We have our own rooted hardware device with android OS 7.0
We are building an app for that device. We have to restrict the users to performing some of the actions who will purchase that device. Here are the list of actions We want user to be restricted to perform on the device through the app.
Stop installing/uninstalling any other apps from OS.
On/off wifi
Pair Bluetooth
Change wallpaper
Basic idea behind is to make an app which will be the system app and will restrict user from the things mentioned above.
Is this possible to make such app? Looking for help in any of the above tasks. Thanks
Shor answer: NO.
Here is why;
The Android operation System is based on permissions, and no app can restrict that actions even with the users' permission. The reason for this is because of the Android App Layer that provides all the capabilities you described above.
The only way you can do such thing is to Customize the ROM of the CellPhone. In this case, you can override the functions that allow the user to use such services.
Related
Is there any difference in the privileges of an Android DPC application and a system application? Will a system application be able to perform all the functions that a DPC can perform such as setting the device to Single Use Mode?
Well, there is no-such difference in privileges as far as the Android system is concerned.
If you look at the Android Platform Architecture, you will find that the even a normal user app have the same access to all the system resources as a system app.
Apps included with the platform have no special status among the apps the user chooses to install. So a third-party app can become the user's default web browser, SMS messenger, or even the default keyboard (some exceptions apply, such as the system's Settings app).
You can read about more differences in system and user app here.
Also, another interesting point to note is that on a production device there are only 3-processes that run as root, the Zygote, the app_process and the adbd (though it doesn't allow root access directly using adb). That means, all other apps run under their own user_id with different permissions and since Android doesn't differentiate between apps, two apps having same permissions are allowed same privileges and access to resources, regardless of the fact whether it is a system app or a user app.
Now, to answer your question, if a system app has the same privileges as the DPC app, then yes the app would be able to perform the given task (like setting the device to Single Use Mode) same as the DPC without any problem.
As a side note, if you are planning to create a DPC for you organisation, using the DPC SUpport Library is better than creating and shipping a system app.
P.S. To change a System setting your app would need the WRITE_SETTINGS permission.
I am developing an app with requirement that one app can be there in android system. No other app can be installed or remove google play store application as well. How can i achieve this?
As long as your device runs Lollipop or greater, you will want to set your app as a device owner. Note, this is different than device administrator. An app is granted device owner permissions only during device provisioning at the welcome screen of the Google Setup Wizard. The device owner is restricted when it can be set because of the control it has. Only one app can be the device owner.
A kiosk solution will set a device up with an app as the device owner. It will suspend all packages that shouldn't be available using setPackagesSuspended.
Some additional links you may find helpful (all require device owner for a COSU/kiosk-mode solution):
setApplicationHidden
addUserRestriction
DISALLOW_INSTALL_APPS
Look into the TestDPC app. Google provides source code to it and it will have most, if not everything of what you need.
https://developers.google.com/android/work/build-dpc
https://github.com/googlesamples/android-testdpc
Other solutions I've seen (mostly on pre-Lollipop releases) are to use a custom launcher to hide non-approved apps. This custom launcher is sometimes referred to as a secure launcher, but hiding apps instead of suspending them as the device owner is much less effective. Secure launcher, IMO, is a misnomer.
I've just found an app that allows to disable Samsung apps without root, and in the background:
https://play.google.com/store/apps/details?id=com.hecorat.packagedisabler
And also this free one:
https://play.google.com/store/apps/details?id=com.ospolice.packagedisabler
How could this be? It doesn't even show a system-type alertDialog to ask the user if it's ok to disable the app. Did they find a flaw that allows doing so?
Is it only for Some Samsung apps? What about other apps and other companies? Is is possible there too?
Could the same mechanism be used for other operations? Like enabling apps?
I currently don't have a Samsung device, so I can't even check this app.
You can hide or unhide the apps provided you make your app as device owner with the api setApplicationHidden of DevicePolicyManager
Your app needs to be the device owner of the device. In order to become a device owner, you either need to do an NFC configuration or adb command shell. You can find a very well written blog by Florent here.
However, there is a new method of getting your application to become a device owner starting with Android Marshmallow. With a lot of limitations though. You have to be an EMM provider and your client has to have a google business or edu licensing for this to work.
There is no application on the google play store that allows your app to become device admin. As a device owner you have a lot of things you can control on the device and hence, I believe Google may not want to provide this kind of control without proper safeguards.
With regards to Samsung Devices, they provide their knox sdk as mentioned with other answers here which gives you access to certain APIs that are not allowed via stock Android.
I want to build an android service that uses the Device Administration Api (http://developer.android.com/guide/topics/admin/device-admin.html).
The problem is that i dont want the user to enable my service. I know that this is not possible for a regular application by i am cooperating with an oem so i am going to use a custom rom and my application can be a pre-installed system app.
So my final question is if a system app with the right permissions is able to use Device Administration Api without needing user activation of the app as device administrator. If this is possible can someone tell me how this is done? Please help me.
I have recently been reviewing Android's Device Administration API in order to find a way to protect a device from having certain apps forcefully stopped or uninstalled. I came across wipeData() as follows:
http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#wipeData(int)
What is the point of this if a user can simply wipe the data from the device's "Settings" menu? When I originally posted this question, I didn't realize that one effective use could be to remotely wipe a device. I get that, but what I'm specifically after is protecting certain features so that a user cannot access them outside of an app that has been granted policies that manager those features.
For example, on my particular device, I can choose System Settings->Backup & reset->Factory data reset and clear everything. A similar case can be made for many of the other options exposed by DevicePolicyManager.
When using the Device Administration API, is there a way to disable these built-in features so that only the app registered for the Device Administration API can perform them?
what I'm specifically after is protecting certain features so that a user cannot access them outside of an app that has been granted policies that manager those features
There is no meta device administration (i.e., the administration of device admins).
A similar case can be made for many of the other options exposed by DevicePolicyManager
The user has the ability to do nearly nothing offered by DevicePolicyManager.
For example, the user cannot block the camera from the lockscreen, nor can the user block app widgets from the lockscreen, which is why I had to write a utility to do that (as I didn't want to install a closed-source device admin from the Play Store).
Most of the methods on DevicePolicyManager revolve around password quality, and the user cannot set policies for his/her own passwords and have them be enforced.
And so on.
When using the Device Administration API, is there a way to disable these built-in features so that only the app registered for the Device Administration API can perform them?
By definition, only device admins can do device admin things. However, there is no way for one device admin to block another device admin. The only sort-of exception to this is in terms of the various password quality settings, where the strongest setting is applied.