I don't want to do advertisement but sample app for behavior of my application is ESET antivirus.
One requested feature of my application is that for uninstall is needed password. I add my app to device admin list and it is not possible to uninstall it now. But you can Deactive app as admin device. Whan you go to Settings > Location & security > Select device administrators and you try to deactive ESET Security it starts the activity (I guess from DeviceAdminReceiver.onDisableRequested()) which is waiting for password and your mobile is locked. Home button, back button and even SwitchOff button doesn't react=>
How it is possible that Home,Back,SwitchOff and Camera button doesn't react?
EDIT - second question removed
(After I took out battery from my phone - ESET wasn't device admin too)
Thank you for ideas.
Ok, sorry ESET but this feature looks very interesting so I took a look at decompiled sources :)
The basic workflow is the following:
com.eset.ems.antitheft.receiver.AdminReceiver subclass of DeviceAdminReceiver is registered for broadcast actions DEVICE_ADMIN_ENABLED and DEVICE_ADMIN_DISABLED
When device admin is disabled com.eset.ems.antitheft.receiver.AdminReceiver.onDisabled() is called
com.eset.ems.antitheft.LockActivity is started from the AdminReceiver.onDisabled()
LockActivity shows com.eset.ems.antitheft.LockingDialog where the most blocking magic happens
As for the Home and other button block antivirus do the following trick - it uses ActivityManagerNative from Android internals. To keep LockActivity at the top of all other activities it starts a thread which contsantly calls ActivityManagerNative.moveTaskToFront() with LockActivity task ID. Prior to API level 10 reflection is used to access hidden moveTaskToFront() from ActivityManager class and after API 10 it just uses ActivityManagerNative code from Android codebase to access it.
Also both LockActivity and LockingDialog call ActivityManagerNative.closeSystemDialogs() method many times. Probably this is done in order to cancel system dialog which arises after power button long press.
As for the stopping execution of DeviceAdminReceiver.onDisableRequested actually I didn't notice anything special about it in the code. It only starts the activity after device admin is disabled and that's all. And on my phone device admin was disabled after I took the battery out.
Related
I am trying to make my feedback app to support fully kiosk, I have tried a lot of solutions but Nothing is completely satisfying my need. Here are the things that I found yet.
1. Make my app as Device Admin/Owner App(Lock Task) -
If we follow this link/procedure https://developer.android.com/work/dpc/dedicated-devices/lock-task-mode, some limitations are there as follows -
a. We have to factory reset all the devices where Feedback app is installed, follow some steps to make it as admin app(launcher app).
b. Installation of the app will be possible using the command line, each installation will take some line of code through cmd, which means for installing a person has to go there with the computer and connect the device with USB and then install the app using commands.
c. Update on an app will also follow the same procedure (Couldn't be performed using google play store)
d. In this case, end-user will never be able to exit from our app, restart the device would also launch the same feedback app every single time.
2. Programmatically screen pinning + programmatically volume and power button controlling. (https://github.com/mrugacz95/kiosk)
a. In this, we will make the app in screen pinning mode where all the three bottom buttons(Overview, home, recent) will be hidden/disabled. and same with the power key and volume keys.
b. So As soon user clicks on kiosk mode, a screen pinning system generated prompt would be shown to user But the biggest disadvantage of it is that app would be unpinned/unlocked as soon as the user presses overview+recent buttons together.
3. The third Case is, where all the keys are controlled including power+voulme+back+overview etc.
Only pressing home will make the app to go on the background and within seconds it will again come foreground.
So all I found up until now, is not very satisfiable.
One more Question-
Is this something to be fully controlled by MDM(Mobile Device Management)?
Any help is appreciated.
1. Make my app as Device Admin/Owner App
a. A device owner can only be installed on a newly initialized device (before an account is added). I believe this is by design : A device owner can completely lock the device down, you don't want a malicious app to be able to seize the phone of an unsuspecting user after a few "I agree" popups.
b. You don't need to install it using adb. The simplest provisioning method is via NFC : While the device shows the very first screen of the setup wizard, touch it with a tag (or another device) containing the provisioning configuration, most importantly an URL where the apk can be downloaded and a WiFi config.
Another method is via QR code (Android 7+) : tap 6 times the first setup screen. It is a bit less convenient than NFC because you usually have to provision the WiFi manually.
c. A device owner can be updated like any other app. As it can itself install or update applications without asking the user, you can implement a fully automatized self update mechanism : check for update / download / update.
2. Lock task / screen pinning
Any application can programatically enter lock task mode. How it happens depends on whether the application is white listed by a device owner app (possibly itself) :
If not, the user is prompted and must accept, they can also exit at any time. This is basically the same thing as screen pinning.
If yes, there is no popup : the user can not decline to enter, nor exit, the lock task mode.
Additionally a kiosk application can act as a launcher. A device owner (again, possibly itself) can set it without user intervention
Is this something to be fully controlled by MDM(Mobile Device Management)?
While device owner apps are usually DPC connected to a MDM console of some sort, this is not a technical requirement. How you control it is completely up to you. (I hope I understood correctly the question)
Overall, I think that the only reliable way a device can be locked in kiosk mode is to use a device owner app (separately or included in the kiosk application). The setup via NFC or QR code is actually faster than a normal device setup. It can also protect against safe mode reboot or factory reset. The only real constraint is that you can not deploy this kind of application on existing devices without wiping them first.
Make my app as Device Admin/Owner App(Lock Task) -
a. If you are making it an 'admin app' this means you have signed the device image correct? Therefore you control the full flashing of the device - you can do anything in this scenario.
b. You can actually also do ADB over WiFi after you set it up the first time
c. You can update your apps from the playstore - even launcher applications
d. This fact is the whole point of Kiosk mode. Users should not ever be able to exit the application. Only you can exit, either with a remote command or with a invisible touch combination (for example touching each of the corners of the screen in sequence twice, or other 'secret unlock code')
Programmatically screen pinning + programmatically volume and power button controlling. (https://github.com/mrugacz95/kiosk)
b. This is the opposite of 1d, it is not clear what you want if you want neither.
The third Case is, where all the keys are controlled including power+voulme+back+overview etc.
This is also the opposite of 1d, it is not clear what you want if you want neither.
We need a few more details on your deployment scenario for this app to help you out further.
My goal is to make my app unkillable.
Application has admin permissions granted.
I have one activity and one service.
Applionation cannot be uninstalled while Admin permission is active (thats good).
Service is auto re-creating. That's also correct.
Unfortunately on Android 5 - Lollipop user can click on all apps button - then go to Task Manager and simply END my app without any problems. After that service is destroyed for good (activity too obviously...)
Is this a way to prevent that?
1) Xposed. At the cost of execution speed and dependency on the TaskManager that you will have to reverse-engineer a bit...
2) USER_PRESENT and friends. Your application can register a BroadcastReceiver and re-start on events. That is, it will be killable, but it will restart.
I think you are interested in something like a kiosk mode: displaying a single app and preventing to break out from it.
There are various tutorials out there. This one is quite good:
http://www.andreas-schrade.de/2015/02/16/android-tutorial-how-to-create-a-kiosk-mode-in-android/
Edit: if your main target are Android 5.0+ devices you can also make use of screen pinning. http://developer.android.com/about/versions/android-5.0.html#Enterprise
I'm trying to start an app upon the first boot of the device before the keyguard appears. I need to ensure the first thing the user sees after the boot animation (which I've also changed) is this app. My app is just three screens of text in fullscreen mode with a next button in between them.
I realize that for most cases, this would be a terrible user experience. However, the phones we're shipping have a very specific purpose and because of this I need to meet the following criteria:
my app needs to be the first thing the user sees (after the boot animation of course) when they take the phone out of the box and power it on for the first time.
after the first boot, the phone should function as normal (i.e the keyguard should appear upon bootup instead of my app).
this only needs to work for lollipop since that's the android version we're shipping.
I can modify the Android framework if needed, but a solution where I don't have to is preferred.
My (Failed) Approach
Create an app that starts upon boot. Have the app dismiss the keyguard as the first thing it does.
The problem I found with this approach is the keyguard code is called before the app initialization code so the user sees the keyguard briefly and then sees my app.
A Possible Solution
I think the best way to do this is to add code in the framework to call my app before calling the keyguard. I'm imagining having a boolean that's used to keep track of whether it's the first time the device is powered on. If that boolean is true, open the app. If not, open the keyguard.
The problem is there's a lot of code in the android userspace boot process and I have a quickly-approaching deadline (don't we all?). How can I modify the framework code to show my app before the keyguard?
If there's a better way, please let me know that too!
Is it possible to have an application run on a device in such a way that it is the only application that can ever run and also prevent the user from using the operating system at all? Tapping on the Home key or Back button would not exit the application and allow the user to have access to anything. If the device boots up, only this application would run.
This would be desirable in situations where devices are installed at a business for point of sales purpose or possibly where the device acts like a terminal in public places.
You can achieve what you're describing by writing your app to replace the home screen (Launcher). From there, you control what other apps will run.
The Android SDK has a working Launcher project you can start from.
Be careful to allow some method of running a more powerful app (even if it's just enabling ADB access) -- otherwise you could leave your device in a state of needing a factory reset before it can be modified.
Yes, you can override the back and home button behaviour.
Start app, override all buttons, and the user cant exit the app, evil, but should work in your scenario.
info here
Okay, I'm pretty sure that this is not possible but a client had asked me to do so in one of our Android application we developed for her.
What she had wanted is that if our application is running, and user navigate to:
Settings > Manage Application > [Our Application]
, the button for "Force Stop" is disabled.
Is this possible? If it is possible, could someone point me out which way I should walk, or if it is not possible, how, using a valid argument based on facts, should I break the news to her.
Update:
She just sent me a screenshot that, in her opinion, validates her request that there's an Android application that disables "Force Stop" button. How am I supposed to explain this to her?
How to disable the "Force Stop" button
Short answer: Use the Device Administration API.
How to explain this to my client?
Show this to your client. It is a nice slideshow providing an easy-to-understand overview of the Device Administration API and its uses.
How do I demonstrate that it works?
Yes, back to your job. Use the API link provided above and the Api Demos included in Google's sample
collection to figure out how to integrate this into your app.
Build the demo and run it on your device.
Choose API Demos->App->Device Admin->General->Enable admin.
Choose Activate once the Device Administration API prompts you with its enabling screen.
Exit the app and attempt to manage the app via your device's settings menu (specifics for this step varies by device).
When viewing the Api Demo's "app info" screen, you should see both Force Stop and Uninstall are disabled.
How do I do this in my own app?
Review DeviceAdminSample.java in the Api Demos app for inspiration. You will need the following:
The following code is what brings up the activation screen:
// Launch the activity to have the user enable our admin.
Intent intent = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
intent.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, mDeviceAdminSample);
intent.putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION,
mActivity.getString(R.string.add_admin_extra_app_text));
startActivityForResult(intent, REQUEST_CODE_ENABLE_ADMIN);
However, there are a few other pieces you will need to get this to work:
A broadcast receiver that derives from DeviceAdminReceiver.
Entries in your manifest file that refer to the above broadcast receiver.
Permissions in your manifest for using the Device Administrator API.
An xml file stating what policies your app can access.
All of this can be found in the above links. Good luck with your client!
This is not remotely possible, for great reason.
You should tell her that making this possible would be a huge security disaster. Imagine what would happen if you could create apps which just ate at your processor time by holding a wake lock, and you couldn't kill them. This would be horrible.
In general, if you're wondering if you can modify the "extra-app" behavior of the device, the answer is usually *no*. You should take the viewpoint that nothing on the device is yours to control besides your app and (to a limited extent) the resources to which you're granted access.
No other app has this kind of control, so it's not reasonable to expect that your client's would either. However, the fact that she's asking for this control usually implies something else: that they are worried the user will stop the app and then something bad will happen (the locations will stop being synced, data will stop being sent out to the net, etc...). This would imply that you should look into improving the resilience of the app to different situations. Remember, your app can even be killed off at any time by Android (for example, in the case of low memory).
I think the device screen shot has confused us. Even I can show my application that is installed on the device and the "Force Stop" button is disabled. Where as I have not done any thing specific to that.
The reason of the "Force Stop" button being disabled is, that particular application is NOT running currently. Hence there is not meaning in having the button enabled.
#Rhama you can ask your client to start the application once, press the home button of the device, and goto the settings and see. Surely the "Force Stop" button will be enabled this time.
Regards,
Rajan
From ICS, disabling Force stop is possible. If your app has an active device admin then the framework will not allow user to kill the process
Hey I think it is quite possible to disable the "Force Stop" button...check Kaspersky
Parental Control from the market it is doing the same.
Its service is running in the background then also the force stop button is disabled.
The application service is running in background
you can disable the forcestop when the app has admin rights. but soon as those admin rights are revoked then it is back to normal. however in android 4, an application called applock (domobile) was able to prevent that by asking a password when you tried to change admin rights. It could only be done by installing an extra program that applock asked you to. And I guess this might even be seen as a security flaw, infact it no longer works in Android 5.