I would like to know how it is possible to protect an Android application from illegal copies not going through the Android market.
I know I can protect the code against reverse-engineering using ProGuard.
I am wondering if there is a good solution to avoid anyone to copy the apk file to another device and install the app. Since I will have full control of all the devices where the application will be installed (it is a company internal app), would it be possible to link the app to the device serial number? In that case the app will run only on those devices which serial number is in a list of allowed ones.
I am not looking for hyper security, I just want to keep the casual pirate away. I understand a professional hacker would hack it anyway if he wanted to.
Any suggestion??
Many Thanks
You could use a whitelist of IMEI numbers and quit the application with an error if the number is not in the list.
It is possible to access the IMEI through TelephonyManager. You need the READ_PHONE_STATE permission for that.
Please also have a look at How to programmatically get the devices IMEI/ESN in Android
Related
I want to access the apk file of any app before installation.
In more details: in google play store when the user clicks on Install button I want my application to access the apk file of the application that the user wants to download, and analyze this apk file and be able to whether allow the installation or stop it.
is that possible and if so how to approach this
On Android this functionality was introduced in Android 4.2. It is usually used by anti-malware products like Google Play Protect is known as a "Package Verifier". There is a good blog post on it here.
The short answer is this has to be done as part of the phone manufacturing process as it is so critical to security. So the answer is it can be done, but if you write this code you will need to get a phone manufacturer to include your code as part of a phone system image.
Most third party anti-malware products instead rely on analyzing the APK after the install happens by listening to the package added notification.
Definitely not possible in the way that you want. Android's OS is pretty well locked down. You might be able to do something if the device was rooted but at that point you may as well write your own OS fork. You can attempt to do someting with https://developer.android.com/reference/android/content/Intent.html#ACTION_PACKAGE_ADDED broadcast but you will not be able to analyze the apk freely nor will you be able to stop the installation of it.
Big company X provides its employees with Android phones. Those employees don't necessarily own a Play Store account (gmail address required AFAIK).
At the moment, my alternative is to send a link to our .apk file, however the installation procedure might be quite complicated, not even mentioning the updates.
What's the best way to deploy my app to these phones?
Uchiha Madara is right, but it's not very convenient. They can also subscribe to Google Apps for Business ! Besides, if phones are Lollipop phones, you can very easily enable Android For Work, with pretty useful features to controll mass-hardware !
However, it's not the unique solution. You can self-host your apk file as you do, make a webservice and make your app able to communicate with to check updates ! The only problem is to teach users how to allow install from unknown sources (in security settings), which may be hard if they aren't very confortable with Android phones.
Other solution, some companies offer whole turnkey solutions, like PushLink
You could try HockeyApp to allow the users to install the application and know them about the updates.
http://hockeyapp.net/features/
My guess is you will have to use DropBox and they can download it as long as there is Wi Fi of course and ro to the settings > security and check Unknown sources so that it can install the apk from the internet, they can then go to their downloads folder and see the apk there, then install it onto their phones. Hope this helped!
Source: http://www.cnet.com/how-to/how-to-install-apps-outside-of-google-play/
I think the best way to achieve your requirements is using Microsoft Intune.
Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). You control how your organization’s devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications. For example, you can prevent emails from being sent to people outside your organization. Intune also allows people in your organization to use their personal devices for school or work. On personal devices, Intune helps make sure your organization's data stays protected and can isolate organization data from personal data.
I need to increase the security of my android app. Actually my android app. will not be for Google play Store (which provides some licensing options to protect your app.) it will be used for some local companies that used the same app (Desktop app). However, I want to support two versions for my app. which are:
Demo version: for testing aims (after the given period end, the app will stopped!)
Actual version: this if the user want to pay for the app.
What I need:
To increase the security of my app. from installing it another time or on another device for the same user!
For my code I used ProGuard which is a tool provided by Android that lets you obfuscate (make harder to read) your code during packaging. cause there are many reverse-engineering application that used for unpacking the compiled code and viewing the source code (actually I tried some of them and its really amazing to restore the sourse code from .apk!) ..
I think to use the MAC address of each device the app. installed on and then store it into internal database and generate a number form it (in somehow), then ask user enters it (which I the one who knows this number and provider for it) if it is true, the app run else not. But, it's just idea I do not know how this can happen or even from where I can start or even also if that will help!
I tried also SharedPreferences But this does not help!
Actually I do not need for external database on server to read the username or the password for eligible users for app. I need to do that by my app. itself!
In sum please,
How can I protect my app from installing many times for same user or continuing using after testing period ends, etc. (I mean make it more secure)!
any ideas, any suggestions, any useful examples or sites are also desirable.
Sorry for this long question,
Does anybody has the Idea of making an android app undeletable.I want to install selected apps on the system memory so that anyone having an access to my phone cannot delete those apps even after resetting the phone...
What I earlier saw was that the apps installed on the system memory cannot be changed or modified by ordinary users...I tried resetting my phone but saw some apps preinstalled from the company remained and all the apps that were downloaded from the play store were deleted..
The answer I got from searching the web was that I could make install an Android app to the system memory...does it make the app undeletable even after resetting or formatting the phone?
You can achieve this by making your application by Developing a Device Administration Application, follow this link http://developer.android.com/guide/topics/admin/device-admin.html.
you could only do this if you root your phone and place the apps inside system/apps.
However, if this is about your phone, why don't you use a password protector for apps, so nobody can access the app manager?
Removing a users choice to uninstall your app, goes against everything most programmers strive for. It's probably against the Google T&Cs also. And as already said, other than Malware or some dodgy virus attempt, there would be no practical (ethical) use for such an app, IMO.
I'm experimenting with Android and I want to know if the following is possible: can I modify/patch an installed APP using another APP?
I know it's possible with root access, but I was wondering about non-rooted phones.
The only solution that comes to mind is the following:
-Create copy of original APK from data/app/ folder
-Patch/rebuild it
-Launch installation of the patched APK
The user would need to confirm the installation, but in theory it would work right? Any other tecniques that I haven't thought of?
In case you're wondering, I'm interested in injecting different strings and other resources into existing apps to provide translations or other modifications (ex: cheats in games), without changing the source of original apps.
You are right, you can do this on a device. Smali/Baksmali can be used on Android, also the apktool should be callable (I have only tried smali).
A year ago or so I have tried to use smali on a device and autopatch the source output. There was some information on the net (which I'm currently unable to find, sorry) but it was very limited, at least someone showed how to use smali/baksmali correctly. I have abandoned this approach because I'm not that good at java and the resources on a phone are rather limited.
Another approach I thought of was to offload the actual work to a server somewhere in the net. But this has its very own problem as you need to transfer the files, you may need the framework.apks, and so on.
This is interesting but hard stuff, you need to decode/parse/patch/rebuild apks and this has to be reliable. When you fail, the worst thing is that the users phone is broken (I wanted to modify critical system apks, bad idea ;)).
Better if the reinstall is seamless and for that you need: INSTALL_PACKAGES permission.
Now, INSTALL_PACKAGES android:protectionLevel is "signatureOrSystem" which means the app needs to be signed with the same certificate that was used to sign the system image.
Now to sign one's app with the same certificate as the one used to sign the system image might seem like a difficult if not impossible task since vendors may not be to willing to let other's use their certificate. Then again, some might want your app included in their system image. In any case it doesn't matter per sey since it's Android and Android has a ROM market.
Android ROMS are more and more synonymous with the general 'workings' or 'features' of Android. It is something that Android users come to expect. There are ROM manager apps available on the Android market that will list and install ROMs etc..
So in essense for an app to gain the INSTALL_PACKAGES permission one can make their own ROM, OR, work with the people who make ROMS and either have the app included with the ROM or use the certificate used to sign the ROM's system image to sign the app.
Again it is entirely possible that a vendor include the app in their "firmware" (system image). You would have to approach them.
:)
if both are your app use .content provider to share data between apps.and if other app is from another developer then you simply can't modify the app.