I am planning to develop an Android app that communicates with a server that I operate. Answers to android, httpurlconnection error state that classes such as HttpURLConnection and HttpsURLConnection require granting the "full network access" permission (android.permission.INTERNET) to the app. Someone on a forum told me that for the vast majority of apps, android.permission.INTERNET is unacceptably intrusive on the user's privacy, and that there exist other ways for an app to communicate with a server operated by its developer that do not require such an intrusive permission. From this post:
And the same app will ask for full network access, even though if you look at the traffic, almost all of them are using HTTP to talk to their services, and they have no legit need for full network access. However, it lets them look at what all your network connections are.
[...]
Also, no, you don't need "full network access" to access anything outside a web browser. You only need it to go off port 80 HTTP. You can still just use a subdomain for the remote app API. You're conflating two different permissions.
When I asked for further clarification on how to get this going in Android, so that I could go look it up on developer.android.com, the reply was "your ignorance doesn't demonstrate anything."
So how should an app communicate with a server operated by its developer without android.permission.INTERNET? Or is there a reliable source stating that this is impossible in Android?
that there exist other ways for an app to communicate with a server operated by its developer that do not require such an intrusive permission
Not really.
As far as I can tell from the rant that you linked to, the ranter is complaining that there is no IP- or host-level whitelisting possible in Android's permission system. INTERNET grants access to the whole Internet. This is a valid complaint about the OS, but there is nothing that an app developer can really do about it. Users can, to the extent that they are willing to install firewall-type apps (either pseudo-VPNs or true firewalls, the latter requiring root). ROM modders can. Google could. Device manufacturers could. App developers cannot.
I mean, in theory, the app could speak to the server using Bluetooth (with limited range) or NFC (with really limited range), but those are generally deemed impractical.
With regards to the ranter's claim that "you don't need "full network access" to access anything outside a web browser. You only need it to go off port 80 HTTP", that is fairly ridiculous. For example, resolving a domain name requires you "go off port 80 HTTP", and that definitely fails sans INTERNET permission.
I don't have a sample app that I can try that would work with a plain IP address, so I cannot absolutely validate right now that accessing a plain IP address on port 80 could work without INTERNET. If that proves true, that's a security flaw in Android that would need to be fixed, and I'll be very surprised if this is the case.
Or is there a reliable source stating that this is impossible in Android?
I'll state that there is no practical way for an Android app to talk to a server, outside of perhaps localhost, that does not involve the INTERNET permission.
Whether a source is reliable is a statement of opinion. I'll put my track record up against any random Slashdot poster, though.
Have a look at the apps on your Android device. The overwhelming majority of them will use the INTERNET permission. What makes them useful is their ability to talk to various web services of varying types.
Users are accustomed to agreeing to this permission when installing apps and won't be put off your app if it asks for it.
Related
Sadly I know little to nothing about mobile app development and I am tasked with thinking through privacy considerations a user could have when using a mobile website vs its app equivalent.
For example, when a user browses our mobile website we can collect the following data:
IP
User agent
OS information returned from Javascript, including screen resolution
Cookies from the domain
Of course, this list isn't exhaustive.
So what can easily be collected from a user of a mobile app? (assuming no extra permissions were enabled)
IP
What's the equivalent of a user agent?
What OS/device info is available?
Do apps have "cookies"?
What else?
APMK, we can Collect the below data
Device location.
Device Name.
Device Version.
OS (Android/iOS/Windows)
Cooikes if we are using webview ..etc
I think your question requires more clarifications and answer to the following questions:
Do you have access to the source code ? If yes, you can track basically anything that's in the app using 3rd party tracking services like Google Analytics or other similar stuffs (even your own implementation). If not, do you have access to the API that's used by the application ? If yes, you can probably detect the OS since almost all request have a User-Agent attached to them, platform specific, but from the API requests you can't have much info.
I think the problem should be put the other way around, what do you want to track from a mobile app ? And I can tell you from my experience that there's almost nothing that can't be tracked from mobile apps if you have access to the source code. Regarding the permissions, off-course you won't be able to access something for which you didn't request any permissions, but you can check if the permission is granted anyway (maybe some other part of your app requested those permissions).
Also just a reminder, if you develop apps for EU, make sure you're GDPR compliant, the sanctions can be quite huge for a non-GDPR compliant app.
Yes there is an App where you can find all the info of the Particular info https://play.google.com/store/apps/details?id=com.quixom.deviceinfo
Check it out
I am trying to create an android application for mobile device management.
I want to deny the internet access of a particular 'xyz' network to smart phone users unless they have my certain android application installed on their smart phones. Only those users, who have the application installed on their device should be able to access my 'xyz' network. What should I look into to achieve this? I am not sure what to google to find an answer. :)
If this is about security, it sounds like this would only secure the network from Android users and leave a gaping security hole for any other device. Or are you looking for an alternative to protecting WiFi with the standard clickwrap agreement before you can use the internet? Maybe it would help if you clarify your use of the term 'network'. The only other use I can think of is malware, so please clarify.
I suggest using standard internet security protocols for logging in - a password on a site secured with SSL, which the browser can remember. If it's specialty content, access it directly through the app where enhanced security can be handled automatically.
I have question about mobile visitors. What information can a website administrator get from mobile user?
For example: when I visit www.site.com from my phone device (I use mobile internet, not WiFi)
what they will know about me? Can they can get my mobile number, imei code, or mobile device information?
This is kind of a broad question, but I will try to explain briefly the general concept.
First of all it's fundamental to understand what a connection is, and what a protocol is.
A protocol, briefly said, is a way the two objects communicate in. I would recommend you to watch this playlist.
https://www.youtube.com/playlist?list=PL6gx4Cwl9DGBpuvPW0aHa7mKdn_k9SPKO
Now about the connection. The connection by itself involves all the path from you/your device to the server you need to communicate with, and thus, summarising these two, we can make a basic conclusion. The server can gets your IP address, which is due to the connection concept, and also info about what program exactly do you use, because of the protocol. The protocol may require your program to send lot's of information from it, but if we are talking about web browsers, they do not share the users private information for privacy and security reasons.
That's it, I hope I could help you somehow.
a customer ordered us a tablet application, but they need a lot of access restriction to lock device functions such as:
Permit datas transfer only inside the application not outside
Restricted user access on the device (something close to admin and normal user permissions)
A framework/API that permit to create an internal mail reader/sender
Public API of iOS makes impossible to fulfill those requirements. I was wondering if Android makes life easier when there are those kind of restriction.
UPDATE: To make understand better the field of use. I'm talking about an application that "force" the device to be used just only with that application for an Enterprise use. The app is just like a CRM but the device should be blocked in some functions to make users only work with them and NOT playing or use facebook, market etc.
Not sure you can achiev all of those, but you should look into the device policy for android here and here.
1) Not sure what you mean by point 1. If you mean controlling all data transfer from the device, you might be a in a bind considering the only way to get a firewall running on android is by rooting the device. Perhaps you could look into writing a custom launcher/home like KidZone that only shows approved apps? - Not nearly as secure, though.
2) Honeycomb, so far, doesn't have multi-user support - though you can have multiple google accounts registered. The custom launcher could help in this regard though.
3) I don't see the point of doing this unless they already have a custom mail infrastructure in place. Otherwise just go with exchange.
Permit datas transfer only inside the application not outside
Do not request the INTERNET permission.
Restricted user access on the device (something close to admin and normal user permissions)
You would have to implement this yourself.
A framework/API that permit to create an internal mail reader/sender
I have no idea what this means.
I'm writing an Android app that communicates via HTTPS with a server application. On the server side, I have to be absolutely sure about the Android app's integrity. This means that the server app needs to be sure that it's communicating with the Android app that I developed and not with a re-written one (e.g. after decompiling the original app or after having rooted the device).
Is there a possibility to ensure that? Maybe there is a possibility with the signature of the apk file?
Any hint is appreciated.
Regards,
Peter
You are trying to address a known problem:
You can never trust an application on an open device (mobile phone, desktop computer). In order to trust it, it should be tamper proof. An example of such device is a SmartCard. Mobile devices are certainly not it.
You should never send data to device that user is not supposed to see. The implication of this is that all business logic must be done on the server.
All requests to the server should be authenticated with user's credentials (username/password) and made via a secure protocol (HTTPS/SSL).
No way. Whatever is in user's hands, is not yours anymore. Even if you somehow manage to transfer the APK to the server for validation, nothing prevents the hacked program send an original copy to the server.
In order to validate that your software is running, the client devices need to be able to provide remote attestation services, which is one of many piles of acronyms in the TPM world. I found that someone has been working on providing TPM services, including IBM's IMA, which is almost good enough for what you want.
Details here: http://www.vogue-project.de/cms/upload/vogueSoftware/Manual.pdf (Google Quickview).
Of course, this is emulating the TPM, and requires patching the Android kernel. But perhaps one of the various manufacturers would be willing to build a model with the TPM hardware included for you?