Android SafetyNet Attestation - Offline Device - android

I recently got a security issue for the app I'm working on: the possibility to run it on rooted devices. I discovered that it is hard to prevent this situation. My first try was to implement RootBeer. Sadly, there are tools like Magisk Manager which can trick your app into not recognizing the device as rooted.
After some research, I found that SafetyNet has finally been "fixed" so the app can't be used through Magisk anymore. To do so, I need to send my server a JWS token generated using a nonce (received from the server, as Google recommends).
All good so far. My main problem is that my app can be used offline. A solution for this would be to verify the JWS token locally, but that would open vulnerabilities.
I need your help to understand what I should do in order to prevent the app from being opened on a rooted device, using SafetyNet (or another way), in both online and offline mode.
Thanks!

I would suggest something more hybrid. You could use RootBeer for offline usage and SafetyNet for online.
I have recently started to develop an Android SDK that detects the device's security state. It has some checks (such as root detection, mock location, VPN network, app running in a sandbox, and more to come) that may be crucial for fraud use cases.
So if you need something more detailed in your detections in order to determine whether it's suspicious based on the use case, you could give it a try.
Of course any feedback for improvement is welcome.
https://github.com/AppSafetyTech/safesdk-android
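For the online half of the hybrid approach, the part that is easy to get wrong is the server side: the nonce must be single-use and short-lived, and the attestation must be bound to your package and signing certificate before the verdict flags are even looked at. The following is an added example in Python (not code from the question, the answer or the SDK linked above) of that server-side handling. It uses only the standard library, so certificate-chain validation and the RS256 signature check are delegated to an injected `verify_signature` callable, which in production must validate the `x5c` chain to a trusted root, confirm the leaf certificate is issued to `attest.android.com`, and verify the signature. It assumes the client base64-decodes the nonce it receives and passes the raw bytes to SafetyNet, so the `nonce` field of the payload comes back equal to the issued string. `NonceStore`, the TTL values, `build_unsigned_jws` and all field names other than those of the SafetyNet payload itself are this example's own. Google has since deprecated the SafetyNet Attestation API in favour of the Play Integrity API; the server-side discipline shown here carries over.

```python
# Added example, not from the original post: server-side handling of a
# SafetyNet attestation JWS. Standard library only, so chain and signature
# validation is injected (see verify_attestation).
import base64
import json
import os
import time

NONCE_TTL_S = 120           # assumed policy: a nonce must be used within 2 minutes
MAX_CLOCK_SKEW_MS = 60_000  # tolerated drift between device clock and server clock


class NonceStore:
    """Issues single-use nonces bound to a session (in-memory for the example)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # base64 nonce -> (session_id, issued_at)

    def issue(self, session_id):
        # 32 random bytes, handed to the client base64-encoded. The client
        # decodes them and passes the raw bytes to SafetyNet, so the "nonce"
        # field of the payload comes back as this same base64 string.
        nonce = base64.b64encode(os.urandom(32)).decode("ascii")
        self._pending[nonce] = (session_id, self._now())
        return nonce

    def consume(self, nonce, session_id):
        entry = self._pending.pop(nonce, None)  # pop: each nonce is accepted once
        if entry is None:
            return False
        owner, issued_at = entry
        return owner == session_id and self._now() - issued_at <= NONCE_TTL_S


def _b64url_decode(data):
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def parse_jws(jws):
    """Split a compact JWS into (header, payload, signing_input, signature)."""
    header_b64, payload_b64, sig_b64 = jws.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("JWS header and payload must be JSON objects")
    return header, payload, f"{header_b64}.{payload_b64}".encode("ascii"), _b64url_decode(sig_b64)


def verify_attestation(jws, session_id, store, expected_package,
                       expected_cert_digests, verify_signature, now=time.time):
    """Return (ok, reason). verify_signature(x5c, signing_input, signature) must
    validate the x5c chain to a trusted root, check that the leaf certificate is
    issued to attest.android.com and verify the RS256 signature; it is injected
    so this file runs without a real attestation."""
    try:
        header, payload, signing_input, signature = parse_jws(jws)
    except ValueError:
        return False, "malformed JWS"
    if header.get("alg") != "RS256" or not header.get("x5c"):
        return False, "unexpected JWS header"
    if not verify_signature(header["x5c"], signing_input, signature):
        return False, "signature or certificate chain invalid"
    # Nonce: must have been issued to this session, be unexpired and unused.
    if not store.consume(str(payload.get("nonce", "")), session_id):
        return False, "nonce unknown, reused, expired or issued to another session"
    # Freshness: reject attestations whose own timestamp is outside the window.
    try:
        age_ms = abs(int(now() * 1000) - int(payload.get("timestampMs", 0)))
    except (TypeError, ValueError):
        return False, "bad timestampMs"
    if age_ms > NONCE_TTL_S * 1000 + MAX_CLOCK_SKEW_MS:
        return False, "attestation timestamp outside the accepted window"
    # Identity: the attested APK must be ours and signed with our release key.
    if payload.get("apkPackageName") != expected_package:
        return False, "wrong package name"
    digests = set(payload.get("apkCertificateDigestSha256") or [])
    if not digests or not digests <= set(expected_cert_digests):
        return False, "APK signing certificate not recognised"
    # Verdict: require both flags. basicIntegrity alone still passes on many
    # rooted or custom-ROM devices; ctsProfileMatch is the stricter check.
    if not payload.get("basicIntegrity"):
        return False, "basicIntegrity false (tampered or emulated device)"
    if not payload.get("ctsProfileMatch"):
        return False, "ctsProfileMatch false (root, unlocked bootloader or uncertified device)"
    return True, "ok"


def build_unsigned_jws(payload, x5c=("placeholder-certificate",)):
    """Constructed test helper: produces the compact JWS shape with a dummy
    signature, usable only together with a stubbed verify_signature."""
    header = {"alg": "RS256", "x5c": list(x5c)}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"not-a-real-signature")])
```

The order of checks matters: the signature is verified before the nonce is consumed, so an attacker cannot burn a legitimate user's nonce by posting garbage, and the nonce is consumed before any verdict is read, so a token can never be replayed even if it was once valid. Whatever the app decides locally while offline, anything that matters (a session upgrade, a payout) should wait for this server-side result.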

Related

Can Android or iOS applications determine if their host device is configured by a Mobile Device Management (MDM) solution?

I am working on a mobile application and would like to inform users when an update is available, if that user's device is not managed by an MDM. If the device is MDM-configured, we don't expect the end user will be able to update the app without the configuration being changed by the administrator. To provide a better user experience, we want to provide relevant information. To do this, I'd like ideas on how to determine whether an app (written in Kotlin/Swift) can poll for this type of information.
I saw some things in the Android docs about checking for Restrictions Providers, but I think this is the wrong avenue. I'm not very familiar with this, so correct me if I'm wrong.

How to detect users of my app who open it using an emulator on the PC

I have an app that has some unknown devices listed in the analytics portal I use.
I was wondering whether Android and iOS have a method that I can call which tells me if the app has been downloaded and opened using an emulator.
I've thought of accessing the device's IMEI, but this is only for mobile phones and doesn't cover tablets. Any help would be greatly appreciated.
You can try filtering out the connecting devices by their model number, name and ID.
For that you first need your app to parse the data from the phone, and then send this data to your server during authentication.
The server checks the robots list and then authenticates the exceptions (genuine users).
NB: Nowadays emulators are updated; they are capable of spoofing a device name, model and ID. So it's a hectic job to detect spoofers.
Just a mere concept out of my thoughts; it might possibly work!
There are a couple of methods out there. Android includes a built-in method, but some of them can be maneuvered around.
Android includes some system properties that keep such information. They can be accessed using the getprop utility, and there are ways to get them programmatically.
More specifically, "ro.build.characteristics" will contain the word "emulator" when running on an emulator.
Long story short: there are a couple of libraries that are capable of doing this and are considered reliable.
Here is a good example:
https://github.com/framgia/android-emulator-detector
For iOS see this answer
As a side note, if you are concerned about having a safe environment to run your application, take a look at SafetyNet.
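The property check the answer describes, applied to an `adb shell getprop` dump, as an added example in Python (this is not code from the answer or from the linked library). `ro.build.characteristics` is the property the answer names; `ro.kernel.qemu`, `ro.hardware`, `ro.product.device` and `ro.build.fingerprint` are additional properties commonly checked for the same purpose and are this example's own selection. Both dumps are constructed. On the device itself the same values are read through the `android.os.Build` fields or `SystemProperties`, and, as the previous answer notes, every one of them can be spoofed, which is why the verdict function takes a threshold.

```python
# Added example, not from the original answer: scoring a getprop dump for
# emulator indicators.
import re

# getprop prints one "[key]: [value]" pair per line.
_PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

# Constructed sample dumps, trimmed to the properties that matter here.
EMULATOR_DUMP = """\
[ro.build.characteristics]: [emulator]
[ro.build.fingerprint]: [google/sdk_gphone_x86/generic_x86:11/BUILD.ID/1234:user/release-keys]
[ro.hardware]: [ranchu]
[ro.kernel.qemu]: [1]
[ro.product.device]: [generic_x86]
[ro.product.model]: [sdk_gphone_x86]
"""
PHONE_DUMP = """\
[ro.build.characteristics]: [nosdcard]
[ro.build.fingerprint]: [vendor/phone/phone:13/BUILD.ID/1234:user/release-keys]
[ro.hardware]: [phone]
[ro.product.device]: [phone]
[ro.product.model]: [Example Phone]
"""


def parse_getprop(dump):
    """Parse `adb shell getprop` output into a {property: value} dict."""
    props = {}
    for line in dump.splitlines():
        match = _PROP_LINE.match(line.strip())
        if match:
            props[match.group("key")] = match.group("value")
    return props


def emulator_indicators(props):
    """Return the names of the indicators that fired (empty list: none)."""
    hits = []
    if "emulator" in props.get("ro.build.characteristics", "").lower():
        hits.append("ro.build.characteristics contains 'emulator'")
    if props.get("ro.kernel.qemu") == "1":
        hits.append("ro.kernel.qemu is 1")
    if props.get("ro.hardware", "").lower() in ("goldfish", "ranchu"):
        hits.append("ro.hardware is an emulator board (goldfish/ranchu)")
    if props.get("ro.product.device", "").startswith("generic"):
        hits.append("ro.product.device starts with 'generic'")
    if "generic" in props.get("ro.build.fingerprint", "").lower():
        hits.append("ro.build.fingerprint contains 'generic'")
    return hits


def looks_like_emulator(props, min_hits=1):
    """Verdict with an adjustable threshold: a single indicator is easy to
    spoof, so a stricter caller may require two or more."""
    return len(emulator_indicators(props)) >= min_hits


if __name__ == "__main__":
    for name, dump in (("emulator", EMULATOR_DUMP), ("phone", PHONE_DUMP)):
        print(name, emulator_indicators(parse_getprop(dump)))
```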

MDM workflow in Android

Can anyone help me out with how to do MDM integration in Android from a client and server perspective?
I want to build an enterprise application which has lock and wipe functionality. I have no clue about the workflow of MDM in Android.
Thanks.
The Android Device Admin API will do both things you want to do (lock/wipe the device, and even more). An example is given, and you can also find the complete source code in your Android SDK directory.
Now from the client/server perspective:
You have to implement your task (lock and wipe) in your Android application (in the client, i.e. what is known as the agent). Now your application should be capable of communicating with your server, or vice versa.
I 100% agree with adamk when he said, "Remote controlling your application remains exclusively your responsibility - the Android framework does not provide (or enforce) any solution for that."
And Android gives you this feature too. As adamk said, use C2DM; he was right, but now C2DM is deprecated and GCM has been introduced, "a service that helps developers send data from servers to their Android applications on Android devices." The service can send a message of up to 4 KB to an application on an Android device, most often to tell the application to retrieve a larger set of data. GCM will now handle all queueing and delivery of messages to Android applications.
You should read how to use GCM, and you can find sample code too. Download the GCM Android Library from the SDK Manager and check the android-sdk/extras/google/GCM directory.
After establishing successful communication between your agent and server, evaluate the message sent by the server in the agent and perform the desired action (lock/wipe). It is again up to you how you define your message payload and how you handle those payloads in the agent application.
Here is an article about Android MDM.
Happy Coding :)
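The answer leaves the message payload and its handling in the agent to the developer. Since a lock or wipe command is about the most damaging thing a push message can trigger, the agent should refuse anything that is not demonstrably from the server, stale, or delivered twice. The following is an added example (not code from any answer in this thread) of one such envelope in Python: the server signs each command with an HMAC, and the agent verifies it, checks its age and rejects replays before dispatching. The shared key, the field names, the TTL and the injected `lock`/`wipe` callables are this example's own assumptions; in the real Kotlin/Java agent those callables would be `DevicePolicyManager.lockNow()` and `DevicePolicyManager.wipeData()`, and the replay cache would be persisted.

```python
# Added example, not from the original answers: an authenticated, replay-
# resistant command envelope for the MDM agent <-> server push channel.
import hashlib
import hmac
import json
import time

COMMAND_TTL_S = 300  # assumed policy: a command older than 5 minutes is dropped


def _canonical(body):
    # Stable serialisation so server and agent MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_command(key, action, command_id, issued_at):
    """Server side: wrap an action in a signed envelope for the push channel."""
    body = {"id": command_id, "action": action, "issued_at": issued_at}
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


class Agent:
    """Device side: verifies an envelope before running the matching action."""

    def __init__(self, key, actions, now=time.time):
        self._key = key
        self._actions = actions    # e.g. {"lock": lock_fn, "wipe": wipe_fn}
        self._seen_ids = set()     # replay cache; persist it on a real device
        self._now = now

    def handle(self, message):
        body = message.get("body")
        if not isinstance(body, dict):
            return "rejected: malformed"
        expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(message.get("mac", ""))):
            return "rejected: bad mac"          # forged, or altered in transit
        issued_at = body.get("issued_at")
        if not isinstance(issued_at, (int, float)) or abs(self._now() - issued_at) > COMMAND_TTL_S:
            return "rejected: stale"            # delivered late, or clock problem
        if body.get("id") in self._seen_ids:
            return "rejected: replay"           # same envelope delivered twice
        action = self._actions.get(body.get("action"))
        if action is None:
            return "rejected: unknown action"
        self._seen_ids.add(body["id"])
        action()
        return "executed: " + body["action"]
```

The push service only transports the message; it does not tell the agent who composed it or whether it is the same message it already acted on, which is what the MAC, the timestamp and the id cover. Because the MAC covers the canonical body, changing `"lock"` to `"wipe"` in transit invalidates it.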
You can use DeviceAdmin to gain privileges for managing the Lock preferences and performing device wipe (among other stuff).
(The user must add your app as a device administrator beforehand)
Remote controlling your application remains exclusively your responsibility - the Android framework does not provide (or enforce) any solution for that.
You may want to consider using Google's C2DM API, which is a convenient push mechanism.
As mentioned in the above answer, the DeviceAdmin API can help. If you are using an Android device, you might know about the Android Device Manager (the web-based version), which allows you to manage your device. Basically, you can track, locate, lock, and wipe your device, some of the basic features of an MDM solution. So, in coding (though I am not a coding expert), you need to get access to the Device Manager (I guess, using some listener code, or notification access).
Apart from this, MDM allows creating policies and groups of users (which would be a part of the coding in the app itself), then pushing the command over the internet (or OTA) to the connected device.
MDM also allows managing Apps and Data on the device, for which, you need the app to get access to the internal as well as external device storage.
Hope this helps. Good luck creating your MDM software

What API is used by Google+ Android app?

There is a Google+ mobile application for Android. To receive all the information it must be using some API.
How can I retrieve this information from my phone and see where this app is getting its data from? I'd love to access it myself and see how it works.
You are talking about "reverse engineering" a network protocol.
Full sniffing
Get a market-enabled emulator: How to install Android Market App on the emulator?
Get a network sniffer: tcpdump, wireshark, ...
Start to sniff what's going over the wire
http://www.thoughtcrime.org/software/sslstrip/ - an SSL stripping proxy
Inject your CA: http://www.mcbsys.com/techblog/2010/12/android-certificates/
This should, in theory, enable you to sniff any https or plain text connection.
Already available APIs
I would not try to hijack the connection. There is already a contacts API; it's called XMPP. You should be able to use the Talk integration to pull your friend list.
Future APIs
You may also want to sign up for the upcoming API.
UPDATE
It appears that the Android client uses (at least partially) XMPP. The regular client requires an open XMPP connection, and you can see a "RealTimeChat" in your logcat. It looks like the connection is encrypted, because you get a "TLS required" message (the client seems to go through the XMPP connection states). I'm not sure whether that's used for client-based posts or just for server push. You can see the open connections with the help of "netstat". The connection goes away when Google+ terminates.
I'd thus expect the API to be really open once released (or reverse engineered).
UPDATE 2 (06. Jul. 2011)
Hangout is built on XMPP/MUC+Jingle (MUC == multi-user chat; Jingle is roughly a SIP alternative on top of XMPP). And yes, they'll release the details of it :-)
UPDATE 3 (06. Jul. 2011)
Multiple XMPP components for GTalk/G+ have been revealed by reading the JS code. It also emphasizes that they have built a great deal of features on XMPP.
They haven't launched the API yet. If there is something you want to build on Google+, they encourage you to signup here: https://services.google.com/fb/forms/plusdevelopers/
The API hasn't been released yet. Heck, the product hasn't even been released yet. That's like developing a video game for the PlayStation 5.
Yes it is. It's coming "soon"; read: http://www.webpronews.com/api-coming-soon-for-google-plus-2011-07

Android: Verifying the application's integrity on the server side

I'm writing an Android app that communicates via HTTPS with a server application. On the server side, I have to be absolutely sure about the Android app's integrity. This means that the server app needs to be sure that it's communicating with the Android app that I developed and not with a re-written one (e.g. after decompiling the original app or after having rooted the device).
Is there a possibility to ensure that? Maybe there is a possibility with the signature of the apk file?
Any hint is appreciated.
Regards,
Peter
You are trying to address a known problem:
You can never trust an application on an open device (mobile phone, desktop computer). In order to trust it, it should be tamper-proof. An example of such a device is a smart card. Mobile devices are certainly not.
You should never send data to device that user is not supposed to see. The implication of this is that all business logic must be done on the server.
All requests to the server should be authenticated with user's credentials (username/password) and made via a secure protocol (HTTPS/SSL).
No way. Whatever is in the user's hands is not yours anymore. Even if you somehow manage to transfer the APK to the server for validation, nothing prevents the hacked program from sending an original copy to the server.
In order to validate that your software is running, the client devices need to be able to provide remote attestation services, which is one of many piles of acronyms in the TPM world. I found that someone has been working on providing TPM services, including IBM's IMA, which is almost good enough for what you want.
Details here: http://www.vogue-project.de/cms/upload/vogueSoftware/Manual.pdf (Google Quickview).
Of course, this is emulating the TPM, and requires patching the Android kernel. But perhaps one of the various manufacturers would be willing to build a model with the TPM hardware included for you?
