I'm planning on developing an app and I don't want it to be 'online only' so I want to be able to store data internally on the users device, app data. Is this 'secure'? Or can people fiddle with the app data? Is there ANY secure offline way to store app data?
I tried reading http://developer.android.com/guide/topics/data/data-storage.html#filesInternal which suggested it is secure, but somewhere else someone said rooted phones could disregard this. So is it secure or not? -If so is there any way to 'block the app' if the phone is rooted?
On a rooted phone the user can read the data.
With JellyBean Google tried to encrypt application data to prevent that from happening, but this feature is disabled for now because it broke too many apps.
Some ways of rooting the phone you can detect, for instance using roottools.
But there is no reliable way of detecting all the ways in which a phone could be rooted.
And even if you could make sure the phone is not rooted, what would prevent the user from rooting the phone after you downloaded the data?
Be aware that even if you don't download the data to a file: Using a rooted phone the attacker could still transmit the .dex file of your application to his PC. He can then decompile it (for example by using dex2jar and jd-gui) to gain information of how to read the data from your server.
Thus any info your app accesses from the server an attacker can potentially access as well.
I have faced the same problem but found encryption is the only mechanism to handle the situation but ofcourse that increases burden on the device but if that is mandatory then only option is using Encryption or Steganography
Is this 'secure'?
It is secure from other apps by default.
somewhere else someone said rooted phones could disregard this
Users who root their phones can run apps with superuser permissions, and those apps can access any file on the device.
Hence, data on internal storage is not secure from the user, because it is the user's phone, not yours, and hence it is the user's data, not yours. Most users will not touch your data, but all users have the right to, if they take sufficient steps to do so.
If so is there any way to 'block the app' if the phone is rooted?
There is no rock-solid way to determine if a phone is rooted.
Related
I'm building a simple Android application for my self. It is a simple password manager where I can store all my accounts. I just want to know if is it possible to hack or extract the data of Android app even if it's offline?
Thank you
Are the password hashes stored server or client-side? If the passwords are stored client-side, then yes, it is indeed possible. If the passwords are stored in plaintext, all the better for the attacker who has local access to the device.
My hope would be that you used symmetric-key encryption on the passwords which can only be decrypted with your master password utilized as the key and that you minimize plaintext exposure even within memory.
No one can transfer data to a remote server when the device is offline, but there are other possible ways considering your problem like,
Create a program to collect data from your database and send it through SMS (Considering passwords are textual data and small in size)
Create a program to collect data and stay in low profile and send them to a server when the device became online
Technically possible, But don't worry, chances for someone doing something like this is very low,
Go with your idea and encrypt data if you can to avoid easy stealing.
Happy coding :)
I would always assume yes with these kind of things. I would recommend looking into encryption of the data, a simple splash screen for an app password would work. I would make sure that the private encryption key something that can only be generated by that password entered at the lock/splash screen. Other than that, on stock roms you should be alright but obviously dont leave fishy apps on your device. If I was building this I might even look into 2 factor auth via nfc as well.
Yes, It may be possible!
Internet is not only thing which connect port or sharing of port,
There are many options like bluetooth or Hostpot...
Through which we can connect two device jz we have to write program which access these tools and gives command to victims phone....
For online
We have msfvenom payload to hack any android...
Its quite easy process in this process we forword victims phone port to attacker os....
Its so easy
For offline services we can hack device using BT remote control or same as with wifi...
as you know, we can access to any folder on android device after rooting. My app has a database and some other binary files. I know that I can't prevent user see my files and database. But is there any way to prevent user copy it to other android devices for illegal use?
One option is to encrypt the data stored in database. Normally it is stored in plaintext. SQLCipher, I believe works for Android too..
From Android/google official forums,
Users with rooted phones can get access to any files they want.
Otherwise, databases in the conventional on-board flash location are
secure.
If you want to prevent that (routed access) only option is to encrypt it. However long it takes.
EDIT:
What I am saying is, it is never completely secure. You can make it as much difficult for hackers. You can save the decryption key (only) in the server (if downloading entire data from server is time consuming) but then app needs net connection to work. You can save the key in a hidden file (filename starting with .), but rooted users with knowledge about linux type file system can find them. Or you can do as Teovald suggests it in the comment to this answer, by generating the key in run time using any hash algorithm from any constants (like IMEI number), but it also need some processing. The more you try to secure it, the more works you need to do to use it. So it is a 50-50 kind of situation, and decision should depends on one's requirement.
Apart from encryption (see Krishnabhadra's answer) the only way to ensure critical data is to not have everything on the device. So you could access the most critical data always online only.
Of course this has the downside that not all of your app is usable if the user has no connection. You have to balance between your need to keep data safe from prying and allowing instant offline access to data.
If you can alleviate the former problem depends on the data. If all is critical, nothing is allowed on the device. Users will understand and begrudgingly accept this. No one would want a copy of his bank account on his device. But you should allow access to everything that is not critical even in offline mode.
I want to remotely wipe email only (not factory reset) with/ without Device Administration. Is it possible?
Note: The user may use any type of mail client.
After reading docs, and as my experiences, I think without a factory reset, you can't.
Unless the user is running under root account, you can find all other apps' data and wipe it. The hard part is "any type of mail client". There will be some apps you don't know of. And maybe some apps store data internally (device's memory) or externally (SD card…).
In any case, without factory reset, Device Admin can't help you.
I want to build a security related application. I would be storing some important information (files) in my Applications private memory.
Can a FileObserving application detect/access changes to my internal app section in case device is rooted?
I have looked here .In the question itself it seems that even after rooting , other applications wont be able to access my internal app data unless the user changes the access permissions on those files.
Can an application change file permissions of my app when rooted and access those files?
I can store the files in encrypted format but i just want to know how easy is to access my apps data after phone is rooted.
Yes #Alok. Private data of other apps can be seen on rooted phones.
Can an application be remotely uninstalled/deleted?
We cannot uninstall an application without user intervention, therefore uninstalling/deleting an application remotely is not possible.
This is actually possible but you cannot do it. Only Google can (to remove malware downloaded from the Market I guess)
If you want controls like a remote wipe of data/ encryption though, read about Device Admin