticate(promptInfo);
}
});
try {
String signed = signingResult.get();
The keys are generated with the .setUserAuthenticationValidityDurationSeconds(5); property. the sign Method uses the authenticated for signing. But the callback is never called, so we do not come to this point (at Android 9...).
Thank you for your help!
I've recently implemented the androidx biometric lib in my app. First of all the BiometricPrompt.PromptInfo.Builder.setDeviceCredentialAllowed() is deprecated and we should now use the BiometricPrompt.PromptInfo.Builder.setAllowedAuthenticators(int) instead. The int parameter passed to that function must be one of or a combination of the enum values in BiometricManager.Authenticators:
BIOMETRIC_STRONG
BIOMETRIC_WEAK
DEVICE_CREDENTIAL
This Android Developer docs describes the different enums:
https://developer.android.com/reference/androidx/biometric/BiometricManager.Authenticators
From Android Developer docs on Biometric Authentication (I recommend reading this guide btw):
Note: The following combinations of authenticator types aren't supported on Android 10 (API level 29) and lower: DEVICE_CREDENTIAL and BIOMETRIC_STRONG | DEVICE_CREDENTIAL. To check for the presence of a PIN, pattern, or password on Android 10 and lower, use the KeyguardManager.isDeviceSecure() method.
Below is a small block of code that I use to setup my biometric prompt, hopefully this and the information above will guide you in the right direction.
val bioPromptInfoBuilder = BiometricPrompt.PromptInfo.Builder()
.setTitle(authPromptParams.promptTitle)
.setSubtitle(authPromptParams.promptSubtitle)
when {
Build.VERSION.SDK_INT > Build.VERSION_CODES.Q -> {
bioPromptInfoBuilder.setAllowedAuthenticators(
BiometricManager.Authenticators.BIOMETRIC_STRONG or BiometricManager.Authenticators.DEVICE_CREDENTIAL
)
}
kgm.isDeviceSecure -> {
bioPromptInfoBuilder.setAllowedAuthenticators(
BiometricManager.Authenticators.BIOMETRIC_WEAK or
BiometricManager.Authenticators.DEVICE_CREDENTIAL)
}
else -> return null
}
Basically Android 10 and below supports different combinations of the BiometricManager.Authenticators enums.
My application I'm making must have to able to download files from Google Drive. So, The app should check that user has Google Drive. One class named DriveDetector is role of checking this facts. Actually, And basically all of Android Phone have Google Application that including Google Drive. Android users cannot remove the Google Drive completely, but they're able to be Google Drive invisible. HOW TO CHECK GOOGLE DRIVE IS ACTIVATED ON THE USER'S PHONE? Thanks to read my question post.
import android.content.Context;
public class DriveDetector {
private Context context;
public DriveDetector (Context context) {
this.context = context;
}
public boolean hasGoogleDrive() {
}
}
you can check if application is already installed in phone or not by following:
public static boolean isAppInstalled(Context context, String packageName) {
try {
context.getPackageManager().getApplicationInfo(packageName, 0);
return true;
}
catch (PackageManager.NameNotFoundException e) {
return false;
}
}
you can call this method to check for google drive like this:
boolean hasDrive = isAppInstalled(context, "com.google.android.apps.doc");
I've throughtoutly searched this site as well as others for answers and found no actual one.
My question is what exactly does the Freedom Hack (which allows users to get in-app purchases without paying) do. That is, what part of the process is altered. I've found this list of applications for which the hack works, and some of the entries there are dated to this month, meaning that it hasn't been completely fixed yet. The responses I've seen were "verify the application in your server", but if the hack, for example, alters the Java.Security's signature verification function, so it always returns true, then adding my own signature in the server wouldn't help much.
I don't know if the author still follow this topic or not. But I spent sometime to find out (googling) the way how freedom work and how to prevent it (until they update the way freedom work) in my project and it works. My implementation is really simple and you don't need to verify by sending request to server (which affect the performance and take more effort to implement it).
The current implementation of freedom is that it will replace (redirect) all the method calls of java.security.Signature.verify(byte[]) to a freedom's jni method which in turn just simply always return true (or 1).
Take a look at java.security.Signature.verify(byte[]):
public final boolean verify(byte[] signature) throws SignatureException {
if (state != VERIFY) {
throw new SignatureException("Signature object is not initialized properly");
}
return engineVerify(signature);
}
Here the engineVerify method is an abstract protected method which is first defined in java.security.SignatureSpi(Signature extends SignatureSpi).
OK, that enough, because I can't believe java.security.Signature.verify(byte[]) method anymore, I would use engineVerify method directly. To do that, we need to use reflection. Modify the verify method of IABUtil/Security from:
public static boolean verify(PublicKey publicKey, String signedData, String signature) {
Signature sig;
try {
sig = Signature.getInstance(SIGNATURE_ALGORITHM);
sig.initVerify(publicKey);
sig.update(signedData.getBytes());
if (!sig.verify(Base64.decode(signature))) {
Log.e(TAG, "Signature verification failed.");
return false;
}
return true;
} catch (...) {
...
}
return false;
}
To:
public static boolean verify(PublicKey publicKey, String signedData, String signature) {
Signature sig;
try {
sig = Signature.getInstance(SIGNATURE_ALGORITHM);
sig.initVerify(publicKey);
sig.update(signedData.getBytes());
Method verify = java.security.SignatureSpi.class.getDeclaredMethod("engineVerify", byte[].class);
verify.setAccessible(true);
Object returnValue = verify.invoke(sig, Base64.decode(signature));
if (!(Boolean)returnValue) {
Log.e(TAG, "Signature verification failed.");
return false;
}
return true;
} catch (...) {
...
}
return false;
}
That is simple but it works with the current implementation of freedom until they update its algorithm in the future.
then adding my own signature in the server wouldn't help much.
That is not correct, the signature that "Freedom" uses is invalid and the order id is also invalid.
What I did to ensure that my Application is safe is:
Send isPurchaseValid(myPurchase.getSignature(), myPurchase.getOriginalJson()) to my server to verify over there and it works with real purchases but freedom fails everytime.
On the server I check if the signature matches
If it does match I contact "Google APIs Google Play Android Developer API > androidpublisher.inapppurchases.get" to verify that the Purchase exists and that returns my developer payload.
I then use the developer payload to make sure that this purchase is for this specific user and not some other user and this user is sending me his data.
P.S. The developer payload is a String you set before the purchase is made from your android app, it should be something unique to your user.
It maybe a lot of work but It ensure that no one will buy your stuff with freedom and succeed.
The only thing that I am unable to do is not let freedom have an affect on my application, for example the folks in Path did something I don't know what which made Freedom have no effect what so ever!!!!
I'm using something like this, I know it's not a good solution compared to a remote server check for your signature. I'm checking if Freedom app is installed, if so I'm not opening my app.
#Override
protected void onCreate(Bundle arg0) {
super.onCreate(arg0);
if(isHackerAppIsntalled())
finish();
}
private boolean isHackerAppInstalled() {
final PackageManager pm = getApplication().getPackageManager();
List<ApplicationInfo> packages = pm
.getInstalledApplications(PackageManager.GET_META_DATA);
for (ApplicationInfo packageInfo : packages) {
String packageName = packageInfo.packageName;
if (packageName.contains("cc.madkite.freedom")
|| packageName.contains("madkite.freedom")) {
return true;
}
}
return false;
}
Im developing an app with the latest android version (4.2.1 API-Level 17) for tablets with multiuser capabilities.
I want to restrict certain features (like the access to the app preferences) to the owner of the tablet (that is the user who can add and remove other user accounts)
is there any way i can find out if the current user is the owner?
i read through the UserManager and UserHandle API docs but couldn't find a function that allows me to check for it.
have i missed something or is there another way to do that?
Similar but without reflection:
static boolean isAdminUser(Context context)
{
UserHandle uh = Process.myUserHandle();
UserManager um = (UserManager) context.getSystemService(Context.USER_SERVICE);
if(null != um)
{
long userSerialNumber = um.getSerialNumberForUser(uh);
Log.d(TAG, "userSerialNumber = " + userSerialNumber);
return 0 == userSerialNumber;
}
else
return false;
}
You can create an extension property in Kotlin to make it simpler:
val UserManager.isCurrentUserDeviceOwner: Boolean
get() = if (SDK_INT >= 23) isSystemUser
else if (SDK_INT >= 17) getSerialNumberForUser(Process.myUserHandle()) == 0L
else true
Then, using it is as simple as the following:
val userManager = context.getSystemService(Context.USER_SERVICE) as UserManager
if (userManager.isCurrentUserDeviceOwner) TODO() else TODO()
You can further reduce boilerplate by using global system services definitions that makes userManager and other Android System Services available anywhere in your Kotlin code, with code included in this library I made: https://github.com/LouisCAD/Splitties/tree/master/systemservices
After researching further i found out that the multiuser api is not functional yet, it cant really be used for anything. there is a hack though for checking if the user is the owner using reflections:
public boolean isCurrentUserOwner(Context context)
{
try
{
Method getUserHandle = UserManager.class.getMethod("getUserHandle");
int userHandle = (Integer) getUserHandle.invoke(context.getSystemService(Context.USER_SERVICE));
return userHandle == 0;
}
catch (Exception ex)
{
return false;
}
}
This works for me on the Nexus 7 and Nexus 10 with Android 4.2.1
Its very dirty. so i wouldnt recommend using it unless you are making an app thats device and version specific