I'm developing a system app in android. However, I will need system certificates for that purpose. I wanted to know, if I sign my app with AOSP system certificate, will it work on Nexus devices?
I know manufacturers like samsung and HTC have their own system certificates, so I cannot run my system app on their devices. Just want to know, will my app work on Nexus devices?
You won't be able to sign your app to make it a system app on Nexus devices. The key used by Google is private. It would be a big security issue allowing "random developers" to create system apps.
But there are some "androids" using the android debug key as system signature (e.g. most custom roms (newer cm versions won't work because they have other security mechanisms implemented to avoid misuse of system apps) or a lot of "low-budget" china manufacturers)
Related
Given self-signed CA certificate file which was generated on device, I'm trying to figure out a way to install it on work profile, since the traditional way of installing CA certificates using android.security.KeyChain.createInstallIntent() no longer works, neither on personal profile nor work profile.
I noticed that on some devices (for example, Pixel device), there is no system settings UI for installing CA certificate on work profile (only for personal profile), while other devices (for example, Samsung Galaxy S10+ and Galaxy S8+) does provide a system UI to install CA certificates on work profile.
But since it's not available across all device manufacturers, I cannot rely on it.
According to Android Developers documentation of Android Enterprise changes in Android 11, only DPC apps or apps delegated by DPC apps can install and revoke CA certificates in work profile programatically.
But not all DPC apps support this API (exist in Test DPC but not in Microsoft's Intune Company Portal).
I'm lost, does anybody know a way that will always work?
It's been a while and I made progress and observed multiple MDM platforms.
Most MDM clients does use this API to install certificates programmatically but it's being activated from the MDM management platform, rather then the MDM DPC app itself.
So if my goal is to install certificate that is generated on device it cannot be done using the MDM DPC app (all least not using the MDM platforms I encountered).
However, I can still install certificate using the MDM management platform, usually for root CA certificates which are deployed on multiple devices, rather then per-device certificates.
Is their an android equivalent to the Apple configuration policy?
https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/Introduction/Introduction.html
We are deploying some android tablets (company owned) in a corporate environment and need to lock down specific features in the tablets. Mainly to turn off the camera and the lock which applications can be run. Possibly forcing install of certain applications.
Mainly to turn off the camera
That is supported via the device administration API.
the lock which applications can be run
There is nothing in the Android SDK for this.
Possibly forcing install of certain applications
There is nothing in the Android SDK for this.
Try out android for work..
https://www.google.com/work/android/features/
It should give you ways to remotely administer android devices.
App security
Work apps are deployed through Google Play for Work. IT can prevent
installation of apps from unknown sources and apply app
configurations.
Does anyone know how to build a test app that plays well with Samsung Knox? What do I have to so differently to build an app for samsung devices that have Knox installed on them?
From KNOX 2.0, App wrapping is not required.
This is from the Samsung KNOX 2.0 whitepaper:
The KNOX 2.0 platform features major enhancements to the Application Container from the original KNOX platform. The most significant enhancement is the elimination of application wrapping. This is achieved by leveraging technology introduced by Google in Android 4.2 to support multiple users on tablet devices. This enables enterprises to easily deploy custom applications without requiring Samsung to wrap the applications. It also reduces the barrier to entry for independent software developers wishing to develop applications for the KNOX container.
Complete White paper can be found here: http://www.samsung.com/ca/business-images/resource/white-paper/2014/03/Samsung_KNOX_tech_whitepaper_Final_140220-0.pdf
Multiple user: (Complete Ref: http://developer.android.com/about/versions/android-4.2.html#MultipleUsers)
Android now allows multiple user spaces on shareable devices such as tablets. Each user on a device has his or her own set of accounts, apps, system settings, files, and any other user-associated data.
As an app developer, there’s nothing different you need to do in order for your app to work properly with multiple users on a single device. Regardless of how many users may exist on a device, the data your app saves for a given user is kept separate from the data your app saves for other users. The system keeps track of which user data belongs to the user process in which your app is running and provides your app access to only that user’s data and does not allow access to other users’ data.
Might want to take a look through here https://www.samsungknox.com/en/blog/what-app-wrapping and here https://www.samsungknox.com/en/resources.
Looks like you have to develop the app and then send it in to Samsung to have them 'wrap' it.
Personal data on Samsung devices is protected from mobile threats such as ransomware, malware, and unauthorized rooting, even while you’re using your device.
Secure Folder
Samsung Pay
Samsung Health
Samsung Pass
Empower enterprise mobility by leveraging Samsung Knox and ensure seamless device deployment with advance security, taking device management to next level.
I'm sure this is a dumb question but Googling got me nowhere.
Does each device vendor do its own Android build? More to the point, does each device vendor sign its build with its (the vendor's) own system signature key, such that we should not expect any two Android devices (at least, devices from different vendors) to utilize the same system signature key?
Example: I know I'm not the first person to want to run an app with sharedUserId="android.uid.phone" and process="com.android.phone". But this requires my app to have been signed with the system signature key. If, by some miracle, I were able to obtain the system singnature key for my Acer device and sign my app with it, would this restrict my app to run on Acer devices (or perhaps just my particular model), since other vendors' devices would have their own Android builds and their own system signature keys?
More to the point, does each device vendor sign its build with its (the vendor's) own system signature key, such that we should not expect any two Android devices (at least, devices from different vendors) to utilize the same system signature key?
Generally, yes. At least, all the serious vendors do.
If, by some miracle, I were able to obtain the system singnature key for my Acer device and sign my app with it, would this restrict my app to run on Acer devices (or perhaps just my particular model), since other vendors' devices would have their own Android builds and their own system signature keys?
Well, your app probably would run on other devices, but it will not be able to obtain that shared user ID.
Is it true that ANY Android phone can be used for App development and testing?
I'm trying to find some inexpensive off-contract hardware for development and testing of our Apps. I've found some devices I can buy New with No Contract for $150 to $300 (like the HTC Aria or the Huawei Ascend). Is there anything that would prevent me from using these devices for USB debugging and app testing? I guess I'm concerned because I've read how the HTC Aria has been locked down by AT&T to limit applications. I suspect this won't affect me loading apps using ADB, but I'd like to be sure.
Yes, you can use any phone for testing applications via the Android development tools. This includes the HTC Aria of what I've read.
You can read more here: http://developer.android.com/guide/developing/device.html
And it is not true what Sam Dufel wrote. A developer phone have messaging and phone features. It's just as any other ordinary unlocked phone. The only difference between the dev-phones is that they have unlocked bootloaders so you can install and customize your own Android-system and install it. It is rooted by default.
Google actually sells development phones - after you create a developer account, they give you an option to buy one of a couple different models. You don't get any messaging / phone features though, obviously.