Security Concerns for Keyboard input - android

I am aiming to find out different security concerns that can occur on Android devices. One of them is keyboard interception.
Following are my findings:
a) If I am not using a third-party IME (keyboard), I am sure that no application can intercept the keys that I have entered.
b) If I am using a third-party IME app, this app can get whatever I have typed and may forward it to some other app, upload it to the net, etc.
Both of the above points are valid for a non-rooted as well as a rooted phone.
If I am using the standard keyboard (Android or that provided by firmware), it is impossible to intercept key events unless the firmware is modified.
Links I referred to are One and Two.
What will happen if I plug in an external keyboard, like we do on a Galaxy Tab 2? When we type using this keyboard on the EditText on the Activity at top, is it guaranteed that no one else can intercept the key presses (rooted/non-rooted phones and without firmware change)? I hope that the IME security rules given in the Android documentation here under the Security section apply for external keyboards too.
I recently found the DoMobile ShareKeyboard app on Market; it enables input through a computer keyboard using Wifi/GPRS on an Android device. Here obviously the user is using a 3rd-party IME, so it's completely insecure in cases where security is a major concern.
Please correct me if I am wrong in the points I mentioned.

When we type using this keyboard on the EditText on Activity at top, is it guaranteed that no one else can intercept the key presses (Rooted/Non rooted phones and without Firmware change)?
Yes, if the OS is the one handling the keyboard.

a) You can't be sure. The original keyboard that came with your device was made by your device manufacturer but might have been modded before it got into your hands (by operators, resellers, ROM modders, or just your boss) - it's incredibly easy.
From my personal experience, firmware developers usually don't remember to clean debug information from their IME app, and all your keys (and even touch input) are printed in the logger.
b) Actually, this might just be a more secure solution. You get it from Google Market, so you know nobody touched it on the way. These apps are also made by people whose expertise is building IMEs, and therefore they'll know better how to improve its security and performance.
If your device is rooted you have no chance of protecting your privacy at all; apps which use root permissions will be able to read your keys from the lowest level possible - like the /dev/input/eventX kernel input device, not to even talk about reading the Android key dispatcher, which is also easy.
An external keyboard is no different from a virtual keyboard; its keys can be intercepted via the active IME app.
If your security is important to you, use official firmware, don't root your device, and use a good, proven IME app from the Market which has security considered.
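
An added example (not part of the original posts): a device audit in the spirit of the advice above, listing the enabled IMEs and marking which ones are not on the system image, since the active IME sees both virtual and external keyboard input. The sample data and the package name com.example.thirdparty.keyboard are constructed; pass --device to query a connected device over adb instead.

```shell
#!/bin/sh
# Added example: flag enabled IMEs that are not part of the system image.

# Constructed sample data standing in for the output of:
#   adb shell ime list -s
#   adb shell pm list packages -s
#   adb shell settings get secure default_input_method
SAMPLE_IMES='com.android.inputmethod.latin/.LatinIME
com.example.thirdparty.keyboard/.RemoteIme'
SAMPLE_SYSTEM_PKGS='package:com.android.settings
package:com.android.inputmethod.latin'
SAMPLE_DEFAULT='com.example.thirdparty.keyboard/.RemoteIme'

# classify_ime IME_ID SYSTEM_PKG_LIST -> prints "system" or "third-party"
classify_ime() {
    pkg=${1%%/*}    # an IME id has the form "package/service"
    # -F literal, -x whole line: "latin" must not match "latin2"
    if printf '%s\n' "$2" | tr -d '\r' | grep -Fqx "package:$pkg"; then
        echo system
    else
        echo third-party
    fi
}

# audit_imes IME_LIST SYSTEM_PKG_LIST DEFAULT_IME -> one line per enabled IME
audit_imes() {
    printf '%s\n' "$1" | tr -d '\r' | while IFS= read -r ime; do
        [ -n "$ime" ] || continue
        mark=''
        [ "$ime" = "$3" ] && mark=' (default)'
        echo "$(classify_ime "$ime" "$2") $ime$mark"
    done
}

if [ "${1:-}" = "--device" ]; then
    # Live mode: needs adb on PATH and one authorised device attached.
    audit_imes "$(adb shell ime list -s)" \
               "$(adb shell pm list packages -s)" \
               "$(adb shell settings get secure default_input_method | tr -d '\r')"
else
    audit_imes "$SAMPLE_IMES" "$SAMPLE_SYSTEM_PKGS" "$SAMPLE_DEFAULT"
fi
```

A "system" result only means the package ships in the system image; as the answer notes, that says nothing about whether the vendor keyboard itself was modified or writes keystrokes to the log.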

Related

How do Android TV box software developers ensure best compatibility from third party apps for their (gyroscopic) remote controls?

To explain my question, a bit of info about my test setup might help. I have a Moto Z, with a Moto Mod projector (my spoilt son's christmas present). I've now added a gyroscopic probox2 remote/gamepad, so he can theoretically use his phone while projecting, for films/games, without tapping the phone (which is behind him).
I've connected it and it works to an extent. It works in the core Android UI (home screen, app launcher, settings etc). However it doesn't work at all in most apps. It works in Amazon Prime, for example, but not in Netflix.
I was expecting it to work pretty much seamlessly, as it would on Android TV boxes, even though I'm connecting it to a phone.
I've noticed it seems to identify itself to Android as a keyboard, rather than a gamepad, which makes sense since the gyroscopic "air mouse" functionality wouldn't necessarily make sense on a gamepad. The gboard popup disappears when the remote is connected, even though the remote itself doesn't have an actual keyboard. The remote allows you to switch between a sort of gamepad mode and a mouse mode, although in both cases identified as a keyboard.
Because it doesn't work out of the box in Android, and I think somebody would have noticed on an Android TV if it didn't work with Netflix, then I'm assuming Android TV developers do something to force compatibility from apps that aren't allowing input from a "keyboard".
Possibly a service that detects "keyboard" presses and simultaneously triggers a "gamepad" press?
That's how I would probably approach it, and I assume that's how the non-root "button remapper" type apps approach it, because they can't interfere with the actual button mapping file... but it might not be the best/easiest way?
Any ideas?
Having looked into this further I think I understand.
Apps for Android TV are maintained separately from their mobile counterparts (https://www.apkmirror.com/apk/netflix-inc/netflix-android-tv/netflix-android-tv-3-3-2-build-1530-release/netflix-android-tv-3-3-2-build-1530-android-apk-download/) and it's not possible to side-load them without getting hacky.
So that's basically the answer - the approach in the Android TV industry to ensure compatibility with keyboards, mice, and media remotes etc, is to create separate versions of apps for Android TV which support them. On mobile, presumably developers are mainly interested in ensuring physical keyboards work in text input areas, rather than in all areas in unusual cases like mine.
Which doesn't help me at all.
The not so good ways of doing it... There's possibly an approach of creating a virtual gamepad, mapped to the key presses of the physical keyboard (i.e. remote). An example of an app which appears to do just this, requires root in order to do so https://play.google.com/store/apps/details?id=com.locnet.gamekeyboard2&hl=en_GB

Stagefright - Gaining root access on Android 4.0.4 and 4.4

I've been reading some about the Stagefright exploit and I wish to know if it is possible to gain root access on an Android 4.4 or 4.0.4 device with this exploit.
The wiki page states
"allows an attacker to perform arbitrary operations on the victim device through remote code execution and privilege escalation". What does the "privilege escalation" mean in this case?
As quoted below from here:
As such, a hacker could gain control of the device before the victim even knows about the text message, and even if phone owners find the message right away, there is nothing they can do to prevent the malware from taking over their device. The hacker would have access to all data and the ability to copy or delete, and would even have access to the microphone and camera, all pictures on the device, as well as Bluetooth.
It was shown to be possible.
A demonstration from the Wikipedia page you mentioned was provided. There are safety measures in place to make it hard.
The ASLR is something since ICS that makes it hard to accomplish.
The user can also turn off automatic processing of MMS in the default handling application. This will mitigate background attacks and give them a chance to delete the message.
The potential will also depend on what activity was desired to be accomplished and what strategy would be employed. Thank you. Good day.

Modify my android to allow user to use only one or two apps?

I'm making an Android app that is used as POS in some business. In order to gain attraction the app is given with the phone, an Internet line and the app. I want to restrict phone calls, WhatsApp, SMS and so on. I want the phone to boot directly in my app.
I was looking into CyanogenMod but couldn't find any information on how to do this.
I mean, isn't it my hardware?
EDIT
I'm open to use other OS.
My device is a Samsung Trend initially.
I've read that you can replace an .apk and start your own app instead of the android menu (I know the user can then change the .apk, so still, it seems the better solution, anyway I couldn't find any information on how to do this)
I'm not 100% clear what you're asking for (you're giving away an entire phone with your app!?) and you didn't mention the phone model or Android version you are using, but there are apps out there which allow you to restrict a phone's ability to run or access certain features. (To find more, just search the Google Play Store for "kiosk".)
Android 4.2 on tablets introduced multiple user accounts, which were expanded in Android 5 Lollipop to phones with "profile accounts", which can be used to restrict access to apps and services. Screen pinning is another feature you can use to lock a particular app to the screen so that it can't be removed without entering a password.
It is your hardware, and as such you can also take more extreme measures by modifying the Android frameworks directly to restrict functionality, by say, removing the dialer. But if you're actually giving away phones with your app, there's always a possibility the new owner will restore the functionality and/or replace the ROM completely.

Android: Prevent regular users from accessing safe-mode?

I'm planning to deploy an app on my Android smartphone which is supposed to be used by multiple other persons. Now of course I do not want them to do things with the device they are not supposed to do so I informed myself about several different ways to make it as safe as possible (Lock-down apps, Kiosk mode, Mobile-device-management, Code-tweaks and so on).
I found some solutions that look really promising but they all share the same problem that a user could just restart the device and boot it in safe-mode where those helpful apps won't be started. However, there is one exception: I've installed a MDM app called maas360 which somehow manages to apply the restrictions that I defined even in safe-mode, for example by blocking access to the menu settings. How is that even possible? The thing is just that this is not a free app and it offers a huge variety of functions - overall it seems to be a bit excessive for my goals.
So my general question would be: is it somehow possible to restrict access to the safe-mode somehow? Maybe like a password? From what I understand it is not even possible to set a system password for Android devices that you'd have to enter once it boots (except if you set up a password for unlocking the screen first which would then be the same one... very redundant).
Disabling the physical switch of volume down (in case of Samsung devices) will stop access to safe mode on the device. I don't find any other way to do so.

Programmatically restrict user access to Android/iPad/iPhone device while an app is in a certain state

Some background information:
I currently sell a niche software product for Windows PCs. Some of my clients are expressing heavy interest in rolling out similar functionality to their Android and iPad users. I am not an Android or iOS developer. My software solution restricts user access to a computer by disabling the screen while some specific hardware is giving a certain signal.
The essence of my question:
Is it possible, on either Android or iOS, to programmatically restrict access to the device while an app is in a certain state?
This could involve any of the following:
Preventing the user from changing apps or returning to the home screen while the app is in a certain state.
Locking the screen while the app is in a certain state.
Turning the screen off (or completely disabling the screen) while the app is in a certain state.
I imagine this isn't something "normal" apps could do - the malware implications are quite horrible. For my purposes, it is acceptable if some certain administration actions or special install steps are taken.
For a regular (I will explain the meaning of the word regular later) Android device it's impossible, since there's always a possibility for the end user to press the magic "HOME" button and get access to any device features. The HOME button can't be intercepted by any application - it's a low-level restriction.
By regular I mean an Android device with a standard kernel. But there's a possibility to hack the kernel and rewrite those restrictions related to the HOME button; for sure, after that you'll be solely responsible for all kinds of support, updates and so on.
About iPhone: it's not my field - I don't know.
