I'm looking in to the capability of locking out a user from using my application further. Let's say your app will run for some time, and after some event (time expiration, # of app starts, etc.), you want to lock out the application, or brick the app in some way that it can't be used anymore
I've considered storing a piece of data either as an internal file, or as a shared preference value, that would track when the event is hit. The issue here I believe is that the user can go in to the OS and simpy clear the data, which would erase the progression to the lockout event.
Does the community have any suggestions of being able to lock out a user that can't be circumenvented, and doesn't require a rooted phone / unique ROM image? I am targeting Android 4.0+ if necessary, but currently have min SDK of 11, and target SDK of 15
I did this in an early beta by checking the date, then after the specific date, displaying a message saying it had expired and doing a divide by 0 error.
For a specific time after they have installed it, you will have to use an online service, or try and hide a file on the SD card (not guranteed to work at all).
Related
I'm working on an Anti-Theft app. Supposing that my phone is stolen, the first thing a thief will do is factory reset it, what means all apps and data will be lost.
I can convert my app to a System App and it will probably "survive" a hard reset but its data will be lost. Is there a way to keep the app and its data after a reset?
If it's not possible to keep its data, I thought I could store its settings in a file, but it would be erased too. Is there also a way to keep a file after a reset?
Edit: I don't want its data. I want its data not be erased after a factory reset cause erasing its data means erasing all user settings. Since I'm developing an anti-theft app, if a thief resets it, the app should keep its data (user data like a email and phone number) to contact the owner even after a reset made by the thief...
Why do you want a copy of the data after it's stolen (????). May be you have a use case. Anyways, if you are basing your app on API level 23 and above, you can have a look at this - https://developer.android.com/guide/topics/data/autobackup.html
This kind of automatically does what you wanted to achieve.The backed up data is on Google drive of the user account but it's of no use unless restored. Funny thing is, the autobackup feature would actually restore this data after the app is installed again (and the same user has logged in).
This will not really help if you don't have the phone (i mean if it's stolen :)). But if you want to persist app data across app uninstalls and factory reset, autobackup would do the trick for you (available only on API level 23 and above)
It is possible to recover data once a mobile is factory reset or so was uncovered by some Cambridge University researchers in the paper titled Security Analysis of Android Factory Resets published in 2015. I haven't had much time to go through it, but it looks promising.
It seems they did manage to get master tokens even after factory reset by utilizing some flaw in android system where the composition of flash drives make them dangerously hard to erase. Seems something you can experiment with depending on the usage. Do go through it once.
I am developing an Android application and I am planning to release this build in “Open Beta” on the Google Play Store.
I want to implement the app security logic which can ensure that the beta build won't work after certain date dd/MM/YYYY.
Currently, I can think of two approaches for this logic:
Retrieve current date from the device (using Android code to retrieve system’s time)
Issue: User can change the device date to hack the security system
Use time server to check the current date
Issue: My application don’t need internet connection and hence it will be bad user experience if I am asking for internet connection at the start of the app
I have following questions:
What alternate approaches (other then checking dates) can be used to ensure that the app won’t work after date dd/MM/YYYY?
How can I detect that the user has changed device date manually?
Other approaches to find current date even if device is offline?
EDIT:
The beta build has all the premium features free and hence I don't want beta build to work after date dd/MM/YYYY.
NEW QUESTION:
I have implemented the code to check the real date using time server at the start of the application. What possible hacks can be done by users to access app after the date dd/MM/YYYY?
Thank you in advance.
Agreed you don't wish the device to be dependent on the internet. At some point however, the device will be online (A human will never leave his/her device offline since the installation of your app). At that point you check the time stamp and proceed from there. You could disable the app or perform any action. Many apps exhibit this behavior to run an action when and only when the net is connected.
Other than the net and device clock the only other final solution you have is to run a background timer from the moment the app is installed. Good luck
The new Permissions model includes "Internet" as default (you don't need to request it specifically anymore).
If you don't want to use internet you can use following idea. Get current timestamp when running application first time and save it preferences or in external storage. check current time stamp with saved timestamp every time user launches application. please check for negative values to prevent user setting previous dates.
You can check the date, and at the time that the date exceeds the deadline, you can save a variable in preferences, so that when you enter the application, even if they change the date, the application will detect that date been exceeded.
I'm curious about this. I have an app called GoSMS PRO and an app called Contacts+ installed in my phone. They both popup an alert notification when a text message is received. However, GOSMS PRO always beats Contacts+'s popup. I was wondering how this was happening in a programming perspective? Is there a way to give a certain app more preference than the other.
From security and permission side every app from Google Play has similar privilege, if they are not signed by the certificate of device manufacturer. This also means that none of the app will get extra preference.
Some time app do many type of checking/initialization/loading before showing their UI and when this type of things happens apps take longer period to load or display UI.
Most common things people do
Creating and initializing database
Reading database.
User validation (reading file)
Device state scanning(network)
Most common case is database access. I wonder if the app reading Content Provider before showing UI it might take long time depending on your device hardware and number of contacts.
Key strategy would be showing the UI right way and load data in background. Android has lots of Asynchronous api, just to avoid this type of scenario.
Does anyone know if there's a way to either keep the user from uninstalling an app from an Android phone or reinstall it on removal? Before you flame me, please know that I have an app that's intended to be installed on the phone by a parent/employer/etc. and has a password-protected settings screen; the user would need to enter the password to remove the app.
What if you have it send an email alert to a registered email address on uninstall?
On the topic of email notification when your service is uninstalled--
A lot of security software runs multiple processes which monitor each other, so that it's more difficult to shut the system down. You could do something similar with two services installed, each monitoring to see if the other is installed. If something goes wrong, they can send off the e-mail.
Not without modifying the kernel, or reducing the user priviledges on the device. Think of it as a Linux computer, where the cell phone user has root.
Can you prevent them from removing your app? No.
But you can make it painful and difficult enough that it's not worth it, and include alerts that indicate it has been removed.
First, I would modify the software so it requests and successfully answers a cryptographic challenge/response periodically from a remote server - daily should be enough, and wouldn't impact battery use. This way your server knows when it has been disabled (could be sold as an additional $10/yr service charge) and you can alert the purchaser.
Second, I would tie the software into the system at the driver level so that removal also removes text services. There are drivers or services that the texting application uses that could be replaced with your custom versions, and on removal would render the texting app useless. Chances are good that you already tie into the system in a similar way to block the texting app (and other apps) while traveling too fast.
Third, I would consider installing a monitoring program that runs as a separate process (check out how the latest viruses operate for clues). It would check to make sure that not only is the app still running, but it's running the latest version, and there isn't a GPS simulator or other program that prevents your app from getting correct GPS data.
I'm curious how you differentiate between the driver texting and a friend in the passenger seat texting on the driver's cell, though.
-Adam
Well, solution would be to mount /system/apps/ to be writable and put your app there once.
When you restart the phone it would automaticly install it and prevent a user from uninstalling (as every app in that folder, list it to see it). That's how mobile providers force user to have they app.
However, user could always delete this app by rooting + mounting /system/app/ to writable and then to delete. But "normal parents" can't do that :)
Regards
P.S. This question is two years old, I've notice it just now... :S
I'd highly doubt that's possible. The permission structure of Android is going to give the user full control over what's happening on their phone (to some degree) and not being able to uninstall an app would be a pretty large security risk.
If you modified the Android core, it would probably be possible, but if you're trying to force something onto an end-user, that's a bad idea.
Maybe there's a better approach to what you're doing? If there's some required functionality in the app to keep the user from uninstalling it, that would be a small incentive to keep the app, but there's no way to keep a user from removing something they really don't want. You could have the app report uptime to a seperate server so you could be notified if the app was removed, but I think that's as far as you're going to get.
Does anyone know if there's a way to either keep the user from uninstalling an app from an Android phone or reinstall it on removal? Before you flame me, please know that I have an app that's intended to be installed on the phone by a parent/employer/etc. and has a password-protected settings screen; the user would need to enter the password to remove the app.
What if you have it send an email alert to a registered email address on uninstall?
On the topic of email notification when your service is uninstalled--
A lot of security software runs multiple processes which monitor each other, so that it's more difficult to shut the system down. You could do something similar with two services installed, each monitoring to see if the other is installed. If something goes wrong, they can send off the e-mail.
Not without modifying the kernel, or reducing the user priviledges on the device. Think of it as a Linux computer, where the cell phone user has root.
Can you prevent them from removing your app? No.
But you can make it painful and difficult enough that it's not worth it, and include alerts that indicate it has been removed.
First, I would modify the software so it requests and successfully answers a cryptographic challenge/response periodically from a remote server - daily should be enough, and wouldn't impact battery use. This way your server knows when it has been disabled (could be sold as an additional $10/yr service charge) and you can alert the purchaser.
Second, I would tie the software into the system at the driver level so that removal also removes text services. There are drivers or services that the texting application uses that could be replaced with your custom versions, and on removal would render the texting app useless. Chances are good that you already tie into the system in a similar way to block the texting app (and other apps) while traveling too fast.
Third, I would consider installing a monitoring program that runs as a separate process (check out how the latest viruses operate for clues). It would check to make sure that not only is the app still running, but it's running the latest version, and there isn't a GPS simulator or other program that prevents your app from getting correct GPS data.
I'm curious how you differentiate between the driver texting and a friend in the passenger seat texting on the driver's cell, though.
-Adam
Well, solution would be to mount /system/apps/ to be writable and put your app there once.
When you restart the phone it would automaticly install it and prevent a user from uninstalling (as every app in that folder, list it to see it). That's how mobile providers force user to have they app.
However, user could always delete this app by rooting + mounting /system/app/ to writable and then to delete. But "normal parents" can't do that :)
Regards
P.S. This question is two years old, I've notice it just now... :S
I'd highly doubt that's possible. The permission structure of Android is going to give the user full control over what's happening on their phone (to some degree) and not being able to uninstall an app would be a pretty large security risk.
If you modified the Android core, it would probably be possible, but if you're trying to force something onto an end-user, that's a bad idea.
Maybe there's a better approach to what you're doing? If there's some required functionality in the app to keep the user from uninstalling it, that would be a small incentive to keep the app, but there's no way to keep a user from removing something they really don't want. You could have the app report uptime to a seperate server so you could be notified if the app was removed, but I think that's as far as you're going to get.