I'm deploying a large number of Android devices for a project which are owned and controlled by me, including with a Mobile Device Management system.
I don't know how to identify the devices when the device is being used to log into our web-based services. We can know who logs in, obviously, but not what device they are coming from.
Ideally we would know the IMEI or Serial of a device when it logs in, but it can really be any unique identifier.
I 100% understand why this information is not typically available to a website -- it's easy enough for advertisers and others to track people! However in our case, we own both the endpoints AND the website, so it seems like something should be possible.
Typically our devices clear the cache on the browser when they reboot, so it likely can't be something based on the cache, but I could explore more options here and see whether it's possible to disable this.
The website is based on React, if that's helpful. However, we could use another page built on whatever makes this easier if needed.
We do also have native Android apps running on the device, but I don't know if we can pull information from them into the browser somehow.
Note that we've tried using the WebRTC method to grab internal IP addresses, which works to some extent but is not ideal since it's inconsistent and is blocked on later versions of Android's browsers. Also if the device changes IP, that method no longer helps.
Seeking any kind of advice/input from this community.
Background Story:
I came across a cracked Amazon Prime Video Android app on divyanet.com. (It claims it's the cracked version of the original Amazon Prime Video Android app: same movie selections and everything, minus paying for the subscription.)
I installed it and realized it was a different app, in that it wasn't actually a cracked Amazon Prime app.
To confirm my suspicion, I set up an environment to capture the cracked app's network traffic.
I ran Genymotion (Android simulator) and Burp Suite on the same laptop. I proxied the Android instance's traffic through the laptop so Burp Suite could capture it.
What I saw was a good learning experience. This cracked app was sending GET requests all over the place (to many free movie/show domains, and some of the domains are even marked as malicious).
Examples:
tovanillitechan.com (Https://malwaretips.com/blogs/remove-tovanillitechan-com/)
tzegilo.com (https://hybrid-analysis.com/sample/6d9faaedd7dd72dc8e0da476e0af4b08d6ca24bf60b498d20e070f90f1b45af1/62aa234f35008f214f1869ac)
unphionetor.com (https://any.run/report/7974be8113970f143fd17339a5c349d499a05ccf99c940b34979f38d283bb1b3/99008e10-24bd-4cb1-aa59-ab8d5baaf0d0)
My questions are: (See links for HTTP GET and response details)
Request Header
Response Header-1
Response Header-2
A: How is the site owner benefitting from tricking users into downloading this supposedly cracked app?
(While streaming the movies, there aren't even ads interrupting the movies.)
B: I haven't noticed my phone acting weird, like slowness or random ad pop-ups. How can I check whether anything malicious was installed? What are the typical reasons for this cracked app calling out to these malicious domains?
Thank you for your help!
Because the app is a trojan and he now has complete control of your device. Some of those malicious requests are likely to command and control servers. Please tell me you didn't use your actual phone, because if so he has access to anything your app had access to, including your email, online banking, etc.
Don't try to figure out what he may have changed. You don't have the skillset for it. Factory reset the device immediately. Even that isn't a 100% sure fix, if you have another device I'd switch to that. And stop downloading cracks, it's a horrible idea. You're taking something from skilled hackers and reverse engineers and running it on your device, and just hoping that someone who has no problem with cracking an app would somehow draw the line at putting a keylogger in there. Hint: they won't.
The covid-19 app is capable of detecting who came into contact with who, how do they do it? I am trying to make something similar but I am unsure how they managed to get that information from the phones. I don't need the information to be private (like phone number), it could be something that only the government can make use of (like SIM card number or MAC address). Is that possible?
I looked into Google Nearby and Wifi Direct... But as far as I understand it, it requires a handshake (covid19 app doesn't). I also looked into potentially making your phone into a hotspot and capturing wifi requests but I am not sure which library / API lets me do that.
Does anyone know how this is done? I can't find a concrete answer anywhere; this seemed to be actually impossible until I realized that the covid-19 app is doing it.
As Morrison Chang and ArtHare have commented already, Google and Apple have implemented this on an OS level:
In the coming months, Apple and Google will work to enable a broader Bluetooth-based contact tracing platform by building this functionality into the underlying platforms. (source)
If you want the specs they're using, Apple and Google have pages on how contact tracing is implemented, but it would be hard (if not impossible) for an app to implement this.
Since the process of applying for EMM integration takes an unjustifiably large amount of time and the whole process is described as "incredibly painful" by those lucky ones that went through it, I want to know whether it is absolutely necessary to become an EMM in order to have a working Device Policy Controller app (DPC).
If you faced this problem, please share the experience.
I am developing for COSU devices and want to go into a kiosk mode. I am aware of existence of ways of how to do it, but they all implement a bunch of workarounds - this is not an option - I want a controllable, safe and robust way of doing this. I don't care about not having the ability for remote managing also.
You can use Google's new Android Management API to manage Android devices without building a DPC or registering as an EMM.
You just want to write an app that uses Device Policy Owner? That's fairly simple, assuming you own the devices. Just install your app, adb shell in, and run the dpm command to set your app as owner. If you're buying in bulk from a manufacturer you can get them to do it for you in the custom image you install (although you may need to explain what you want, it isn't a common use case).
Of course everything has its limits. This will work, unless the user manages to do a factory reset. Which you can prevent via the UI, but can generally be reached from recovery modes or from unlocking the bootloader. So it's safe from casual intrusion, but if someone really wants to get at your device and they have physical access and time, they can.
It is definitely possible to write your own DPC without registering with the EMM community.
The most convenient option for provisioning the devices is via NFC, for example using a second device, as it is quite simple to write a provisioning application.
See Implementing Kiosk Mode in Android (part 3 and 4) for a good example.
I had a few problems with some Android 5 devices, but since 6.0 it works quite well.
I want to control installation of my app on each device by sending its ANDROID_ID to a server and controlling it there. But according to this link in the Android Developers blog, this isn't a suitable approach. It says:
the requirement is to identify a particular installation, not a physical device. Fortunately, doing so is straightforward.
I want to know how this way is possible for my needs?
Edits:
Let me explain this more clearly. I want to give the user a registration code and let the user install my app on 3 different devices by using this code, and control this from a server.
First of all, on rooted devices there is not much you can do. When one tampers with the ROM he can make two different devices identical: every API call aiming at finding a difference can be altered to return the same value. So if you want a solution that is absolutely safe, you're screwed.
With normal users seeing the problems in the Android API, I would suggest a hash of every device identifier you can find: IMEI, IMSI, ANDROID_ID, MAC address, Device type, manufacturer... This way you will surely grant 3 installations to normal users.
It's always better to have some free-riders than to have angry customers who cannot install the app on 3 devices because of some Android API bug that gave them the same device ID for their devices.
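One way the server side of this suggestion could look, as an added example that is not part of the original answer. The names `fingerprint` and `InstallRegistry`, the field names and the server key are assumptions, and a keyed hash (HMAC-SHA256) is used in place of a plain hash so the server never stores raw IMEI or IMSI values.

```python
import hashlib
import hmac
from typing import Dict, Optional, Set

FIELDS = ("imei", "imsi", "android_id", "mac", "model", "manufacturer")
STRONG = ("imei", "imsi", "android_id", "mac")  # identifiers meant to be per-device
# Values many devices report identically, treated as missing: the constant MAC
# returned since Android 6.0 and the ANDROID_ID shared by some old devices.
PLACEHOLDERS = {"", "unknown", "02:00:00:00:00:00", "9774d56d682e549c"}
MAX_DEVICES = 3


def fingerprint(ids: Dict[str, str], key: bytes) -> Optional[str]:
    """Keyed hash over all usable identifiers, or None if none is per-device."""
    clean = {}
    for name in FIELDS:
        value = (ids.get(name) or "").strip().lower()
        if value not in PLACEHOLDERS:
            clean[name] = value
    if not any(name in clean for name in STRONG):
        return None  # model + manufacturer alone would collide across devices
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for name in FIELDS:
        value = clean.get(name, "").encode()
        # Length prefix keeps ("ab", "c") distinct from ("a", "bc").
        mac.update(name.encode() + b"=" + len(value).to_bytes(4, "big") + value)
    return mac.hexdigest()


class InstallRegistry:
    """Tracks device fingerprints per registration code (in memory here)."""

    def __init__(self, key: bytes):
        self.key = key
        self.devices: Dict[str, Set[str]] = {}

    def activate(self, code: str, ids: Dict[str, str]) -> str:
        fp = fingerprint(ids, self.key)
        if fp is None:
            return "rejected: no usable identifier"
        seen = self.devices.setdefault(code, set())
        if fp in seen:
            return "ok: known device"  # reinstall does not use a new slot
        if len(seen) >= MAX_DEVICES:
            return "rejected: device limit reached"
        seen.add(fp)
        return "ok: new device"
```

The fingerprint changes if an identifier that was readable at first activation later becomes unavailable, so a production version would need a policy for re-binding a device; as the answer notes, none of this holds on a rooted device that spoofs the values.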
I am currently working on a research project which involves people playing games on an Android device. I am hoping to be able to write an android app that records the accelerometer and touch events. I would like my users to be able to play games such as angry birds, whilst I record their touching data.
I understand that this type of data collection is possible from inside the app, but is it possible from outside the app? (perhaps via an app running in the background?)
If this is not possible, are there alternatives? (I believe I could theoretically go into the android OS source code and make this happen?)
I understand that this type of data collection is possible from inside the app, but is it possible from outside the app? (perhaps via an app running in the background?)
For touch events, no, for obvious privacy and security reasons. It used to be possible (research the term "tapjacking"), but current versions of Android finally blocked this behavior.
For accelerometer events, you can record those, because they are the same for all apps simultaneously. Bear in mind that your sampling rate may not exactly match that of the app being used.
I believe I could theoretically go into the android OS source code and make this happen?
Yes, though you would then need to turn that modified Android into a ROM mod and install it on devices.
Apps are not allowed to do this on a secured device (i.e., a consumer phone/tablet that has not been 'rooted').
However, depending on your needs it may be possible with the development tools connected to a computer. If you can do some moderately annoying setup before each controlled-circumstances trial, I believe you can do it on some stock devices by using the USB cable to switch ADB into wifi mode, then monitoring input events over a wireless ADB session. See
http://source.android.com/tech/input/getevent.html
That document seems to imply that 'su' is needed (which is odd as the official 'su' isn't usable by non-root users), however it works without on many stock devices.
You'd probably also want to be running logcat to figure out what application is in the foreground.