I had an idea for an android security app, but looking over the Device Administrator api documentation, I can't see if it's even possible. I want the app to be able to set the password used to unlock the phone. It would need to set the password without input or confirmation from the user.
Anyone know if it's even possible, and if so, is there any documentation for it?
Found what I was looking for, it can be done per
http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String, int)
public boolean resetPassword (String password, int flags)
Added in API level 8
Force a new device unlock password (the password needed to access the entire device, not for individual accounts) on the user. This takes effect immediately. The given password must be sufficient for the current password quality and length constraints as returned by getPasswordQuality(ComponentName) and getPasswordMinimumLength(ComponentName); if it does not meet these constraints, then it will be rejected and false returned. Note that the password may be a stronger quality (containing alphanumeric characters when the requested quality is only numeric), in which case the currently active quality will be increased to match.
The calling device admin must have requested USES_POLICY_RESET_PASSWORD to be able to call this method; if it has not, a security exception will be thrown.
Parameters
password The new password for the user.
flags May be 0 or RESET_PASSWORD_REQUIRE_ENTRY.
Returns
Returns true if the password was applied, or false if it is not acceptable for the current constraints.
I dont think it is possible at all, since every app runs in kind of a sandbox to forbid for example malware executing something like you mentioned.
Looking at this: http://developer.android.com/guide/topics/admin/device-admin.html
There seems to be a way for an app to ask for a password:
Set a password for the device
This code displays a user interface prompting the user to set a password:
Intent intent = new Intent(DevicePolicyManager.ACTION_SET_NEW_PASSWORD);
startActivity(intent);
However, I'm not sure you can do this from within the app, silently without any user input. Also, Device Administration apps does not seem to be a normal apps and seem to be intended for corporations/institutions.
Related
Sorry for the ambiguity in the question but it is actually quite a simple one.
When my android Application boots up I initialize AppCenter as follows:
AppCenter.start(
this, BuildConfig.APP_CENTER_SECRET,
Analytics::class.java, Crashes::class.java, Distribute::class.java
)
if(BuildConfig.FLAVOR != ApplicationVariants.ProductFlavors.PRODUCTION){
AppCenter.setLogLevel(Log.VERBOSE)
}
AppCenter.setUserId(UUID.randomUUID().toString())
Distribute.setUpdateTrack(UpdateTrack.PUBLIC)
Distribute.checkForUpdate()
However, when the user logs into the application I would like to set the UserId to the users email as follows once the user logs in:
JwtUtils.getIdentityTokenModel(requireContext())?.let {
AppCenter.setUserId(it.email)
}
Lastly when the user logs out I reset the user Id to a random guid. The reason for this is visibility on which user has which crash logs. This is a requirement from business.
However, in the app center crash logs, it seems the UserId never changes to the email even if an error occurs while the user is logged in.
My question is simple. Is there a restriction on how many times I am allowed to change the AppCenter User Id? I cannot seem to find it anywhere in the docs.
Thanks in advance
Please see these docs about userId API:
The value for the user ID is limited to 256 characters. It will be
shown with your crash reports but not used for aggregation or counts
of affected users. In case you set user ID multiple times, only the
last user ID will be used. You need to set the user ID yourself before
each application launch, because this value isn't stored by the SDK
between launches.
I have one strange problem with resetPassword on Samsung S4. I just want to CLEAR the password, but the result is I cannot login to my phone and has to do a factory reset before I can use it. The thing I did is listed below:
1: call DevicePolicyManager.ACTION_START_ENCRYPTION to start the storage encryption on the phone
2: accept the action and finish the storage encryption on the phone and set the password
3: clear the password in my app by calling DevicePolicyManager.resetPassword("")
after the above steps, I cannot login to the phone by the password I set and the screen is still locked to prompt the password, until I do the factory reset.
I tried to find out what the lock-screen password is after the resetPassword. and find out it is quite complex to get the password string from the hash stored in password.key and the salt. Maybe this is not the feasible way to solve that.
This only happened in my galaxy s4, any one has any idea about that?
After some investigation, I found that this problem is caused by clear password while the device is still in "encrypted" state. If I decrypt the device first and then the reset password works ok now.
So current work is find out: which API is used to decrypt the device?
I am trying to verify user by sending sms through twilio (Android Application).
Here is the Detailed summary-
(As in Snapchat)
During signup i want to validate user by sending dynamic run-time code to user mobile.
and after sending i have the verification field.
so what should i do ?
Twilio employee here.
This is a really common use case for Twilio and plenty of apps do the "phone number verification" thing you're looking for.
Let me boil down the steps on how to do this in human form, as this is much easier to explain than writing a bunch of code:
A user will type their phone number into a field to be verified.
When the user has typed in their number, you can compute a unique code (4 - 6 digits is all you need) however you like, and then use our REST API to send the number they entered the code.
At this point, you should save the unique code so you can reference it later.
Prompt the user to enter the code into a field within your app.
Compare the entered code to unique number you stored them and viola!
If the code is the same: you know that they own the phone number that you sent the message to. A very similar process is described in this 2-factor authentication how-to.
I hope that makes sense.
If you have any questions, please ask.
Disclaimer: I'm the maintainer of Django-phone-verify
While phait's answer is apt. People had asked in comments of the relevant apps with which they could accomplish user verification. Most of this is from my previous answer at https://stackoverflow.com/a/57461296/3535547 I'm just pasting an updated answer in this thread so that it is easier for users to find it.
What you're looking to accomplish is very easy with django-phone-verify app. It comes with Twilio and Nexmo already integrated and few endpoints which you can extend as per your use case.
This package aims at verifying if a phone number requested by a particular client belongs to them. It also takes care of ensuring that the same device provides the verification of passcode which initially requested a passcode to be sent, saving you a few hours of work.
This package also doesn't mess up with your current user model at all. You're free to use this package exactly for one thing: verifying phone numbers. Whether you do it for users, companies etc. depends on your use-case.
It follows Unix philosophy of Do one thing; do it well
Installation
pip install django-phone-verify
Configuration
Add app to INSTALLED_APPS:
# In settings.py:
INSTALLED_APPS = [
...
'phone_verify',
]
Add settings in your settings.py file:
# Settings for phone_verify
PHONE_VERIFICATION = {
'BACKEND': 'phone_verify.backends.twilio.TwilioBackend',
'TWILIO_SANDBOX_TOKEN':'123456',
'OPTIONS': {
'SID': 'fake',
'SECRET': 'fake',
'FROM': '+14755292729'
},
'TOKEN_LENGTH': 6,
'MESSAGE': 'Welcome to {app}! Please use security code {otp} to proceed.',
'APP_NAME': 'Phone Verify',
'OTP_EXPIRATION_TIME': 3600 # In seconds only
}
Migrate the database:
python manage.py migrate
You get two endpoints (Check API docs), one for registration of phone number and other to verify the passcode. You may override verify endpoint to also create a user as described in the usage docs: https://github.com/CuriousLearner/django-phone-verify/blob/master/docs/usage.rst
I am interested in adding and setting up a hard-coded Google Account with a given username and password programmatically on the phone without any user intervention.
I have tried using
AccountsManager.addAccountExplicitly(newAccount("xxxxxx#gmail.com","com.google",password,null)
It works perfectly for all the accountsType except for the com.google accountsType throwing the "uid not matching authenticator
id" exception.
I have already followed all the suggestions given in this particular thread for fixing the error but of no use, the error persists for com.google accounts type
SecurityException: caller uid XXXX is different than the authenticator's uid
The other alternative approach I tried was using the samplesyncadapter code, it works perfectly fine, the authentication part is done in NetworkUtilities file which I believe need to be changed to Google accounts clientlogin
Is there anyway this can be performed directly without user intervention for captcha??
OK after few months, I managed to solve this issue. Might be helpful to someone.
The solution is not generic but quite specific to emulator/device LCD characteristic and ugly.
I used MonkeyRunner to issue touch, press and key events at specified screen coordinates to reach Home->Apps->Settings->Accounts and Sync->Add Account->Google->Next->Sign In and so on
More details about MonkeyRunner can be found here
http://developer.android.com/tools/help/monkeyrunner_concepts.html
I was trying to use Android Password expiration feature using
DeviceAdmin. When I call setPasswordExpirationTimeout() API , it only
sends a notification and doesn't actually force the user to change the
password. It only sends a notification after timeout:
V/DevicePolicyManagerService( 662): Sending password expiration
notifications for action
com.android.server.ACTION_EXPIRED_PASSWORD_NOTIFICATION
You have to get the callback in DeviceAdminReceiver in
onPasswordExpired() to force user to change password.
Any specific reason it's been implemented this way (or is it just to
give flexibility to the programmer)?
The only option I could see is starting activity with intent ACTION_SET_NEW_PASSWORD in the callback in DeviceAdminReceiver which the user can overrule by simply pressing 'Cancel' button.
How to 100% enforce the to change password ?
Have you tried looking at the DeviceAdminSample (source code)? The Android SDK comes with all the samples so you can easily add the ApiDemos as an Eclipse project and run it in the simulator.
I originally thought you could call the resetPassword method in the DevicePolicyManager, but you would need the user to have given you their new password to do that, which I assume you don't want to do!