I'm rather new to Android developing (a few months), and I'm developing Android application, that must have some security mechanism, that require licensing per device not per account.
I thinking about the scenario:
client have a multiple similar Android devices (for example tablet, the same model)
client buys first license (application gets the license data and store it in the device)
client create snapshot of first device and use it to make software duplication with other devices (licenses allow to run without internet authorization when user have full commercial license), even after all updates (done in first device)
And here's my question: is it possible to detect (or prevent) by application that kind of duplication? Even with required internet connection in every run (or uuid generated by application instead of getting hardware id), duplicated devices still will be recognized as the same model...
Or maybe I'm wrong, and that kind of duplication isn't possible?
There are several more or less unique IDs that can be used to identify Android device. See this example - you may need to use all of them.
On a rooted device with custom build an attacker can obviously fake any ID.
Related
I have a new project at hand where I need to make two android applications
1)Main Controller application (be installed in one device say its name be X)
2)Sub Child application (be installed in devices that need to be controlled by X )
So I want to get an idea/picture about how one android device like (2) can be managed fully(i.e. blocking applications or making them accessible for some interval / block calls / track location of user ) from another device like (1). So far I searched Google ,asked my seniors about the same but none was able to help me out.Found many scattered info (like need enterprise app to do this i.e use android management API or Device admin ) but not being able to get any clear idea about the work flow.
Thus now this the last place I can think of for helping me out with this work flow.
Reference
Update: Based on what #Fred said i.e. to use android management API (also based on the answers that he posted here) could we somehow have own custom web server and manage the interactions that EMM console does with all the child apps through our own API's(the same API's which we would call from the parent app.) ???
In other words instead of controlling form the EMM console, I would like to control those child application from another parent android application.
By FCM or Socket programming you can easily communicate with other app. Suppose 2nd app receive a call then 2nd app call a api of server about the information, then server knock 1st app by fcm or socket, then 1st app make a decision and submit the decision to server by API, And finally server submit the decision to 2nd app by FCM or socket.
You can check out the Flyve MDM which is an open source mobile device management solution including both agent app and web panel for management.
I have an app that has some unknown devices listed in the analytics portal I use.
I was wondering if Android and iOS have a method that I can call which tells me if the app has been downloaded and opened using an emulator?
I've thought of accessing the device's IMEI, but this is only for mobile phones and doesn't cover tablets. Any help would be greatly appreciated.
You can try filtering out the Connecting device's by their device's model number, name and id.
For that you first need your app to parse the data from the phone, and then send this data to your server while authentication.
The server checks the robots list and then authenticates the exceptions (genuine users).
NB: Nowadays emulators are updated, they are capable of spoofing a Device Name, Model and ID. So it's a hectic job to detect spoofer's.
Just a Mere Concept out of Thoughts, Might possibly work!
There are couple of methods out there. Android includes a built in method,but some of them can be maneuvered.
Android includes some system properties that keep such information. they can be accessed using the getprop utility and there are ways to get the problematically.
More specifically, the "ro.build.characteristics" will contain the word "emulator" when running on emulator.
Long story short: There are couple of libraries that are capable of doing this and are consider reliable.
Here is a good example:
https://github.com/framgia/android-emulator-detector
For iOS see this answer
As a side note. if you are concerned about having a safe environment to run your application, take a look at SafetyNet
I am developing an app that will work in 2 different Android environments (consumer & corporate markets). Lets say it is a texting app with a dozen configuration parameters to manage.
The first environment is a standard Android device that has no Android Enterprise (AfW) features enabled. So there is no EMM (MDM) to supply an Android Agent/Client app to be a device/profile owner implementing a Managed Configurations Provider.
The second environment is within a corporation. An EMM (MDM) is used to manage all their corporate owned devices. The EMM is either a device or profile owner. They are set up to use Managed Configurations and require remote configuration of this app.
To support both of these cases, how should this app retrieve configurations?
My current thought is to check if the instance of my app belongs to a device or profile owner. If it does, I will use managed configurations. If it doesn't, it will allow on-device, within-the-app configuration using SharedPreferences.
I believe this will work, but seems too much like a hack. It also restricts a company using a device/profile owner from giving their users control. I imagine other Android apps must be starting to encounter this situation with the adoption-rate of Managed Configurations increasing. Is there a better solution for this scenario?
You can always call RestrictionsManager.getApplicationRestrictions(), whether the device is managed or not:
if the device is managed and the company has configured the app, it will return the configuration,
if the device is not managed or if the company has not configured the app, it will return an empty Bundle and you can give control to the user.
The problem:
In one of my Android apps, users should be allowed to make changes to text data on my server (via HTTP request) without being required to login or sign up.
In order to prevent spam and abuse of this function, I would like to identify a single installation of my app so that I can "ban" this installation. Of course, the user who is abusing my service could uninstall the app and download it again or something like that. But this is truly an obstacle and makes abusing the app more difficult.
So I have to find a way to identify an Android device or at least a single installation.
As one can read here or here the physical device ID of an Android phone is not a good solution. So what else could I do to achieve this?
My idea:
When the app is started for the first time, create an (almost) unique hash (maybe SHA-512) of the current timestamp and a huge random number. Then save this value on internal storage and always use it to identify this device or installation later (on HTTP requests).
What do you think of that solution? Are there any better approaches?
This is almost what the Android Developers Blog suggest, right? But are they really writing to the internal storage? They don't use openFileOutput() as suggested here.
And, at last, a question that is probably a bit stupid:
How can I use the code shown on the Android Developers Blog? Can I add that public class to my main activity .java file?
Thank you very much in advance! :)
In my current Android project, I use the Bluetooth mac id as the identifier because of what I read about the physical device ID not being reliable. Of course, my app is very specialized and REQUIRES bluetooth AND internet anyway, so this works.
Specifically I have a way of calling my web server from the phone, passing in the Bluetooth mac ID. I can check license status (for trials/expirations), where you might check against a ban method to see if that id is banned.
Since my application requires bluetooth, this worked perfectly for me since [mostly] all bluetooth mac id's should be unique.
Just an idea.
a customer ordered us a tablet application, but they need a lot of access restriction to lock device functions such as:
Permit datas transfer only inside the application not outside
Restricted user access on the device (something close to admin and normal user permissions)
A framework/API that permit to create an internal mail reader/sender
Public API of iOS makes impossible to fulfill those requirements. I was wondering if Android makes life easier when there are those kind of restriction.
UPDATE: To make understand better the field of use. I'm talking about an application that "force" the device to be used just only with that application for an Enterprise use. The app is just like a CRM but the device should be blocked in some functions to make users only work with them and NOT playing or use facebook, market etc.
Not sure you can achiev all of those, but you should look into the device policy for android here and here.
1) Not sure what you mean by point 1. If you mean controlling all data transfer from the device, you might be a in a bind considering the only way to get a firewall running on android is by rooting the device. Perhaps you could look into writing a custom launcher/home like KidZone that only shows approved apps? - Not nearly as secure, though.
2) Honeycomb, so far, doesn't have multi-user support - though you can have multiple google accounts registered. The custom launcher could help in this regard though.
3) I don't see the point of doing this unless they already have a custom mail infrastructure in place. Otherwise just go with exchange.
Permit datas transfer only inside the application not outside
Do not request the INTERNET permission.
Restricted user access on the device (something close to admin and normal user permissions)
You would have to implement this yourself.
A framework/API that permit to create an internal mail reader/sender
I have no idea what this means.