Manage personal certificates in multi account Android tablet - android

I have a Samsung Galaxy Tab 2 which runs Android 4.2, but Samsung's ROM removed the multi-user feature. So, as I cannot test this feature, I'd like to ask some questions about it:
Is it possible to create several users and set a different PIN code (or pattern) for each one to unlock the screen (or for switching the active user)?
When you store a personal certificate (.p12) on your device, if you don't have any security control activated (PIN, pattern, whatever), Android forces you to set one. Does that apply to all users?
Can a user only use his own imported certificates, or will they be available to any user?
My purpose is to have a tablet with multiple users. It should be secured so that one user can only access his own account and can only use his own personal certificate.
Thank you.

Yes, it is possible to create a different security lock for each user.
Only the owner (primary user) can install certificates. Certificates are available to all users. Secondary users cannot install certificates.
Hope this helps!

Related

How to detect a user after reinstalling the app

I am creating an iOS and Android app and I want to create a screen where the player can start with a guest account or can connect his account with our own account system.
But my question is: Can I detect a user after the app was uninstalled and installed again?
I know that there is something like the vendor. But this will change.
I know that other apps also can do this.
With the user's permission, have them log into an account. Or provide you with their Google or Facebook account info. So far as hardware IDs, those are discouraged and are actively being removed from the API to prevent this.
Also remember that unless the user logs in with an account, you don't really know whether it is the same person. You could know it's the same phone, but you don't know if he gave it to his kid sister to play on. Or sold it when he got a new one, and now you've given the new owner access to someone else's account. Also, if you rely on hardware IDs you won't know it's me when I buy a new phone and download it on that.
So yeah, either have him log in with a username and password, or use a third-party sign-on mechanism like Google or Facebook.
For iOS, there is a recommended approach to do that: by using the DeviceCheck framework. The idea here is that it allows you to persist 2 bits of data across app installations on each device. You can set the first bit to 1 if the user has already installed the app or 0 otherwise. And use the second bit, for example, to check if the user has signed in or not.
The official documentation is pretty good, please check it out.
The downside of this approach is that you will also have to do some work on the backend side.
UPDATE:
If you specifically want to detect the account, there is no reliable approach. One of the options is to use identifierForVendor or generate some kind of device fingerprint (for example, by combining the device model, timezone, locale, etc.), but of course, this will not work every time.
Uniquely identifying a device is a security leak, and all platforms are putting serious restrictions on unique persistent identifiers because of privacy concerns.

Limit Android to use one single fingerprint for authentication

I'm implementing fingerprint authentication in an existing Android application making use of FingerprintManagerCompat. I used a tutorial as guidance that can be found here.
(android.support.v4.content.ContextCompat)
As FingerprintManagerCompat makes use of saved fingerprints on the mobile device, any fingerprint on the device can be used to login to the application.
Is it possible to see which one of the fingerprints on the device was used to unlock and, if so, is there a method to get all saved fingerprints that are available on the device?
I looked around for information on whether this is possible and I can't seem to find anything. I have found that the Samsung Pass SDK does have functionality to see what fingerprint is used, but the product owner does not want me to use Samsung's Pass SDK as his penetration testing team found that it is not very secure.
Is there a method to get all saved fingerprints that are available on the device?
No.
Is it possible to see which one of the fingerprints on the device was used to unlock?
No.
However, there are some limitations to which fingerprints can be used to authenticate within your app. The result of a fingerprint authentication is that you make a cryptographic key available to perform some cryptographic operation (e.g. creating a digital signature). So when you add a user in your app you'd typically create a cryptographic key that you associate with that user. Then later on when the user wants to perform some action that requires him/her to be authenticated, you do the fingerprint authentication, which gives you access to the key, which you can use to do whatever it is that you need to do to verify that the user should be allowed to perform the action.
What happens when a new fingerprint is enrolled is that any existing cryptographic keys that require fingerprint authentication will be permanently invalidated.
That leaves us with the scenario where there are multiple enrolled fingerprints before the user is added in your app. I'm not aware of any way to do anything about this with the current APIs. So the best you can do might be to add some step in your fingerprint-enabling UI flow where the user is asked to verify that only they have enrolled a fingerprint on the device (e.g. by checking a checkbox or clicking a button).
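The key-per-user flow described in the answer above, as an added example that is not part of the original answer: a signing key that requires fingerprint authentication is created at enrollment, and a key invalidated by a newly enrolled fingerprint is detected at login. The class name FingerprintBoundKey, its method names and the alias parameter are hypothetical; the code assumes API level 23 or later and the v4 support library the question already uses.

```java
// Added example: hypothetical helper class, not code from the original answer.
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import android.support.v4.hardware.fingerprint.FingerprintManagerCompat;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

public final class FingerprintBoundKey {
    private static final String STORE = "AndroidKeyStore";

    // Enrollment: create the per-user key; associate the returned public key with the app user.
    public static PublicKey enroll(String alias) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, STORE);
        kpg.initialize(new KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserAuthenticationRequired(true) // usable only after fingerprint auth
                .build());
        return kpg.generateKeyPair().getPublic();
    }

    // Login: returns the CryptoObject to hand to FingerprintManagerCompat.authenticate(),
    // or null when the key is missing or was invalidated by a newly enrolled fingerprint.
    public static FingerprintManagerCompat.CryptoObject prepare(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE);
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        if (key == null) return null;
        try {
            Signature sig = Signature.getInstance("SHA256withECDSA");
            sig.initSign(key); // throws if the key was permanently invalidated
            return new FingerprintManagerCompat.CryptoObject(sig);
        } catch (KeyPermanentlyInvalidatedException e) {
            ks.deleteEntry(alias); // assumption: caller re-verifies the user another way, then re-enrolls
            return null;
        }
    }
}
```

After onAuthenticationSucceeded, the Signature inside the returned CryptoObject can sign a challenge that is verified against the public key stored at enrollment.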

Make android app non erasable

Is it possible to make an Android app non-deletable? What I mean is, I want to install an app, but I can't remove/uninstall it. If I want to uninstall it then it should prompt me for a password which I would have set during installation of the app.
When I read the docs they tell me it can be done using Device Admin, but it doesn't provide security, in terms of it doesn't ask the user for the password and delete if it's correct.
Is it possible to make an app such that even if there is a factory reset the app will still be there on the phone ?
Is it possible to make an Android app non-deletable?
No, unless you want to create your own ROM and preload it with your app, just like some manufacturers preload their devices with their own software and other bloatware.
No it is possible to restrict any user to delete the app from android device.
Google is already handling this scenario by using the concept known as Device Management System.
Google keeps an eye on apps which are published by the developer / installed or deleted by the user.
You can, though, make your own app which will notify your admin that the user is trying to delete the app or has deleted the app, using the Service Intent concept.

is it possible to secure android apk to specific tablet

I have developed an android application and I want to distribute the application on tablet. This means my client will not require to download the apk as it comes with tablet.
This software is for training purpose i.e. video and other documents.
I don't want the apk to be extracted; in other words, I would like to bind the apk to run on a specific device.
In summary, my aim is to deliver the apk with tablet device (and I want to avoid extraction of the apk).
Is this achievable?
If the user gains root access on the tablet, you cannot do anything to avoid this.
However without root access, if the apk comes shipped with the tablet, there is no way that someone can send it to other tablet/phones.
If you want to add further security, you can do a simple offline authentication, when the app starts.
e.g.
1) On first install, prompt the user (who will be you, since you have to install the app before giving the tablet to an employee, right? If I understood your problem correctly) to give a user and a pass.
2) Then save the credentials on the phone (using preferences), and later on (step 3) match them with some hardcoded ones in your app's code.
3) Each time the app starts, do a quick check of the preferences credentials, and if they don't match, close the application.
While this isn't a very good way of securing your app, you may come up with a more reliable solution. If the tablets have internet access all the time, you can add a proper username/password authentication, but you have to create some sort of accounts for all of your users.
Do you know anything about signed APKs? First of all, create your account on the Play Store and get the keystore for your project. Then create a signed APK using the keystore and password given.

how to create non removable account

I want to create a phone-only account which will hold phone-only contacts, and the user should not remove this account (except by factory reset).
Is there any way that can be specified, either in the account authenticator or sync adapter or via AccountManager, such that this account will be non-removable? Any one of the following possibilities is fine:
1) The account will be present on the device but will not be available under the configured account list in the account and sync settings.
2) The account will be available in the list, but the remove option will be disabled (gone) for this account.
Thanks in advance,
AS
There are good reasons why one would want such a thing. For instance, being able to keep the phone with 2 separate accounts: One for your data, one for phone management.
This way, if your phone gets stolen you can remotely control it via the phone management account while removing the data account.
Some apps do allow you to remotely control your phone, yet:
1) If you use only one account then once you change the password to protect your data you won't be able to do things like uninstalling apps remotely.
2) With the thief being able to modify the accounts, there will be no way to prevent the management account from being removed.
3) The management account should, preferably, be hidden from the list of accounts so the thief doesn't even suspect it's there.
Going firmware makes sense, as has been mentioned. I wonder if it's that hard to implement. May post about it on XDA.
Cheers,
Jean
Sorry, but nothing you want in your list is possible, without firmware modifications.
