I'm writing a system app for android devices that we supply to customers. We control the firmware and can add apps to the android image, including into the priv-app folder.
One of the requirements for our app is that it is able to reset our device's password. In order for a 'normal' app to do this, android requires that the app is set up as a device administrator.
Is there any way to pre-configure our app as a device administrator for our firmware, or an alternative way of setting a device password specifically for system apps?
A device admin application may set itself as admin using the hidden DevicePolicyManager.setActiveAdmin method. To do this, however, the application needs the android.Manifest.permission.MANAGE_DEVICE_ADMINS permission which requires platform signing.
System permissions by placing this application in /system/priv-app is not required - the permission is of type "signature".
I assume the platform signing is necessary since otherwise, the user must first accept the device admin setting policies.
Once admin, the application may set any policies including setting the password using DevicePolicyManager.resetPassword method.
Hope this helps.
/Marek Pola, Sony Mobile.
Related
I'm a new Android developer and trying to make a package manager app. I have listed all installed apps, and now I want to uninstall the particular app without user interaction. Is it possible with unrooted phones?
The PackageManager class contains a #hide method : deletePackage. BUT you can't use it because :
It's an hidden method, therefore the only way to call it in a normal App is to use reflection (it is not recommended because it may break in future version of the Android API)
Usage of this method requires the permission android.Manifest.permission#DELETE_PACKAGES and this permission can only be granted to apps signed with the system key. (i.e. even if you ask this permission in your manifest it won't be granted unless your app is signed with the system key)
So you can't do it in a simple/standard app. Your only solution (on a non-rooted phone) is to sign your app with the system key and to do so you need to negotiate with the manufacturer so that your app get signed with their system key.
I developed one parent and child communication Android application in which I wanted to restrict the child from uninstalling application. I have one solution that uses DevicePolicyManager. But still the application can be uninstalled without asking for password. If I remove the Device Administrator permission from the settings, then application is uninstalled from device?
Can anyone provide the valid solution for this cause?
You cannot prevent a user from uninstalling an app, from within the app code itself.
There is suggestions here How to prevent an application from being uninstalled?, but they are not foolproof.
The way around this is to use an android device with lollipop and upwards, so you can create a user account.
On the admin account, install an app that requires a password to uninstall apps. They are on the market (and free) I've used them. Or write one yourself.
Then on the child's account allow them whatever privileges you want them to have. They will be unable to touch the apps and uninstall them, unless on the admin account and with the password required for that app to uninstall other apps.
I have tried and tested this and it works.
I want to make my Android application such that only eligible/allowed users can install or use it.
Like: to set device IMEI of allowed devices in manifest. Or something/anything like this? Or to ask for a device's specific code which should be entered to use the application?
Is it "safe" to install Android Device Administration applications on my personal device?
Can my company read my private data with that application?
My company recently adopted a policy to install an enterprise application on each employee's smartphone. The application should be installed from 3rd party market that is operated by the comapny, and requires Device Administration privilege.
Even though the application does not require 'root' privilege, and Device Administration API is not related to reading data inside the phone, I'm still not sure that my personal data is safe to my company.
FYI, the API includes changing password, wipe out data, disable camera, and so on.
(link)
As you have mentioned yourself Device Administration API does not relate to phone data per se. The permissions given with this permission are as follows:
USES_ENCRYPTED_STORAGE A type of policy that this device admin can use: require encryption of stored data.
USES_POLICY_DISABLE_CAMERA A type of policy that this device admin can use: disables use of all device cameras.
USES_POLICY_EXPIRE_PASSWORD A type of policy that this device admin can use: force the user to change their password after an administrator-defined time limit.
USES_POLICY_FORCE_LOCK A type of policy that this device admin can use: able to force the device to lock vialockNow() or limit the maximum lock timeout for the device via setMaximumTimeToLock(ComponentName, long).
USES_POLICY_LIMIT_PASSWORD A type of policy that this device admin can use: limit the passwords that the user can select, via setPasswordQuality(ComponentName, int) and setPasswordMinimumLength(ComponentName, int).
USES_POLICY_RESET_PASSWORD A type of policy that this device admin can use: able to reset the user's password via resetPassword(String, int).
USES_POLICY_WATCH_LOGIN A type of policy that this device admin can use: able to watch login attempts from the user, via ACTION_PASSWORD_FAILED, ACTION_PASSWORD_SUCCEEDED, and getCurrentFailedPasswordAttempts().
USES_POLICY_WIPE_DATA - A type of policy that this device admin can use: able to factory reset the device, erasing all of the user's data, via wipeData(int).
The one's which would probably relate explicitly to "privacy" would probably be the ability to monitor, how many failed password attempts has been made, when correct password has been entered and minimum safe password. Other than that it does not make it any more privacy worrying than any other app.
That being said, this in no way makes this app "safe" to install. Some permissions you should be checking would be all the READ_ permissions. http://developer.android.com/reference/android/Manifest.permission.html .
These will give the app direct access to alot of personal information, such as when calls are made who it is made to, what sms's your receive and send. Also READ_EXTERNAL_STORAGE is another big one. It allows apps to read ANY data on external storage which may often contain personal data, i.e. Downloaded images, Screenshots etc, as well as even App data of poorly coded apps (where there are MANY on the market which just leave credentials in clear text on your SDCard).
The RECEIVE_ permissions likewise are able to intercept incoming messages/calls/mms etc.
USE_CREDENTIALS is obviously a privacy risk as well, as it can use tokens that you possess to request data from external API sources (i.e. your Gmail)
Also there are many permissions which don't even need permissions. For example getPackageManager() allows apps to find out a entire list of app the apps you've got downloaded. So they know that you have angry birds or any other naughty apps installed ;)
What I'm trying to say is, this permission itself isn't a massive red light on privacy. But the fact they are installing an App (unless open sourced and MD5 verified) there are many other ways to access "private" information already. Not installing an app will always provide more protection than installing one. Hope that helps.
I want to write tests for an application that uses the android device administration API . My problem is that the user needs to manually grant one-time approval for the application to have admin rights, otherwise a SecurityException is thrown at runtime.
a user can manually enable/disable admin rights for applications by going to settings->location & security -> select device administators. I would like to do it programmatically from within an AndroidTestCase.
I did not find a way to grant admin automatically.
Luckily, however, the AVD remembers that the application was granted admin and does not revoke it after installing a later version of the same app. Thus, after a manual one-time process of enabling admin on the emulator I can run all my tests that require admin, as long as i don't switch to another AVD.