Security of an Android application - android

I am developing an Android application and I am planning to release this build in “Open Beta” on the Google Play Store.
I want to implement the app security logic which can ensure that the beta build won't work after certain date dd/MM/YYYY.
Currently, I can think of two approaches for this logic:
Retrieve current date from the device (using Android code to retrieve system’s time)
Issue: User can change the device date to hack the security system
Use time server to check the current date

Issue: My application don’t need internet connection and hence it will be bad user experience if I am asking for internet connection at the start of the app
I have following questions:
What alternate approaches (other then checking dates) can be used to ensure that the app won’t work after date dd/MM/YYYY?
How can I detect that the user has changed device date manually?
Other approaches to find current date even if device is offline?
EDIT:
The beta build has all the premium features free and hence I don't want beta build to work after date dd/MM/YYYY.
NEW QUESTION:
I have implemented the code to check the real date using time server at the start of the application. What possible hacks can be done by users to access app after the date dd/MM/YYYY?
Thank you in advance.

Agreed you don't wish the device to be dependent on the internet. At some point however, the device will be online (A human will never leave his/her device offline since the installation of your app). At that point you check the time stamp and proceed from there. You could disable the app or perform any action. Many apps exhibit this behavior to run an action when and only when the net is connected.
Other than the net and device clock the only other final solution you have is to run a background timer from the moment the app is installed. Good luck

The new Permissions model includes "Internet" as default (you don't need to request it specifically anymore).

If you don't want to use internet you can use following idea. Get current timestamp when running application first time and save it preferences or in external storage. check current time stamp with saved timestamp every time user launches application. please check for negative values to prevent user setting previous dates.

You can check the date, and at the time that the date exceeds the deadline, you can save a variable in preferences, so that when you enter the application, even if they change the date, the application will detect that date been exceeded.

Related

Can MDM restrict user to change date time settings

Through MDM policy prevent user to change the date time settings? Can Device date and time should be controlled from server ?
MDM protocol/Configuration profiles doesn't have such functionality.
Potentially, you can find some private API's which can help you with that. However, it's time consuming (to find such a thing) and you can't release such things to App Store.
MDM does not support such functionality as Ram mentioned. In case you need to know if the user has changed time then following can help.
Date and time change listener in Android?
Please register the broad cast receiver in static way.

Why does one app launch faster than the other?

I'm curious about this. I have an app called GoSMS PRO and an app called Contacts+ installed in my phone. They both popup an alert notification when a text message is received. However, GOSMS PRO always beats Contacts+'s popup. I was wondering how this was happening in a programming perspective? Is there a way to give a certain app more preference than the other.
From security and permission side every app from Google Play has similar privilege, if they are not signed by the certificate of device manufacturer. This also means that none of the app will get extra preference.
Some time app do many type of checking/initialization/loading before showing their UI and when this type of things happens apps take longer period to load or display UI.
Most common things people do
Creating and initializing database
Reading database.
User validation (reading file)
Device state scanning(network)
Most common case is database access. I wonder if the app reading Content Provider before showing UI it might take long time depending on your device hardware and number of contacts.
Key strategy would be showing the UI right way and load data in background. Android has lots of Asynchronous api, just to avoid this type of scenario.

Locking out user from Android application

I'm looking in to the capability of locking out a user from using my application further. Let's say your app will run for some time, and after some event (time expiration, # of app starts, etc.), you want to lock out the application, or brick the app in some way that it can't be used anymore
I've considered storing a piece of data either as an internal file, or as a shared preference value, that would track when the event is hit. The issue here I believe is that the user can go in to the OS and simpy clear the data, which would erase the progression to the lockout event.
Does the community have any suggestions of being able to lock out a user that can't be circumenvented, and doesn't require a rooted phone / unique ROM image? I am targeting Android 4.0+ if necessary, but currently have min SDK of 11, and target SDK of 15
I did this in an early beta by checking the date, then after the specific date, displaying a message saying it had expired and doing a divide by 0 error.
For a specific time after they have installed it, you will have to use an online service, or try and hide a file on the SD card (not guranteed to work at all).

programmatically temporarily disable auto-update

I have a Bike computer app that logs data while the user is riding. I have had a user report an issue I had not considered. He was out for a long ride (100+ miles) but while out and logging data the app got updated via Google plays auto-update. This unfortunately killed off the app mid recording and the user lost data till they spotted what had happened and restarted the app.
Ideally I would like to be able to programmatic stop the auto-update happening while the app is data logging. All my research indicates that this is not possible possible but I may of missed something so dose anyone know of a way of doing this?
Given no solution the best I can do is advice the users to enable the update only over wifi option in the Play app which in this instance would of helped. Unfortunately one of the key points about my app is that it will log indoor sessions using ANT+ sensors so I have a good number of people using it with wifi active.
Edit
I managed to do the experiment to see what happens myself last night. I had an app going in the background data logging then pushed a new version to Google Play. Unfortunatly it was not picked up totaly automaticaly when I had to leave 10 hours latter but I opened up the play store app and it found the update it did not start updating automaticaly but I forced it. The act of downloading and installing the new version killed off what was in progress. It was already dead before I used the notification to go to the new version.
As you say yourself, you can't do that what you are asking for. You could hack your way around it by changing the permissions each time you update. The users will then be prompted about it in the regular way.
I'm not sure about the "life-cycle" for automatic updated apps that are running. But I read somewhere that is wasn't the re-install but the reopen of the app that crashed it. If that is the case you could set a flag indicating that the user is currently logging and then on restart just resume the logging. But again we need to know more about the inner workings of activities/apps which are running and get an automatic update (actually didn't think it could happen).
Edit
Based on your findings I'd say you have to handle the app is shut down in onDestroy etc. or/and make sure you save everything persistently. Then you might need to have 2 apps where 1 listens to the other being re installed and when that happens it starts it up again (there is an interesting discussion here). If you are targeting api >= 12 then the broadcast action ACTION_MY_PACKAGE_REPLACED might also have interest.

How to prevent user changing system date/time (in Android)?

I have googled, but I can find no advice to prevent user change system date/time in android.
We are developing an Enterprise Application, we would like to prevent the user of the device to be able to set time settings. In other words, we want to set a policy which defines, that user cant change date and time in android device.
Are there any recommendations to do this?
Thanks.
Here is a third alternative that should significantly save on battery life:
Register a BroadCast Receiver for when the time gets changed by the user. Then disable the app until the device time is checked against network-time or server-time.
Those Broadcast Receivers exist. I just checked now with this app called Internal Broadcast Monitor I just found on Google Play.
Here is the interesting part below where I changed both the time and the date:
And below is the part where I changed the time zone:
.
Since there is no policy support for this in the device administrator framework, you can't. File a feature request, it might get added in a next version.
I don't know of any way that you can change the default behavior of the device.
You can however prevent your application from running if the system time differs from the network time. Or you could use the network time in your app instead of system time.
The answer to this post explains how to access the network time.
How can I get the "network" time, (from the "Automatic" setting called "Use network-provided values"), NOT the time on the phone?
you can save current time to db when application start and check every 1 minutes if current time not equal to db time+60 set system time to db time+60.

Categories

Resources