I'm making a security program and I'm using DeviceAdmin mechanism. I'va made a DeviceAdminReceiver, it works flawlessly.
I need to protect my software from deinstalling. On the first run user enters the password for uninstallation.
In onDisableRequested I'm using setPasswordQuality(), setPasswordMinimumLength() and finally lockNow(). The device is locking and asks for my password. It is fine. When the user enters matching password the device unlocks, user sees my warning like #it's not a good idea to disable bla-bla-bla" and disables my admin app.
But! The password that was set by my code isn't cleared and if the user used some pattern to lock his phone the phone is locked by my password for good!
The question is: how can I revert changes to locking scheme? (i.e. restore it to visual pattern if it needs)
Roman, based on your description, I am not sure which case you are trying to protect from.
It looks like you are trying to protect from :
a thief, who knows a device passcode (so you are trying to use another passcode)
This is quite strange case. I would rather ignore it, because it has a lot of other implication.
a thief, which stole unlocked phone and wants to uninstall your device admin
In this case, you don't need to reset a password. All you need to do is lockNow() to make sure
that he can't uninstall (because he doesn't know the password)
Related
I am creating an Android app in which the user must enter a code to use an action (Eg. Pay, add card etc. ).
Instead of implementing my own custom code, is there a way for me to verify if the entered code is the same code to unlock the device and if yes then allow, if not then dont allow.
I was not able to find the solution for this.
is there a way for me to verify if the entered code is the same code to unlock the device
No. From a security standpoint, that would be horrible, as it would allow you to brute-force determine what the user's PIN or passphrase is. Also note that users do not necessarily use a PIN or passphrase to lock their device (e.g., use a fingerprint).
Hello stackoverflow users!
I'm making an app that requires reading and setting the lock screen password depending on which state the app is in.
Is there a way to do this without rooting? Or are there any alternatives like making the user reset the password for the different states so the app avoids the problems involved in reading the already existing password?
Just to make things clearer:
App state 1: pattern screen lock password
app changes screen lock password to state 2
App state 2: no password (slide screen lock)
Thank you in advance,
Peter
The only way to change the lock screen password is to make use of the device administrator class. Do note that it is only for Android 3.0 and up.
Here is the link
How can I password protect the Applications button on my Home of my android phone (samsung galaxy s captivate).
I know there is password protect application out there with a list of application you need to add but I don't want that. I want to protect the whole access of the applications.
I'm pretty sure that blocking access to an application from the Home Screen isn't common practice, actually I think you can't even control this as it's part of the Android OS itself. After all, what's the point in blocking user access at the Home Screen since the user already has to unlock his phone in order to get there... usually trough a password.
A viable option would be to greet your users on a Login Activity and you'd have them identify themselves before they can access the actual Application functionality.
If you really want to start blocking users at the Home Screen, you're probably looking at creating your own ROM and Application. But then, no one will want to re-do their whole OS simply to run your application.
Write your own home screen, one that prevents launching any applications unless the user authenticates.
I am working on security Related application in android. I am using DeviceAdminReceiver to lock the device,set password and to wipe data.Everything working fine.But My problem is wen i lock device using admin other user(other than device owner)can Guess and enter any random passwords device may get Activated. If this is the case my Application not Effective.I am also using Maximum failed password attempts to wipe after few wrong attempts, I want to hide Enter password to unlock screen in some special situation.My Question is
When Device Locked by DeviceAdminReceiver, How i can prevent unauthorized user to enter password?
reference: developer.android.com sample code. Thanks in Advance.
I don't think you can completely hide this unlock screen. I would suggest setting a very hard to guess password (very long, mix letters/numbers etc).
I also used an android application at one point (Lost Phone) that put a screen overtop of the current screen (whatever it was) and whenever you tried to close it it reopened, effectively preventing anyone from using the phone until they wiped it, or entered the correct password. That approach is somewhat more 'hacky', and doesn't stop someone from uninstalling the application using adb.
I am developing an application where I have to change the screen lock password on a button click,can anybody tell me how can I do this.
If you are talking about the unlock pass word set in the device settings by the user then the answer is you can't.
If an application could change the unlock password/pattern without user interaction then these security features would be mostly useless. A rogue application could in theory lock the user out of their own device if this were possible.
Edit: if your aim is not to change this value without interaction but just to send them to the correct settings page. You might be able to do that some how. You'd want to look into what intents you can use to start the Settings Activities. But if you are developing this application for use by the general public I would strongly recommend you rethink having try to do anything with the users security settings. As a user if an application prompted and then sent me to the security settings page with the intention of having me change something in there I would immediately uninstall it.
Edit 2: I've never seen it until just now so I don't know for sure what they used to achieve that. Since it states that must be android 2.2+ though I would assume they are using the Device Administration APIs The docs seem to indicate that it can "Prompt user to set a new password." Which I would think means that it is just going to start the settings activity for them. It is not actually changing the password value by itself. This whole API is subject to user activation also. So even if you get installed on a device the user must explicitly "activate" your app before it is able to make use of any of the admin APIs
I am sure the only way this is possible is if you signed your APK with the device key. This way it could access API's that are limited to system applications. This isn't possible for a normal app, only one that is baked into a custom ROM or device manufacturer ROM when building Android from source.
I do not exactly understand what you are trying to do. If you wish to change the lock screen password programmatically, and your'e application is A device administration than you can call:
resetPassword method of DevicePolicyManager like this for example:
m_policyManager.resetPassword("bla bla", DevicePolicyManager.PASSWORD_QUALITY_SOMETHING);