Bluetooth Pairing Without users' confirmation - android

Can I pair a smartphone over Bluetooth without needing to confirm this in the user interface, i.e. accepting to pair the devices? I use Android Studio. I don't need to exchange data between them; I just need pairing without any action. And then safely pair with the smartphone over Bluetooth without any user action?

Yes and no, but you shouldn't anyway.
The only way to do this in Android is by using the BLUETOOTH_PRIVILEGED permission, which, as you can see, is only granted to apps in /system/priv-app/ or apps signed by the platform key of the device.
So unless you have root and can move your app to /system/priv-app/, you can't do what you want. Even if you can do this, however, don't. It's not a good user experience when someone installs an app, only for it to move itself to the system partition and start pairing without any notification.

Related

Device admin app for rooted android

We have our own rooted hardware device with Android OS 7.0.
We are building an app for that device. We have to restrict the users who will purchase that device from performing some actions. Here is the list of actions we want the user to be restricted from performing on the device through the app.
Stop installing/uninstalling any other apps from OS.
On/off wifi
Pair Bluetooth
Change wallpaper
The basic idea is to make an app which will be a system app and will restrict the user from the things mentioned above.
Is it possible to make such an app? Looking for help with any of the above tasks. Thanks
Short answer: NO.
Here is why:
The Android operating system is based on permissions, and no app can restrict those actions even with the user's permission. The reason for this is the Android app layer, which provides all the capabilities you described above.
The only way you can do such a thing is to customize the ROM of the phone. In this case, you can override the functions that allow the user to use such services.

VPN activation warning message - Android

The linked image shows a message box that pops up when I try to configure the VPN programmatically (using ToyVPN).
https://www.dropbox.com/s/fpc9df0k0w15nfw/screenshot.png
Is there any way to bypass this message without rooting my device?
Thanks in advance.
No, and even a rooted device is likely to say the same. This is Android's security framework kicking in. Because a VPN intercepts all network traffic, this potentially impacts all apps on your device, not just this one. Hence the need to explicitly gain approval from the user.

Building a native app to uniquely identify, track and lock a smartphone handset

I'm currently doing some research about my project, a smartphone tracking native application, and I have four questions. Links to any material I can read up will be greatly appreciated, and the most useful/comprehensive response will be accepted.
The primary target smartphones are the Android, Blackberry and iPhone models.
For starters I found out here Uniquely Identify an Android Handset that IMEI can be used to uniquely identify Androids but I think I once read that it can be faked. I don't know about the iPhone and Blackberry.
What's the most reliable way to uniquely identify the smartphone device, if any? Can MAC addresses work or is it possible to spoof that? Can IMEIs truly be faked?
Is it possible to "lock" the device with a custom error message remotely via its unique identification, once the device is reported as stolen? This lock state will remain on the phone even when disconnected from the network, until it is reconnected to the network and unlocked remotely once again.
Assuming such a remote phone lock is possible, can such be reversible by the thief? The native app will run in stealth mode so that it cannot be uninstalled.
Can a cross-platform solution work in this case, or will I have to develop various native apps per platform?
EDIT:
Some more context. As Till rightly said, Apple's "Find my Phone" does this exact thing already (I am just finding out about it, but it looks like a perfect fit already). The user who is choosing to install the app is informed that the phone will be uniquely identified if they do install the app. As for locking the device, "Find my Phone" does it (I gather). Now I need to know how that might be possible on the two other platforms.
With regards the iPhone side of things:
You aren't allowed to uniquely identify the iPhone like that. Apple have just forbidden it unless you get the user's permission first. So if they refuse you permission, your app won't function and you'll need to find another way.
No, you can't do that.
See 2. Also you can't run an app in "stealth mode"
See 2.
Only the network operators can talk to the handsets on an IMEI level. The IMEI number IS the MAC address of GSM networks. However, you can't access that unless you have control of the network. Sure you can get the IMEI from the user, but you can't use that to locate the phone. On CDMA networks this address is called the MEID number.
But there are other ways:
You can get location data on either platform with the users' permission. This is the way you should think about developing your application. You'll want to assign a UUID to a user once they download and install your application on their phones. You can then have the phones report to a server every so often (heartbeat). As long as the phone is powered on and connected to a network, the user would be able to locate the phone.
You can also get the phone's IP address on the network, among other things -- such as contacts, messages, files, cache data, etc.
On Android it's pretty easy to implement this kind of functionality as a service that would only be visible on the packages page. Further, if you have root access, you can write whatever kind of rootkit you want such that it hides itself from the system. Same with a jailbroken iPhone. I am not as knowledgeable about iPhone services though.
Either way, the only cross platform compatibility you'd be able to exploit would be perhaps the way data is sent and received from the server. You could use some standard such as JSON to send and receive data (and hence the same server). Although both platforms have JSON and Apache libraries, the other parts of the apps or services themselves will need to be completely and dependently developed for each platform (UI, Internal Content Handling, Syscalls, Permissions, etc).
You can remotely lock, wipe, factory reset, etc. Android devices using the security and device administration Android system interface. This still requires the user to grant permission and it asks them in a more.. obnoxious.. way so that they know what exactly they are agreeing to when they give an app device administration permission. If you ever use an Exchange server for business or school, it's likely you'll run into this.
I am unsure about remote iPhone device administration on a jailed system.
If you really want something that can't be removed lest you do a factory reset, you'll need to know a thing or two about Unix programming, and a lot about the operating systems that their respective SDKs don't (and probably shouldn't) tell you. You'll need to be comfortable poking around sources and even reverse engineering if called for. If you're still interested, you'll want to hang around the circles that work on custom phone firmware and software for the iPhone, and Android (and Blackberry). I would start with Android. It's probably the easiest since the sources for the AOSP are easily and legally available.

Is there a way for automatic/programmatic pairing of 2 Bluetooth devices in Android?

I am developing an application which connects devices over Bluetooth and exchanges messages. It works fine for paired devices, but I would also like it to automatically pair devices that are not paired. For example, it could store and use the same PIN for pairing requests. I just don't know how to manage this request programmatically in my application, how to automatically set and send the PIN when you get a pairing request, and how to initiate such a request with the predefined PIN code.
Any snippets or thoughts would be highly appreciated! :)
EDIT:
I know it's risky; I am developing this app for emergency situations only, where no other means but Bluetooth is available. Also, is there maybe a way of premature pairing with devices without even connecting to them? Let's say there is a list of MAC addresses of those devices and I can use them to generate a bond with those devices so that they appear paired on my device?
You can't do this. To do what you want to do would create a huge security risk. Think about it, my device just comes anywhere in bluetooth range of yours and now I can send you anything I want without you knowing? You can't really do this and I highly recommend not trying to subvert it.
Reflecting the setPin method allowed me to send the PIN automatically to the other device. I had to implement it in a broadcast receiver that is listening for pairing requests. Although I can't get rid of the dialog, it just gets stuck there on the screen and I don't know how to close it (programmatically) and continue the bonding procedure, since this dialog is called from inside connect(), which is a blocking method. I am not giving up on it yet though :)
With Bluetooth version 2.1 and above there is a method of pairing called the 'just works' association model. This is the lowest security method of pairing and has no protection against man-in-the-middle attacks.
However, this will provide a secure, encrypted link without the need to exchange pin numbers or verify device ID.
The API on different platforms may differ but the underlying HCI messages require that you indicate that your device (or one of the devices) has the following IO capabilities:
No Keyboard, No Display.
As you might have guessed, this is a mode for very simple devices that use Bluetooth, such as a speaker or headphones.
If you can find the API to configure that, then the 'just works' association mode of Secure Simple Pairing will be used for pairing.
The next step is to store the link keys e.g. bonding. Many devices e.g. mobile phones, will still create a dialogue box to the user to ask if they want to 'remember this device', as user authorisation is specified by the BT specifications... but that's another problem.

Confusion Regarding createInsecureRfcommSocket()

I'm aware that Android 2.3 has the methods: createInsecureRfcommSocket() and createInsecureRfcommSocketToServiceRecord(). I've been searching for a way to exchange data between devices, both using my application, without the need for pairing/bonding and user confirmation. Will these methods allow me to, say, connect to a brand new device never before paired, and exchange data without prompting the user in any way?
Thanks. I was unable to find a specific answer to this question elsewhere.
The pairing process will still happen, except that if Devices are 2.1 and above, then the user will not be prompted for confirmation or for entering passkey during the pairing process. This is called using the "just works" model for pairing.
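
The two answers above that mention the 'just works' model both rest on how Secure Simple Pairing picks an association model from the IO capabilities each side declares. The sketch below is an added example, not code from any of the posts: it models that selection for BR/EDR Secure Simple Pairing and flags which pairings end up without man-in-the-middle protection. The function names, the sample device list and the omission of out-of-band pairing are assumptions made for illustration.

```python
from enum import Enum


class IoCap(Enum):
    """IO capabilities a device can declare during Secure Simple Pairing."""
    DISPLAY_ONLY = "DisplayOnly"
    DISPLAY_YES_NO = "DisplayYesNo"
    KEYBOARD_ONLY = "KeyboardOnly"
    NO_INPUT_NO_OUTPUT = "NoInputNoOutput"


def association_model(local: IoCap, remote: IoCap):
    """Return (model, mitm_protected) for one pairing attempt.

    Out-of-band pairing is not modelled (assumption of this example).
    """
    caps = {local, remote}
    # A side with no keyboard and no display cannot show or enter anything,
    # so the pairing falls back to 'just works': encrypted, but unauthenticated.
    if IoCap.NO_INPUT_NO_OUTPUT in caps:
        return ("Just Works", False)
    # A keyboard on either side allows a passkey typed by the user.
    if IoCap.KEYBOARD_ONLY in caps:
        return ("Passkey Entry", True)
    # Both sides can display the number and take a yes/no answer.
    if local is IoCap.DISPLAY_YES_NO and remote is IoCap.DISPLAY_YES_NO:
        return ("Numeric Comparison", True)
    # At least one side is DisplayOnly and cannot confirm the number, so the
    # comparison is auto-confirmed there and the key is unauthenticated.
    return ("Just Works", False)


def unauthenticated_pairings(attempts):
    """Names of devices whose pairing would have no MITM protection."""
    return [name for name, local, remote in attempts
            if not association_model(local, remote)[1]]


# Constructed sample data: (device name, local capability, remote capability).
SAMPLE_ATTEMPTS = [
    ("headset", IoCap.DISPLAY_YES_NO, IoCap.NO_INPUT_NO_OUTPUT),
    ("phone", IoCap.DISPLAY_YES_NO, IoCap.DISPLAY_YES_NO),
    ("keyboard", IoCap.DISPLAY_YES_NO, IoCap.KEYBOARD_ONLY),
    ("sensor", IoCap.DISPLAY_ONLY, IoCap.DISPLAY_ONLY),
]

if __name__ == "__main__":
    for name, local, remote in SAMPLE_ATTEMPTS:
        print(name, association_model(local, remote))
    print("no MITM protection:", unauthenticated_pairings(SAMPLE_ATTEMPTS))
```

A host that needs authenticated links can use a check like `unauthenticated_pairings` as a policy gate and refuse to bond when the selected model offers no MITM protection.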
