DevicePolicyManager.resetPassword and DevicePolicyManager.ACTION_START_ENCRYPTION - android

I have one strange problem with resetPassword on a Samsung S4. I just want to CLEAR the password, but the result is that I cannot log in to my phone and have to do a factory reset before I can use it. What I did is listed below:
1: call DevicePolicyManager.ACTION_START_ENCRYPTION to start the storage encryption on the phone
2: accept the action, finish the storage encryption on the phone, and set the password
3: clear the password in my app by calling DevicePolicyManager.resetPassword("")
After the above steps, I cannot log in to the phone with the password I set, and the screen stays locked, prompting for the password, until I do a factory reset.
I tried to find out what the lock-screen password is after the resetPassword, and found that it is quite complex to recover the password string from the hash stored in password.key and the salt. Maybe this is not a feasible way to solve it.
This only happens on my Galaxy S4. Does anyone have any idea about that?
After some investigation, I found that this problem is caused by clearing the password while the device is still in the "encrypted" state. If I decrypt the device first, the reset password works OK.
So the current task is to find out: which API is used to decrypt the device?

Disable user login from multiple devices at the same time, in Ejabberd/XMPP

Environment:
Ejabberd Version : 16.04
Smack-android-4.1.0
I'm working on an Android chat application. Currently, the same user credentials can be used to log in from multiple devices.
The current scenario is as follows:
1. User logs in to the app on device A
2. Using the same username and password, the user successfully logs in to the app on device B
3. Now device A says it is disconnected, but the chat continues on device B
However, according to the given requirement, it should behave like this:
1. User logs in to the app on device A
2. Using the same username and password, when the user tries to log in from device B, it should not be allowed.
(Since he is already logged in from device A)
I would be glad to hear your solutions/ideas on this. Thanks in advance.
So I managed to resolve the problem using the option resource_conflict.
According to the ejabberd configuration docs:
The option resource_conflict defines the action when a client attempts to login to an account with a resource that is already connected. The option syntax is:
resource_conflict: setresource|closenew|closeold
The possible values match exactly the three possibilities described in XMPP Core: section 7.7.2.2. The default value is closeold. If the client uses old Jabber Non-SASL authentication (XEP-0078), then this option is not respected, and the action performed is closeold.
So open ejabberd.yml and add the following line:
resource_conflict: closenew
Then restart the ejabberd server.
Now it will disallow the resource binding attempt of the newly connecting client and maintain the session of the currently connected client.
References:
https://www.rfc-editor.org/rfc/rfc6120#section-7.7.2.2
Read @rubycon's answer on this: https://stackoverflow.com/a/51860779/5361779
From XMPP spec:
"If there is already an active resource of the same name, the server MUST either (1) terminate the active resource and allow the newly-requested session, or (2) disallow the newly-requested session and maintain the active resource. Which of these the server does is up to the implementation, although it is RECOMMENDED to implement case #1."
More info here https://xmpp.org/rfcs/rfc3921.html#session
So your current scenario is a recommended one.
However, I quickly checked the ejabberd source code and found it can be configured somehow (closeold -> closenew):
https://github.com/processone/ejabberd/blob/master/src/ejabberd_c2s.erl#L964
https://github.com/processone/ejabberd/blob/master/src/ejabberd_c2s.erl#L873
I'm not an Erlang specialist, but it looks like it can be achieved by modifying the source code.
If device B sets a different resource from device A, both can be connected to the same account correctly. In your tests, device B sets the exact same resource as device A, and then ejabberd kicks the older session.
I see there's an option to limit the number of sessions an account can have active on the server. The problem is that it kicks the older session, but you would like to disallow the new login. See
https://docs.ejabberd.im/admin/configuration/#limiting-opened-sessions-with-acl
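The client side of the accepted answer, as an added example that is not from any post above and not the asker's code: a Smack 4.1 login that binds one fixed resource on every device, because, as the last answer points out, closenew only refuses a second device that binds the same resource as the one already online; two devices with different resources are both admitted. The domain chat.example.com, the port and the resource name "android" are assumptions.

```java
import java.io.IOException;

import org.jivesoftware.smack.AbstractXMPPConnection;
import org.jivesoftware.smack.ConnectionConfiguration;
import org.jivesoftware.smack.SmackException;
import org.jivesoftware.smack.XMPPException;
import org.jivesoftware.smack.tcp.XMPPTCPConnection;
import org.jivesoftware.smack.tcp.XMPPTCPConnectionConfiguration;

/**
 * Client side of the "one device at a time" requirement.
 *
 * resource_conflict: closenew only refuses the new login when the new
 * client binds the SAME resource as the one already connected; two
 * devices using different resources are both allowed. So every install
 * of the app binds one fixed resource name instead of a per-device one.
 */
public final class SingleDeviceLogin {
    /** Fixed resource shared by every device; the name itself is arbitrary (assumed). */
    private static final String RESOURCE = "android";
    /** Assumed XMPP domain and host of the ejabberd server. */
    private static final String DOMAIN = "chat.example.com";

    private SingleDeviceLogin() {}

    /**
     * Connects and logs in with the fixed resource.
     * Returns the live connection, or null when the server refused the
     * session because that resource is already bound elsewhere (with
     * closenew, ejabberd answers the bind request with a conflict error,
     * which Smack raises as an XMPPException from login()).
     */
    public static AbstractXMPPConnection connect(String user, String password)
            throws SmackException, IOException {
        XMPPTCPConnectionConfiguration config = XMPPTCPConnectionConfiguration.builder()
                .setUsernameAndPassword(user, password)
                .setServiceName(DOMAIN)
                .setHost(DOMAIN)
                .setPort(5222)
                .setResource(RESOURCE)
                // the password must not go over the wire without TLS
                .setSecurityMode(ConnectionConfiguration.SecurityMode.required)
                .build();

        AbstractXMPPConnection conn = new XMPPTCPConnection(config);
        try {
            conn.connect();
            conn.login();
        } catch (XMPPException e) {
            conn.disconnect();
            return null; // account already has this resource online on another device
        } catch (SmackException | IOException e) {
            conn.disconnect();
            throw e;     // transport or stream problem, not a policy decision
        }
        return conn;
    }
}
```

A null result is the signal the app wants to show as "already logged in on another device". If the app lets Smack pick the resource, or a rooted client changes it, the second login is admitted again; the session limit referenced in the last answer is the server-side backstop for that case.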

How to stop dialog save password to Google?

I have recently created an app which required certain security measures.
One of them is that we need to stop the dialog coming from Google when a user logs into the app.
The main thing is that the password gets saved in Google Chrome.
When a user comes to the app again, it shows a list of usernames for the user to auto-login with and fills in the password automatically, so anyone who gets access to the phone can log into the app and steal the data.
Currently, this issue is found on only one OnePlus 5 device.
I want to stop this programmatically.
Any help would be appreciated,
Thanks
Update:
Thanks, Flyzzx; because of your reply I searched for Android autofill and found out that it was introduced in Oreo to autofill data.
But on the login screen it detects the username/password combo and prompts you to save the password.
The solution to this is:
import android.os.Build;
import android.view.View;
import android.view.autofill.AutofillManager;

// Autofill only exists from Android 8.0 (API 26) on, so guard the calls
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
    AutofillManager autofillManager = getSystemService(AutofillManager.class);
    autofillManager.disableAutofillServices();
    editText.setImportantForAutofill(View.IMPORTANT_FOR_AUTOFILL_NO);
}
Here, autofillManager.disableAutofillServices(); alone is also sufficient, but on some devices you should also add editText.setImportantForAutofill(View.IMPORTANT_FOR_AUTOFILL_NO); for this to work.
You have to do this for all EditTexts that you don't want to get auto-filled.
Hope it will help others like me.

Can an Android app be used to set the phone password?

I had an idea for an Android security app, but looking over the Device Administrator API documentation, I can't see if it's even possible. I want the app to be able to set the password used to unlock the phone. It would need to set the password without input or confirmation from the user.
Anyone know if it's even possible, and if so, is there any documentation for it?
Found what I was looking for; it can be done per
http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String, int)
public boolean resetPassword (String password, int flags)
Added in API level 8
Force a new device unlock password (the password needed to access the entire device, not for individual accounts) on the user. This takes effect immediately. The given password must be sufficient for the current password quality and length constraints as returned by getPasswordQuality(ComponentName) and getPasswordMinimumLength(ComponentName); if it does not meet these constraints, then it will be rejected and false returned. Note that the password may be a stronger quality (containing alphanumeric characters when the requested quality is only numeric), in which case the currently active quality will be increased to match.
The calling device admin must have requested USES_POLICY_RESET_PASSWORD to be able to call this method; if it has not, a security exception will be thrown.
Parameters
password The new password for the user.
flags May be 0 or RESET_PASSWORD_REQUIRE_ENTRY.
Returns
Returns true if the password was applied, or false if it is not acceptable for the current constraints.
I don't think it is possible at all, since every app runs in a kind of sandbox, to forbid for example malware from executing something like you mentioned.
Looking at this: http://developer.android.com/guide/topics/admin/device-admin.html
There seems to be a way for an app to ask for a password:
Set a password for the device
This code displays a user interface prompting the user to set a password:
Intent intent = new Intent(DevicePolicyManager.ACTION_SET_NEW_PASSWORD);
startActivity(intent);
However, I'm not sure you can do this from within the app, silently, without any user input. Also, Device Administration apps do not seem to be normal apps and seem to be intended for corporations/institutions.
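An added example serving both this question (setting the unlock password with no user interaction) and the first post on this page (clearing it while storage is encrypted). It is written for this page, not taken from any answer or from the Android documentation. It assumes a DeviceAdminReceiver subclass named AdminReceiver and a res/xml/device_admin.xml that declares the reset-password and encrypted-storage policies; without those, resetPassword and setStorageEncryption throw SecurityException. The refusal to clear the password while encryption is active is a guard derived from the first poster's Galaxy S4 report, not documented platform behaviour. Two platform caveats apply: from Android N a plain device admin may only set a password when none is set, and apps targeting Android O get a SecurityException from resetPassword unless they are device or profile owners, which use resetPasswordWithToken instead.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;

/**
 * Helper around DevicePolicyManager for a legacy device-admin app.
 *
 * Assumed: AdminReceiver extends DeviceAdminReceiver and its
 * res/xml/device_admin.xml contains
 *   <uses-policies><reset-password/><encrypted-storage/></uses-policies>
 */
public final class LockPasswordHelper {
    private final Context context;
    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    public LockPasswordHelper(Context ctx) {
        context = ctx.getApplicationContext();
        dpm = (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        admin = new ComponentName(context, AdminReceiver.class); // assumed receiver class
    }

    /** Step 1 of the first post: ask the system to encrypt storage; the user confirms in the system UI. */
    public void startEncryption() {
        requireAdmin();
        if (dpm.getStorageEncryptionStatus() == DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED) {
            throw new IllegalStateException("this device cannot encrypt storage");
        }
        dpm.setStorageEncryption(admin, true);          // record the policy for this admin
        Intent start = new Intent(DevicePolicyManager.ACTION_START_ENCRYPTION);
        start.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);  // we may not be inside an Activity
        context.startActivity(start);                    // system encryption UI takes over
    }

    /** This question: set the unlock password with no prompt. Returns false if the policy rejects it. */
    public boolean setPassword(String newPassword) {
        requireAdmin();
        // null aggregates every active admin's minimum length; resetPassword would refuse anyway
        if (newPassword.length() < dpm.getPasswordMinimumLength(null)) {
            return false;
        }
        return dpm.resetPassword(newPassword, DevicePolicyManager.RESET_PASSWORD_REQUIRE_ENTRY);
    }

    /**
     * Clear the password. The first post reports that doing this on an
     * encrypted Galaxy S4 left the phone locked until a factory reset, so
     * only proceed when storage is not encrypted (or cannot be).
     */
    public boolean clearPassword() {
        requireAdmin();
        int status = dpm.getStorageEncryptionStatus();
        boolean plaintextStorage = status == DevicePolicyManager.ENCRYPTION_STATUS_INACTIVE
                || status == DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED;
        if (!plaintextStorage) {
            return false; // ACTIVATING, ACTIVE or a newer ACTIVE_* state: refuse rather than risk a lockout
        }
        return dpm.resetPassword("", 0);
    }

    /** Every policy call above needs the admin to have been enabled by the user via ACTION_ADD_DEVICE_ADMIN. */
    private void requireAdmin() {
        if (!dpm.isAdminActive(admin)) {
            throw new IllegalStateException("device admin not active; enable it with ACTION_ADD_DEVICE_ADMIN first");
        }
    }
}
```

Both resetPassword calls return false rather than throwing when the new value fails the aggregate quality or length policy, so callers should check the return value; the encryption guard in clearPassword is deliberately conservative and also refuses while encryption is still in progress.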

Setting up Google phone Account programmatically

I am interested in adding and setting up a hard-coded Google Account with a given username and password programmatically on the phone without any user intervention.
I have tried using
AccountManager.get(context).addAccountExplicitly(new Account("xxxxxx@gmail.com", "com.google"), password, null)
It works perfectly for all account types except for the com.google account type, which throws the "uid not matching authenticator id" exception.
I have already followed all the suggestions given in this particular thread for fixing the error, but to no avail; the error persists for the com.google account type:
SecurityException: caller uid XXXX is different than the authenticator's uid
The other alternative approach I tried was using the SampleSyncAdapter code; it works perfectly fine. The authentication part is done in the NetworkUtilities file, which I believe needs to be changed to Google accounts ClientLogin.
Is there any way this can be performed directly, without user intervention for the captcha?
OK, after a few months, I managed to solve this issue. It might be helpful to someone.
The solution is not generic but quite specific to the emulator/device LCD characteristics, and ugly.
I used MonkeyRunner to issue touch, press and key events at specified screen coordinates to reach Home->Apps->Settings->Accounts and Sync->Add Account->Google->Next->Sign In and so on.
More details about MonkeyRunner can be found here:
http://developer.android.com/tools/help/monkeyrunner_concepts.html

Cannot add a google account to android emulator

I am having a problem connecting my Android emulator to Gmail. I cannot add my Gmail account even though I can browse the web.
I go to Accounts and Sync / Add account / Google / Sign in, put in my Gmail address and password, and then get the following message after a long wait:
"Can't establish a reliable data connection to the server"
I am going through a company proxy so I suspect this may be the problem. This also happens if I try the create new option.
Does anybody know what port needs to be open for this activity to occur, if indeed this is the problem?
Or if anybody has any alternative explanations I would be keen to hear them, as I am stumped.
I am running Android 2.2 with the google apis.
THE FOLLOWING SOLUTION DOES NOT WORK ANYMORE SINCE API 16 OR 17 (not sure of the number)
Click Add Account, Email.
Enter your Gmail address and password.
Click on Manual Setup.
Choose Exchange.
For the Domain\Username enter \yourEmail@gmail.com (don't forget the backslash at the start, and the @gmail.com at the end).
Server: m.google.com (not gmail.com)
Check Use SSL (should already be checked).
Click Next, Next, Next.
That's it!
