Criteria for passing SafetyNet Verify Apps API - android

I created an app that uses the SafetyNet Verify Apps API. The app is working without any error, and on all the devices that I tested it on it said no harmful apps were found. I would like to know what the criteria are for an app to pass the SafetyNet test. If I know that, I will create an app that will fail the test, to verify that the feature is working correctly. I tried to read through Google's documentation but I was unable to find anything on this matter.
Is there such an app? What feature must my app have to fail the SafetyNet test?

An app will fail the check if it is determined by Google to be "malicious".
Think of Verify Apps as something similar to an antivirus. It will catch what the developers define as a malicious app. The definition is opaque, and might change from app to app.
So if you want to see Verify Apps catching something, how about you get a test device with nothing important on it, or an emulator, and then try finding some malware and installing it on the device? Doing this may, in the worst case, damage your device, so do it at your own risk.

Related

Flutter App - Preventing Google Prompts from Taking Over The Screen

I have a Flutter app that is designed to be placed as a fixed camera and, based on what it sees, give commands for IoT purposes.
To prevent it from sleeping, I am using a library called wakelock. (https://pub.dev/packages/wakelock)
Unfortunately, this doesn't prevent another issue, Google Prompts. When I log into my developer account on my laptop, the development phone is taken over by the prompt asking "Are you trying to sign in?"
I don't really want to have the solution be to log out of google on the phone, since the app is downloaded and updated via the play store.
I also don't want to disable two-factor authentication, I just don't want it to take over this developer phone; it's fine if it does so on my personal phone.
So a google settings solution, or a flutter code solution would be really helpful, have been able to find neither.
TLDR: I tried having the Android phone as a 24/7 IoT camera with my Flutter app, and was expecting it to stay on, but it was interrupted by the Google Prompt.
The easiest solution seems to me to be setting up a separate Google account; this way the app could continue to be updated from the Play Store without being tied to your personal account, so you shouldn't receive 2FA prompts.
Another thing that might help is "Pinning" the app, which doesn't allow the app to be exited without authentication.
If neither of those work, a more advanced option could be to set up the phone with device management and use the lock task mode, but the work involved with setting that up is probably prohibitive for your use-case.
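The lock task mode the answer mentions, as an added example written against the Android framework APIs (not code from the question or the answer): an Activity that whitelists its own package and enters lock task mode when it is the device owner. Once a package is in lock task mode, Home, Recents and the notification shade are disabled (with LOCK_TASK_FEATURE_NONE) and activities from packages outside the whitelist cannot be launched on top of it. The package and receiver names are assumptions; in a Flutter app this logic would live in the Android host activity.

```java
import android.app.Activity;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.os.Bundle;

/** Kiosk-style activity that pins itself on screen using lock task mode. */
public class KioskActivity extends Activity {
    // Assumed names. The receiver is a DeviceAdminReceiver subclass declared in the manifest,
    // and the app is made device owner once, on a factory-reset device with no accounts:
    //   adb shell dpm set-device-owner com.example.kiosk/.KioskAdminReceiver
    private static final ComponentName ADMIN =
            new ComponentName("com.example.kiosk", "com.example.kiosk.KioskAdminReceiver");

    private DevicePolicyManager dpm;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        dpm = (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE);

        // Only a device owner (or profile owner) may set the lock task whitelist.
        if (dpm.isDeviceOwnerApp(getPackageName())) {
            dpm.setLockTaskPackages(ADMIN, new String[] {getPackageName()});
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                // No Home, Recents, notifications or global actions while locked.
                dpm.setLockTaskFeatures(ADMIN, DevicePolicyManager.LOCK_TASK_FEATURE_NONE);
            }
        }
    }

    @Override
    protected void onResume() {
        super.onResume();
        // Whitelisted packages enter lock task silently. A non-whitelisted package would
        // instead get the user-confirmed "screen pinning" variant, which any user can exit.
        if (dpm.isLockTaskPermitted(getPackageName())) {
            startLockTask();
        }
    }

    @Override
    protected void onDestroy() {
        // Leaving lock task mode is only allowed from within the locked task itself.
        stopLockTask();
        super.onDestroy();
    }
}
```

Without device-owner provisioning, startLockTask() still works but falls back to ordinary screen pinning, which the answer calls "Pinning": the user can leave it by holding Back and Recents, and a PIN is required only if the lock screen is configured to ask for one.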

How to detect a user after reinstalling the app

I am creating an iOS and Android app and I want to create a screen where the player can start with a guest account or can connect his account with our own account system.
But my question is: Can I detect a user after the app was uninstalled and installed again?
I know that there is something like the vendor. But this will change.
I know that other apps also can do this.
With the user's permission, have them log into an account, or provide you with their Google or Facebook account info. As far as hardware IDs go, those are discouraged and are actively being removed from the API to prevent this.
Also remember that unless the user logs in with an account, you don't really know whether it is the same person. You could know it's the same phone, but you don't know if he gave it to his kid sister to play on. Or sold it when he got a new one, and now you've given the new owner access to someone else's account. Also, if you rely on hardware IDs you won't know it's me when I buy a new phone and download it on that.
So yeah- either have him log in with a username and password, or use a 3rd party signon mechanism like Google or Facebook.
For iOS, there is a recommended approach to do that: by using the DeviceCheck framework. The idea here is that it allows you to persist 2 bits of data across app installations on each device. You can set the first bit to 1 if the user has already installed the app or 0 otherwise. And use the second bit, for example, to check if the user has signed in or not.
The official documentation is pretty good, please check it out.
The downside of this approach is that you will also have to do some work on the backend side.
UPDATE:
If you specifically want to detect the account, there is no reliable approach. One of the options is to use identifierForVendor or generate some kind of device fingerprint (for example, by combining the device model, timezone, locale, etc.), but of course, this will not work every time.
Uniquely identifying a device is a security leak, and all platforms are putting serious restrictions on unique persistent identifiers because of privacy concerns.

Disable Android Application through the certificate

My company is letting an external provider manage its internal Android "app store" for it. For this, the provider wants a p12 and the APK.
My question is: would there still be an "emergency" way for us to disable an app?
I know that on iOS there is always the possibility of disabling a provisioning profile; is there something similar with this Android setup?
Thanks
If I understand your question correctly, you want to be able to disable your application remotely?
If so, there is no built-in way to do it, with or without using the signing certificate. Even removing it from the Play Store would not prevent existing users from using it, since you can't uninstall an app for users.
The only solution I see would be to introduce a custom check when the app is launched, which would call a web service and, depending on the "status" returned, start a blocking behavior in your app. However, this requires network access, and it's not a good usability practice, since your users could see their service interrupted without warning.
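The status check from the answer, as an added example (not the asker's or answerer's code) in plain Java. The point it adds is that the status must be authenticated: if the app simply trusts whatever the web service returns, anyone on the network path, or a captive portal, can answer "ok" forever, and a clock rolled back can revive an old "ok". The app therefore ships only a pinned public key and accepts a verdict only if the signature verifies and the message is fresh; a signed "disabled" is honoured regardless of age. The wire format ("status|issuedAt" plus a detached ECDSA signature) is an assumption for the example; a real backend would wrap the same fields in JSON.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

/** Remote kill switch whose verdicts are signed by the backend and verified with a pinned key. */
public final class KillSwitch {
    /** How long a signed "ok" stays valid while offline, so a network blip does not lock users out. */
    static final long MAX_AGE_SECONDS = 24 * 3600;
    /** Tolerated clock skew; anything further in the future is treated as tampering. */
    static final long MAX_SKEW_SECONDS = 5 * 60;

    enum Verdict { RUN, BLOCK, STALE }

    private final PublicKey pinnedKey;   // embedded in the APK at build time, never fetched

    KillSwitch(PublicKey pinnedKey) { this.pinnedKey = pinnedKey; }

    /** Checks one "status|issuedAtEpochSeconds" message against its base64 signature. */
    Verdict check(String payload, String signatureB64, long nowEpochSeconds) {
        try {
            Signature verifier = Signature.getInstance("SHA256withECDSA");
            verifier.initVerify(pinnedKey);
            verifier.update(payload.getBytes(StandardCharsets.UTF_8));
            if (!verifier.verify(Base64.getDecoder().decode(signatureB64))) return Verdict.STALE;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return Verdict.STALE;   // malformed base64 or key problems: treat as no answer
        }
        String[] parts = payload.split("\\|", 2);
        if (parts.length != 2) return Verdict.STALE;
        long issued;
        try {
            issued = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return Verdict.STALE;
        }
        if (issued > nowEpochSeconds + MAX_SKEW_SECONDS) return Verdict.STALE;   // dated in the future
        if ("disabled".equals(parts[0])) return Verdict.BLOCK;                     // never expires
        if ("ok".equals(parts[0]) && nowEpochSeconds - issued <= MAX_AGE_SECONDS) return Verdict.RUN;
        return Verdict.STALE;   // unknown status or an "ok" too old to trust
    }

    /** Backend side: sign a status message. Lives on the server, shown here to make the demo runnable. */
    static String sign(PrivateKey key, String payload) throws GeneralSecurityException {
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(key);
        signer.update(payload.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(signer.sign());
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key pair standing in for the backend's; the app would embed only the public half.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair kp = kpg.generateKeyPair();
        KillSwitch ks = new KillSwitch(kp.getPublic());
        long now = 1_700_000_000L;   // fixed "current time" so the demo is deterministic

        String ok = "ok|" + now;
        String disabled = "disabled|" + now;
        String okSig = sign(kp.getPrivate(), ok);
        String disabledSig = sign(kp.getPrivate(), disabled);

        System.out.println("fresh ok:          " + ks.check(ok, okSig, now));
        System.out.println("signed disabled:   " + ks.check(disabled, disabledSig, now));
        // Tampered in transit: "disabled" rewritten to "ok" without the private key.
        System.out.println("forged ok:         " + ks.check(ok, disabledSig, now));
        // Replay of a genuine "ok" after the offline grace period has passed.
        System.out.println("replayed old ok:   " + ks.check(ok, okSig, now + MAX_AGE_SECONDS + 1));
    }
}
```

On STALE the app should fall back to its last cached verdict rather than block outright, which addresses the usability concern in the answer: only a signed "disabled" interrupts users, and a flaky network does not. This guards the channel, not the binary: someone who can modify and re-sign the APK can remove the check entirely, which is why it is only a reasonable emergency lever for an internal app store, not copy protection.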

Google OAuth Authentication suddenly fails and issues "disabled_client"

We run a web application with a JavaScript and an Android front end. We use Google IDs with OAuth for authentication. Everything worked fine until today, when authentication suddenly stopped working. There was no new software version deployed or any operational changes. Now, when a user tries to log on via the browser application, Google issues
401. That’s an error.
Error: disabled_client
The OAuth client was disabled.
Request Details
scope=openid profile email
response_type=code
redirect_uri=https://***.net/signin-google
state=***
client_id=******.apps.googleusercontent.com
That’s all we know.
When logging in via Android App, authentication fails too, GoogleAuthUtil.getToken raises an unspecific exception.
I couldn't find much information when googling for this error message. Some say, one should try to change the application name in the consent screen. This didn't help in my case.
In the developer console I noticed that I cannot create a new Client ID for this project. I always get a technical error ("Server Error Whoops! Our Bad.") with a tracking number. Seems to be related.
I have a total of 7 Client IDs registered for this project and 3 public API access keys.
Is it possible, that Google explicitly disabled our project? That's how it actually feels. For what reason? I didn't get any notification. Our product is an application for access control, nothing special or illegal here.
Any ideas? This is a production environment, so for us the problem is absolutely severe.
Thanks for any help!
In the meantime we found out that our Android app was removed from the Play Store and we got the following notification:
This is a notification that your application, <...>, with package ID <...>, has been removed from the Google Play Store.
REASON FOR REMOVAL: Violation of the Personal and Confidential Information provision of the Content Policy.Please refer to the policy help article for more information.
We don't allow unauthorized publishing or disclosure of people's private and confidential information, such as credit card numbers, government identification numbers, driver's and other license numbers, non-public contacts, or any other information that is not publicly accessible.
We are very careful about the data inside our application and we take privacy and security extremely seriously, as the whole app is about security and our customers' trust is absolutely essential. However, we recently introduced a feature that periodically sends the LogCat output to our servers for debugging reasons. Our app is in an early preview state, which we make clear in the app description. It's used by a very limited number of people as it can only be used with a special piece of hardware we provide. The LogCat output only contains data from the app itself, no confidential data of any kind. We published a couple of related apps and not all have the feature included, but all were suspended. However, we guess that this feature is the reason for the removal.
Edit
In the meantime we wrote an appeal via the form provided on Google Play. The ban was removed from Google Play and the related Google OAuth Client shortly after.
We were informed that our app collects names of running tasks and sends them to our servers, which is not the case. However, we used the Crittercism library and the Crittercism docs suggest requiring the "GET_TASKS" permission, which we did. I don't think that Crittercism is considered dangerous, as it's used by lots of applications. But maybe the combination of a logging service on the one hand and the GET_TASKS permission on the other hand, although not dangerous in our case, triggered some automatic rules at Google.
To fix this we simply removed Crittercism and all related permission requirements as it wasn't very useful for us anyways.

Android: how to integrate with another application?

I have a paid android application which uses the google LVL code to authenticate users.
A company would like to pay me so that their application can include a free version of my application. However, I'm not sure how to accomplish this in a way that won't result in an easily pirated version of my app. Below are some implementation options I am considering, but none of them seem like particularly good ideas. Any suggestions?
I deliver them an APK which does not use the LVL code. They could then package my APK with their app, and install it using the ACTION_VIEW intent. This seems like a bad idea because I think it wouldn't be particularly hard for some rogue user to extract my unsecured APK and distribute it.
Maybe I could build a version that checks to see if their app is installed, and if it is, it queries their app for some sort of unlock code. And the app will only run if this unlock code succeeds. My main concern about this is that I have no idea if "querying another app" for an unlock code is accomplishable.
This is definitely accomplishable. As already said, one way to query the app is by using a content provider. If you are concerned about security you can introduce an additional permission that both apps must hold to access the provider. Although, since it is doubtful that both apps have the same signature, it won't be as effective.
Another way would be if they had a service that you could bind to and request a code or any other authentication. In this case their service can as well validate your app's validity by querying your app's userId and checking a signature via PackageManager.
Sad news is it's almost impossible to prevent pirating your app anyway. Even with LVL... Since all this can be decompiled and eventually broken. But at least you can make the attacker's life harder.
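The PackageManager check the answer describes, as an added example (not the answer's own code) for the Android framework. A signature-level custom permission only works when both APKs share a signer, which is exactly the case the answer says is unlikely, so the partner's content provider instead identifies the caller by its signing certificate at runtime: Binder.getCallingUid() is supplied by the binder driver and cannot be forged, getPackagesForUid() maps it to packages, and the package's current signer is compared with a pinned SHA-256 fingerprint. The same helper lets the licensed app check the partner's package before trusting its answer, since a package name alone is only unique per device and a look-alike app could claim it. The package name and fingerprint are placeholders.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;
import android.os.Binder;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Provider exported by the partner app; answers the unlock query only for the licensed app. */
public class UnlockProvider extends ContentProvider {
    // Assumed values: the licensed app's package name and the SHA-256 of its release signing
    // certificate, e.g. from `apksigner verify --print-certs app.apk`. Zeros are a placeholder.
    static final String LICENSED_PACKAGE = "com.example.licensed";
    static final String LICENSED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    @Override
    public boolean onCreate() { return true; }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        // The calling UID comes from the binder transaction, not from the request data.
        if (!isCallerSignedBy(getContext().getPackageManager(), Binder.getCallingUid(),
                              LICENSED_PACKAGE, LICENSED_CERT_SHA256)) {
            throw new SecurityException("caller is not the licensed app");
        }
        MatrixCursor result = new MatrixCursor(new String[] {"unlocked"});
        result.addRow(new Object[] {1});
        return result;
    }

    /** True if the calling UID owns {@code pkg} and that package is currently signed by {@code certSha256}. */
    static boolean isCallerSignedBy(PackageManager pm, int callingUid, String pkg, String certSha256) {
        String[] owned = pm.getPackagesForUid(callingUid);   // null for unknown UIDs
        if (owned == null) return false;
        boolean ownsPkg = false;
        for (String p : owned) ownsPkg |= pkg.equals(p);
        return ownsPkg && isPackageSignedBy(pm, pkg, certSha256);
    }

    /** Usable from either side: the licensed app calls this on the partner's package before trusting it. */
    static boolean isPackageSignedBy(PackageManager pm, String pkg, String certSha256) {
        try {
            // GET_SIGNING_CERTIFICATES (API 28+) replaces the deprecated GET_SIGNATURES flag.
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            if (info.signingInfo == null || info.signingInfo.hasMultipleSigners()) return false;
            Signature[] signers = info.signingInfo.getApkContentsSigners();   // current signer(s)
            if (signers.length != 1) return false;   // pin exactly one certificate
            return sha256Hex(signers[0].toByteArray()).equalsIgnoreCase(certSha256);
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }

    /** Hex SHA-256 of the DER-encoded certificate, the same value apksigner prints. */
    static String sha256Hex(byte[] der) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new AssertionError(e);   // SHA-256 is always available on Android
        }
    }

    // This provider is read-only; the remaining operations are no-ops.
    @Override public String getType(Uri uri) { return null; }
    @Override public Uri insert(Uri uri, ContentValues values) { return null; }
    @Override public int delete(Uri uri, String selection, String[] selectionArgs) { return 0; }
    @Override public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) { return 0; }
}
```

The provider must be declared with android:exported="true" in the partner's manifest for the licensed app to reach it. As the answer says, none of this survives a determined attacker with a decompiler: the check runs inside the licensed app, so it can be patched out, and the fingerprint only raises the bar by tying the unlock to the partner's signing key rather than to a package name.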
For what you are looking to do I would create a jar out of your project and mark it as a library project. That way you can give your application out to your client but they won't be able to see the actual code you have written. Using this method they will be able to call any method directly, which would be easier than having to interact with an APK.
