i've seen apps like Cerberus which can survive hard reset of phone. I want to add similar functionality in my app that has security features such as anti theft. So my question is: How to create a app that will survive hard reset to preserve some data that might be even used for further purposes, How can i prevent my app from hard reset of device?
I went through the .zip file from one of the app which is used to flash the app to the ROM but it didn't clear my doubts , can anyone clear the idea about how it can be done
Thanks in advance!
You can only do this if you have root permissions by moving the APK to /system/app. SuperSu, etc. offer this as an in-app feature. If you really want reliable 'security features' though, the app(s) should be part of the firmware, anything else is snake oil.
Why not store some data in a file on the SD card? You can simply retrieve this later and phone reset should not affect this. /sdcard is not wiped in a factory reset AFAIK.
See:
http://www.androidcentral.com/android-z-f-factory-reset
https://android.stackexchange.com/questions/33082/does-a-factory-reset-on-a-galaxy-nexus-wipe-the-virtual-sd-card-directory
Related
I'm wondering about the impact on the Android KeyChain if an attacker manages to root the device. Can anyone shed some light on this? Could you also make the distinction between hardware-backed (f.i. devices like the Nexus 4) and non-hardware backed credential storage?
How much of a role does the passcode strength play in such cases?
In addition, I would be most grateful for sources where I can verify this information.
Thank you.
Here:
https://source.android.com/devices/tech/security/index.html
I believe this guys have a better and more concrete response to your question.
But hey, if you want my 10 cents... Android is "secure enough". A rooted device only means a user can retrieve otherwise blocked content and files from its device and run processes with full control, but it does not means it can simply see KeyChain in clear text pair values.
Even if you do have the skills to retrieve the key and break its codification (that actually could take weeks, or months, or more time then one would spend), it is way to much trouble to root a bazzillion devices out there.
If your phone is rooted, then the hacker will manage to USE the keys in the hardware store
He will not manage to COPY them.
Since USING the keys is really what a hacker wants to do, it does mean that your security is absolutely compromised if the device is rooted.
Does anybody has the Idea of making an android app undeletable.I want to install selected apps on the system memory so that anyone having an access to my phone cannot delete those apps even after resetting the phone...
What I earlier saw was that the apps installed on the system memory cannot be changed or modified by ordinary users...I tried resetting my phone but saw some apps preinstalled from the company remained and all the apps that were downloaded from the play store were deleted..
The answer I got from searching the web was that I could make install an Android app to the system memory...does it make the app undeletable even after resetting or formatting the phone?
You can achieve this by making your application by Developing a Device Administration Application, follow this link http://developer.android.com/guide/topics/admin/device-admin.html.
you could only do this if you root your phone and place the apps inside system/apps.
However, if this is about your phone, why don't you use a password protector for apps, so nobody can access the app manager?
Removing a users choice to uninstall your app, goes against everything most programmers strive for. It's probably against the Google T&Cs also. And as already said, other than Malware or some dodgy virus attempt, there would be no practical (ethical) use for such an app, IMO.
I'm experimenting with Android and I want to know if the following is possible: can I modify/patch an installed APP using another APP?
I know it's possible with root access, but I was wondering about non-rooted phones.
The only solution that comes to mind is the following:
-Create copy of original APK from data/app/ folder
-Patch/rebuild it
-Launch installation of the patched APK
The user would need to confirm the installation, but in theory it would work right? Any other tecniques that I haven't thought of?
In case you're wondering, I'm interested in injecting different strings and other resources into existing apps to provide translations or other modifications (ex: cheats in games), without changing the source of original apps.
You are right, you can do this on a device. Smali/Baksmali can be used on Android, also the apktool should be callable (I have only tried smali).
A year ago or so I have tried to use smali on a device and autopatch the source output. There was some information on the net (which I'm currently unable to find, sorry) but it was very limited, at least someone showed how to use smali/baksmali correctly. I have abandoned this approach because I'm not that good at java and the resources on a phone are rather limited.
Another approach I thought of was to offload the actual work to a server somewhere in the net. But this has its very own problem as you need to transfer the files, you may need the framework.apks, and so on.
This is interesting but hard stuff, you need to decode/parse/patch/rebuild apks and this has to be reliable. When you fail, the worst thing is that the users phone is broken (I wanted to modify critical system apks, bad idea ;)).
Better if the reinstall is seamless and for that you need: INSTALL_PACKAGES permission.
Now, INSTALL_PACKAGES android:protectionLevel is "signatureOrSystem" which means the app needs to be signed with the same certificate that was used to sign the system image.
Now to sign one's app with the same certificate as the one used to sign the system image might seem like a difficult if not impossible task since vendors may not be to willing to let other's use their certificate. Then again, some might want your app included in their system image. In any case it doesn't matter per sey since it's Android and Android has a ROM market.
Android ROMS are more and more synonymous with the general 'workings' or 'features' of Android. It is something that Android users come to expect. There are ROM manager apps available on the Android market that will list and install ROMs etc..
So in essense for an app to gain the INSTALL_PACKAGES permission one can make their own ROM, OR, work with the people who make ROMS and either have the app included with the ROM or use the certificate used to sign the ROM's system image to sign the app.
Again it is entirely possible that a vendor include the app in their "firmware" (system image). You would have to approach them.
:)
if both are your app use .content provider to share data between apps.and if other app is from another developer then you simply can't modify the app.
I want to prevent user from uninstalling my application.But my main objective is to ask the password before uninstallation of the applcation.Is it Possible in android.
Not without doing something fairly in depth. First of all, I'm completely against this in general. If it's their device, they should be able to remove your app from their device. That said, there are some corner cases where this might be valid. Manufacturers seem to do this a lot (actually, in my opinion this is one of those cases which is not valid but that's a whole other story). They install apps into the system partition, which the user doesn't have rights to modify. You could do the same if you're actually distributing the device. If you want to just do this for a regular Market app, then no.
No, you cannot prevent user from uninstalling your app.
What is the recommended way of creating a demo version for an application. Basically, the demo version will be fully functional, but will be limited to running it 25 times. My worry is that if the user uninstalls and reinstalls, the count will be reset.
I thought about writing a data file to the SD Card with the count of executions (hoping that would persist after uninstall), but I do not want to add that permission if I can avoid it.
Any suggestions on how to have some type of demo flag persist after an uninstall?
Even if it's on the SD card, there's no reason the user can't just go and delete your file themselves.
I asked a similar question a few months ago, but that was for a review copy, not a demo version. You could do something similar to what Dave Webb suggested and store each user's device id on a server. It would mean you'd both need the READ_PHONE_STATE and INTERNET permissions enabled and I can understand not wanting to add additional permissions. However, it is the only fool-proof way I can think of to guarantee that an application is only run X number of times, as any change you make to the phone can be reversed.
mbaird pointed out that anyone can install the full version of your app and try it for one day before requesting a refund; with this in mind you might make a crippled demo version that informs the user of this (not-oft-used) Market functionality.