I want to remotely wipe email only (not factory reset) with/ without Device Administration. Is it possible?
Note: The user may use any type of mail client.
After reading the docs, and from my experience, I think that without a factory reset you can't.
Unless the user is running under a root account, you can find all other apps' data and wipe it. The hard part is "any type of mail client". There will be some apps you don't know of. And maybe some apps store data internally (device's memory) or externally (SD card…).
In any case, without factory reset, Device Admin can't help you.
Related
I'm building a simple Android application for myself. It is a simple password manager where I can store all my accounts. I just want to know if it is possible to hack or extract the data of an Android app even if it's offline?
Thank you
Are the password hashes stored server or client-side? If the passwords are stored client-side, then yes, it is indeed possible. If the passwords are stored in plaintext, all the better for the attacker who has local access to the device.
My hope would be that you used symmetric-key encryption on the passwords which can only be decrypted with your master password utilized as the key and that you minimize plaintext exposure even within memory.
No one can transfer data to a remote server when the device is offline, but there are other possible ways considering your problem, like:
Create a program to collect data from your database and send it through SMS (Considering passwords are textual data and small in size)
Create a program to collect data and stay in low profile and send them to a server when the device became online
Technically possible, but don't worry, the chances of someone doing something like this are very low.
Go with your idea and encrypt data if you can to avoid easy stealing.
Happy coding :)
I would always assume yes with these kinds of things. I would recommend looking into encryption of the data; a simple splash screen for an app password would work. I would make sure that the private encryption key is something that can only be generated by that password entered at the lock/splash screen. Other than that, on stock ROMs you should be alright, but obviously don't leave fishy apps on your device. If I was building this I might even look into 2-factor auth via NFC as well.
Yes, it may be possible!
The Internet is not the only thing which connects ports or shares ports.
There are many options like Bluetooth or hotspot...
Through which we can connect two devices; we just have to write a program which accesses these tools and gives commands to the victim's phone....
For online:
We have the msfvenom payload to hack any Android...
It's quite an easy process; in this process we forward the victim's phone port to the attacker's OS....
It's so easy.
For offline services we can hack a device using BT remote control or the same as with WiFi...
I'm using SharedPreferences to save login info that is used for HttpPost requests.
The problem is that I use this data directly to authenticate users with PHP, so if anyone creates another app only to steal my app's users' SharedPreferences (username, password), how can I stop him?
Your shared preferences are placed on internal storage by default. This is private to your app. Other apps cannot access your preferences file. The exception is if the user has rooted their device and runs the other app with superuser privileges.
#GagelGagel: yet again: an application run with administrative privileges can do anything. Literally - anything. You can try to protect from stealing data by encrypting information with your own key and your own flavor of encryption algorithm - but it is more reasonable to say "if you have rooted your phone and got your information stolen, it is your problem". Specifically to your question: no, SQL does not provide much protection against malicious software on a rooted phone.
I'm planning on developing an app and I don't want it to be 'online only' so I want to be able to store data internally on the users device, app data. Is this 'secure'? Or can people fiddle with the app data? Is there ANY secure offline way to store app data?
I tried reading http://developer.android.com/guide/topics/data/data-storage.html#filesInternal which suggested it is secure, but somewhere else someone said rooted phones could disregard this. So is it secure or not? If so, is there any way to 'block the app' if the phone is rooted?
On a rooted phone the user can read the data.
With Jelly Bean Google tried to encrypt application data to prevent that from happening, but this feature is disabled for now because it broke too many apps.
Some ways of rooting the phone you can detect, for instance using roottools.
But there is no reliable way of detecting all the ways in which a phone could be rooted.
And even if you could make sure the phone is not rooted, what would prevent the user from rooting the phone after you downloaded the data?
Be aware that even if you don't download the data to a file: using a rooted phone the attacker could still transmit the .dex file of your application to his PC. He can then decompile it (for example by using dex2jar and jd-gui) to gain information on how to read the data from your server.
Thus any info your app accesses from the server an attacker can potentially access as well.
I have faced the same problem, but found encryption is the only mechanism to handle the situation. Of course that increases the burden on the device, but if that is mandatory then the only option is using encryption or steganography.
Is this 'secure'?
It is secure from other apps by default.
somewhere else someone said rooted phones could disregard this
Users who root their phones can run apps with superuser permissions, and those apps can access any file on the device.
Hence, data on internal storage is not secure from the user, because it is the user's phone, not yours, and hence it is the user's data, not yours. Most users will not touch your data, but all users have the right to, if they take sufficient steps to do so.
If so is there any way to 'block the app' if the phone is rooted?
There is no rock-solid way to determine if a phone is rooted.
Can an application be remotely uninstalled/deleted?
We cannot uninstall an application without user intervention, therefore uninstalling/deleting an application remotely is not possible.
This is actually possible but you cannot do it. Only Google can (to remove malware downloaded from the Market I guess)
If you want controls like a remote wipe of data/ encryption though, read about Device Admin
I am creating an app where the user does some things during a game, and these actions are logged in a SQLite-database. At the end of the game the app presents these logs through a screen, which are read by the game administrators (like, physically read by the game administrators watching the screen). Is there some ways for the contestants to manipulate the database, and if not, what security measures prevent them from doing this?
The database is stored under /data/data/your.applications.package/databases. Normally this location can only be accessed by the user the Android OS created for the app. No other user is able to access this location unless the device is rooted. Then any user can access any location on the phone and manipulate the data.
So if you want to prevent users from cheating you need some way to check if the values in the database are untouched. Perhaps you can store some kind of fingerprint on a server to check this.
Yes, you can do it programmatically, as long as you are the developer. Here are the Android docs for SQLiteDatabase.
Here are some links for working with SQLiteDatabases programmatically:
From Android docs
From a blog
From another blog
The SQLiteDatabase in an application should be 'sandboxed' to that specific application, meaning that no other application should be able to get to that data, as long as the developer didn't provide access to it with a ContentProvider. So to answer your final question, no, there should not be a way for contestants to manipulate the database, except in ways that the developer has already allowed.
Yes, users can examine and change the database when connected over USB via ADB: http://developer.android.com/guide/developing/tools/adb.html#shellcommands
Update:
This only works on rooted devices or official Google Dev devices: Why do I get access denied to data folder when using adb?
Still, this would allow users to access the database and change game results. So you cannot rely on the database not being accessible.
Unless you issue the devices to users and you carefully watch what they do with them, to be secure against anyone determined, you need to digitally sign the entries in the database using a mechanism hidden in strongly obfuscated application code. And even that only makes it harder.
Note that using a server does not help unless a key part of the game logic itself is implemented in the server; if the user knows how to fake your signing mechanism to write fake database entries, they can also send fake reports to your server.
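One way to do the signing this answer describes, combined with the server-side fingerprint suggested in the earlier answer (added example, not code from any of the posters): each row's HMAC-SHA256 tag covers the previous row's tag, so editing, deleting or reordering rows breaks the chain, and recording the final tag with the administrators or a server catches truncation. Class and field names are assumptions; as the answer notes, a key compiled into the APK can be recovered from a rooted device, so this raises the bar rather than removing the risk.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Assumed names (not from the thread). Append-only chain of signed game actions.
public final class SignedGameLog {
    public static final class Entry {
        public final int seq; public final String action; public final String tag;
        Entry(int seq, String action, String tag) { this.seq = seq; this.action = action; this.tag = tag; }
    }
    private final byte[] key;   // extractable from the APK on a rooted device; only raises the bar
    private final List<Entry> rows = new ArrayList<>();

    public SignedGameLog(byte[] key) { this.key = key; }
    public List<Entry> rows() { return rows; }

    private static String hmacHex(byte[] key, int seq, String action, String prevTag) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        // Length-prefix the action so field boundaries cannot be shifted between fields.
        String msg = seq + "|" + action.length() + ":" + action + "|" + prevTag;
        StringBuilder hex = new StringBuilder();
        for (byte b : mac.doFinal(msg.getBytes(StandardCharsets.UTF_8))) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    public void append(String action) throws Exception {
        String prev = rows.isEmpty() ? "" : rows.get(rows.size() - 1).tag;
        rows.add(new Entry(rows.size(), action, hmacHex(key, rows.size(), action, prev)));
    }

    // The value to record off-device (server callback or the administrators) when the game ends.
    public String fingerprint() { return rows.isEmpty() ? "" : rows.get(rows.size() - 1).tag; }

    // Recompute the chain from row 0. Returns -1 if every row verifies and the last tag matches
    // the recorded fingerprint; otherwise the index of the first bad row (stored.size() means
    // the chain is internally consistent but rows were removed from the tail).
    public static int verify(byte[] key, List<Entry> stored, String expectedFingerprint) throws Exception {
        String prev = "";
        for (int i = 0; i < stored.size(); i++) {
            Entry e = stored.get(i);
            byte[] want = hmacHex(key, i, e.action, prev).getBytes(StandardCharsets.UTF_8);
            if (e.seq != i || !MessageDigest.isEqual(e.tag.getBytes(StandardCharsets.UTF_8), want)) return i;
            prev = e.tag;
        }
        byte[] expected = expectedFingerprint.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(prev.getBytes(StandardCharsets.UTF_8), expected) ? -1 : stored.size();
    }
}
```

Persist seq, action and tag as three columns of the SQLite table and run verify() on the rows read back before showing the results screen.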
You can use Proguard to obfuscate your code.
Also have the database be unique with a particular id according to the device id with some sort of server callback, to validate the database.