Trusted Execution Environment (TEE) on iOS and Android

In the FinTech area there is a lot of talk about the use of Trusted Execution Environment (TEE). I know that on both iOS and Android it is possible to use some key store APIs to generate keys and use them for signing/decrypting. But the code oneself writes is running as a normal app.
My question is, is this the only available use of TEE? Or is it possible for a normal application developer (i.e. one who isn't the manufacturer of the handset etc.) to write an app where the code in the app itself runs in the TEE? I have not been able to find documentation with Google or with Apple that describes how this would be done. Are there special APIs available?

There are different TEEs out there on different devices. OP-TEE, Trusty TEE, QSEE, TLK, Kinibi (previously t-base, previously mobicore), etc.
From what I know, only Kinibi (since mobicore) allows for app developers to develop/deploy Trusted Applications along with the normal app (without the need for an OEM to sign).
At least with Global Platform standard APIs, your TA may be source compatible across TEEs.

As M. Chang pointed out, according to source.android.com it's not possible right now. So, I believe the answer to your question is no. A normal application developer can't write this kind of app.
Third-party application development is not supported in this version
of Trusty.
Hopefully it will change.
Important: Trusty and the Trusty API are subject to change.
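
The key store route mentioned in the question, as an added example that is not part of the original posts: a third-party app can generate a non-exportable signing key in the Android Keystore, check whether it is held in secure hardware, and sign with it while its own code still runs as a normal app. The class name and key alias are hypothetical.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

public final class TeeBackedSigner {
    private static final String PROVIDER = "AndroidKeyStore";
    private static final String ALIAS = "example_signing_key"; // hypothetical alias

    /** Generates a non-exportable P-256 signing key pair in the Android Keystore. */
    public static KeyPair generate() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, PROVIDER);
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .build());
        return kpg.generateKeyPair();
    }

    /** True if the key material is held in secure hardware (TEE or secure element). */
    public static boolean isHardwareBacked(PrivateKey key) throws GeneralSecurityException {
        KeyFactory factory = KeyFactory.getInstance(key.getAlgorithm(), PROVIDER);
        KeyInfo info = factory.getKeySpec(key, KeyInfo.class);
        // API 23+; superseded by KeyInfo.getSecurityLevel() from API 31.
        return info.isInsideSecureHardware();
    }

    /** Signs data; the keystore performs the private-key operation, the app never sees the key. */
    public static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        if (!isHardwareBacked(key)) {
            // Fail closed when the device only offers a software-backed keystore.
            throw new GeneralSecurityException("key is not hardware-backed");
        }
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(key);
        signer.update(data);
        return signer.sign();
    }
}
```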

Related

How to locally manage an android device?

I am creating a personal application that can locally manage/control an android device. In particular, I want to be able to do things such as lock down the device, enforce password policies, and wipe the device according to the local state of the device. I have reviewed a number of possible ways of doing this, but that is where I run into trouble.
According to this documentation, DeviceAdmin is essentially deprecated (i.e. the device must be Managed or have Managed Profile to access most of the DeviceAdmin API).
According to this documentation, creating a custom Device Policy Controller (DPC) is essentially deprecated. Side note: from context I am assuming a DPC is essentially a DeviceAdmin with a Managed device/profile but I can't find anywhere that explicitly states that (please correct me if I am wrong).
And finally I'm led to the Android Management API, which at first seems to be what I want. Until I go through the quickstart and find out that I have to create a server and manage the device through a client-server relationship. As a reminder, I am looking for a way to locally manage the device. Now there are release notes indicating that local management may be coming in the future, but that is not now.
So here is my question: is there a currently supported way to locally manage a device?
I am aware of a developer hack that can set an application as a device owner. And while this may be able to work for my personal use, that seems like a pretty big hole in terms of enterprise management.
It is correct that, as of today, Android Enterprise has no way to manage a device locally. There is an open feature request to add support for the local execution of commands as part of our push for extensibility integration with the AMAPI SDK. But as mentioned, it is not currently supported.
Despite Android Enterprise no longer accepting new registrations/validations for custom device policy controllers (DPCs), developers can still build a device policy controller to lock down a device, enforce password policies, and wipe the device according to the local device state. You can still build one and deploy it to your device with a QR or NFC. That said, it's important to note that the DPC would NOT be able to use the Play EMM APIs (so, no app management via the Play Store). This limitation may disqualify the solution for you.

Secure Environment in android app statusbar

I got this question when I noticed that banking and payment-related apps show a specific icon that indicates a secure environment.
I searched on Google but I didn't find anything there.
Please check the screenshot below to better understand.
I came across a similar question as well; there is not much information about this. First, I saw this on the Samsung S-pay website, saying:
A Secure Environment is a physically segregated chip in the phone
which only allows access to highly sensitive operations/information
such as fingerprint and payment information. Normal applications and
malware have no access to the information in a Secure Environment.
If you search more with the keyword Trusted Execution Environment, then you can see it is a security standard specified for the mobile environment. Like this.
So when your Android code is being executed in the Trusted Execution Environment, the "Secure Environment" sign will appear in the app bar to inform you that you are in a secure transaction. As per my observation, it mostly appears when we are using our fingerprint, which actually makes sense, as accessing a fingerprint (or PIN) requires a higher security standard.

Utilize and complement Android's enterprise features

As Google says here https://developer.android.com/work/guide.html
As an Android developer, you can deploy devices and apps to employees
and keep your corporate data secure.
And also here https://developer.android.com/work/index.html
Android in the Enterprise Develop apps for the enterprise that take
advantage of the security and management features built into Android.
But this set of webpages does not provide a detailed step-by-step explanation of what ENTERPRISE PROFILE CONFIGURATION is and HOW TO USE IT.
Let's say I need to install a couple of enterprise applications and prevent them from being uninstalled via the enterprise profile, for instance.
Is it possible to do?
After 3 hours of investigation I found only one light and elegant way to achieve my goal.
CUSTOM ANDROID LAUNCHER DEVELOPMENT
This custom launcher could contain:
One screen only with predefined icons.
No icons to see all apps or settings.
Button to add/remove apps to the main screen, which is protected by an internal launcher password (only the admin knows the password, or it can be server-side AUTH).
So employers take this preconfigured smartphone and do what they must according to their work task while being restricted by the launcher's possibilities. Also they cannot uninstall it at all.

Does Android OS for Mobile Phones share the same code base with Android Things?

Do they share the code base and version number?
Does Google release the same piece of code for both and just use different flags for mobile phones and Android Things?
This may be a strange question, as I am particularly interested in Android Application Framework.
Do they share the code base and version number?
From an Android application developer's viewpoint there is not much difference between Android OS and Android Things. I.e. you can successfully deploy an Android app developed for Android (OS version 7+) on a platform running Android Things.
Does Google release the same piece of code for both and just use different flags for mobile phones and Android Things?
No "flags" at all. It's rather a matter of adding new system (C/C++/Java) services specific to the supported platforms with its underlying hardware or removing the old ones, needed for mobile devices and not related to embedded systems. Actually Android Things is pretty much an inheritor of Brillo.
As a quick look consider the following overview of Android Things OS to see how it differs from Android.
With regards to the Android Application Framework, you can expect the vast majority of APIs to be the same on Android phones and Android Things. Specifically, this page details the APIs that are not available:
CalendarContract
ContactsContract
DocumentsContract
DownloadManager
MediaStore
Settings
Telephony
UserDictionary
VoicemailContract
Additionally, a few Google Play Service APIs are not available.
In terms of whether Google releases "the same piece of code for both" the answer is a bit complicated. Android's framework is a combination of a lot of files, some of which only make sense for specific form factors. Different build configurations state what files to include, which to not include, and how exactly to build the correct system image.

Can I use android for this? (app for corporative use)

(Sorry for my English)
I'm new to using Android (in fact, I'm just testing Android) and I have a lot of questions...
Well, let me explain the situation. At the moment, in my job, I am writing my code in C# and running it on Windows Mobile 6; the apps are used to make sales, send bills, reserves, etc. The devices (iPAQ 216) are given to the salesmen, and they must use the apps and update them via the internet.
Each salesman has a unique client list, unique data and (in some cases) a unique set of apps, which means that I need to prepare a different package for each salesman. Using a Microsoft tool (cabwiz) I can automatically prepare a different package for each one of the 150 salesmen. They download their specific package using a tool written by me, and install it and everyone is very happy (maybe)...
Is that possible in Android? How? And if it is not possible, do you have an idea how to accomplish something like that...?
It's not going to be as easy as cabwiz, I can tell you that. But it would be possible, theoretically, to write a script that modifies/generates the unique portions of the source and then compiles a new copy for each user.
If the only difference between the apps is the data on them, then there is no need to generate a different package for each user: have the app download the data from your server and save it after the app is installed. You could also make some modules (I can only guess what kind of functionality you're talking about with regards to different apps per user) only accessible to particular users.
Yes, it's possible however:
You may want to look into writing in Java rather than C# as that's more officially supported on Android.
There are some limitations of the Android APIs; in particular there are basic behaviors of the device that can't be altered - without rooting there's no equivalent to the "hook" functionality of Windows.
Make sure you get devices with the menu option to enable installation of applications from 'unknown sources'; otherwise deployment will be a lot more difficult. At the moment, this amounts to avoiding AT&T, as their devices presently confine you to the Android Market or physical connection to a machine running the developer tools as distribution channels. (As a workaround you can upload your apps to the market and not publish them, though that won't fully keep them private unless you also include something to require authorization when they run. You could also install the minimal set of dev tools on the salesmen's laptops.)
You will probably want to learn about the command-line application build tools and scripting in order to generate a custom apk for each salesman. Once the devices are set to allow unknown sources, you should be able to email the salesman the apk (or a link to it) as an attachment. You should also be able to make the custom apk refuse to run except on a device matching some fingerprint data you've previously collected. While you can develop for android under windows, you may want to look into switching to linux in order to make some of this scripting a little more natively elegant.
