I am wondering if it is possible to launch a 3rd-party application from within my own application. I understand that Android runs in a sandbox, and so I am not too optimistic about this being possible.
I read the following here: http://source.android.com/tech/security/index.html:
"This sets up a kernel-level Application Sandbox. The kernel enforces security between applications and the system at the process level through standard Linux facilities, such as user and group IDs that are assigned to applications. By default, applications cannot interact with each other and applications have limited access to the operating system. If application A tries to do something malicious like read application B's data or dial the phone without permission (which is a separate application), then the operating system protects against this because application A does not have the appropriate user privileges. The sandbox is simple, auditable, and based on decades-old UNIX-style user separation of processes and file permissions."
Essentially, I want to launch some 3rd-party application that can scan and decode a barcode, and then have that data available to my own application. As I said, I doubt that this is possible, but surely someone must have encountered this before, and maybe found a compromise.
Yes it is possible if you have appropriate permissions to do that. Lot of applications use that feature to avoid writing the feature in their own app. Look into content providers as you are asking another content provider to scan barcode an provide you the data.
http://developer.android.com/guide/topics/providers/content-providers.html
Related
Delete other app's cache folders, I was looking at other questions and it seems u can't use IPackageStatsObserver anymore, so any way to do it now?
Short answer: (In most cases) No, It is not possible
Longer explanation:
If you take a look at the security mechanisms of the android 12, you will notice that every one of the apps runs in it's own separate sandbox
Android assigns a unique ID to every app and runs it in separate processes.
In terms of Linux, each running app is a unique user with access to personal space on the disk. Without necessary permission, it cannot access/interact with another user (app).
This controls the access of each app and prevents any malicious app from interacting with other apps or the OS.
That sandbox wraps all of the application data and prevents other apps from reading/changing it:
The kernel enforces security between apps and the system at the process level through standard Linux facilities such as user and group IDs that are assigned to apps. By default, apps can't interact with each other and have limited access to the OS. If app A tries to do something malicious, such as read application B's data or dial the phone without permission, it's prevented from doing so because it doesn't have the appropriate default user privileges. The sandbox is simple, auditable, and based on decades-old UNIX-style user separation of processes and file permissions.
However, there are some ways to alter other application's data:
if you are a developer of both of the apps you can make sure the sharedUserId is the same (making the ID the same, and both of the apps would run in the same sandbox)
using a rooted device
edit: you might an even more technical explanation here :)
Cheers!
I am new to android development. I came to know that Intent and Intent filters can be used to share data among applications but I wonder if it is possible to design an android application which can extract some specific information from other applications while running in the background. For example, if the user is using whatsapp it may get know the call drop rate or if a video is being played at user terminal in YouTube, Facebook or Netflix, it will get buffer playtime, video bitrate etc. I will be very grateful if answer to this question is provided with an example.
No, mostly no.
However, as wrote Tim Castelijns, if the 'target' app allows it, like via a content provider, its possible.
On a rooted device, after long hours of reverse engineering the targeted apps, it MAY also be possible to get some info. Only from rooted devices too.
Other case is you write several app and design that they can communicate together, like via intents, content providers.
There is also possible to get the list of running apps (user must permit it)
In Android, each application is running on its own "sandbox" that is supposed to be isolated from the rest of the applications running on the device.
In order for an application to communicate with other applications, the Android framework supplies several mechanisms to send/receive data to/from other applications: Intents, IPC (AIDL), Content Providers etc...
Each application that wants to expose its data to other applications on the device needs to implement an interface using one or more of the mechanisms described above.
That means that if an application doesn't implement an interface to expose its data or inner workings, it won't be possible for another application to access this information.
Keep in mind that some applications choose to save some of their data on publicly available disk spaces (i.e. a camera that takes pictures might save them on the SDcard that is accessible by all applications). In that case, if you know what to look for, you can tell certain things about certain applications.
In addition, the Android operation system exposes the states of several global settings such as: Device's connectivity state, Battery state, currently opened Bluetooth interfaces, running applications, last executed apps etc...
This configurations might give you an overall idea of what is happening on the device.
As indicated in other answers, you're mostly limited to what apps will explicitly make available to you; in fact, well-engineered apps will generally try to prevent "information leakage" beyond what they actually want to make available.
Some other people mentioned Content Providers but the one other construct to look into is Broadcasts. If an app broadcasts an intent locally (i.e. is using the Local Broadcast Manager) you won't be able to see it but if they're using a "system-wide" broadcast or receiving another "system-wide" broadcast you can receive the same event.
I have a requirement to develop an application which will monitor the usage of the phone cameras and record information about when/where a photo was taken. I am aware that this information is typically recorded in the image metadata but I have a need to add additional information to this and record it separately from the image.
In essence, I would like to know:
Any time the camera is opened, closed, activated (brought to front), deactivated (user switches to another app)
Any time the camera saes a file; either a photo or a video
Know the above regardless of whether the camera was launched directly or via another app
Know the above regardless of whether the caller used an intent or the camera APIs.
Are there good APIs to use for this? Is it possible to replace low-level interfaces to act as a man-in-the-middle? Is it possible from Java or would this necessarily be in C/C++?
At the moment my only solution would be to monitor the logs in a continuous service to identify everything I could from the above and implement a FileObserver to check for file creation/modification times.
Are there good APIs to use for this?
There are no APIs for this, for obvious privacy and security reasons.
Is it possible to replace low-level interfaces to act as a man-in-the-middle?
On a rooted device, perhaps. In a custom ROM, definitely. In an ordinary Android device, no, for obvious privacy and security reasons.
would be to monitor the logs in a continuous service to identify everything I could from the above
You have no access to logs, other than those generated by your own process, on Android 4.1+, except on rooted devices or from a custom ROM.
and implement a FileObserver to check for file creation/modification times
There is no requirement for a camera app to store a file in a place for which you have filesystem access.
My company has some android apps on Google Play that are occasionally targeted by malicious automated tools that scan and launch all activities in the apps. (I was able to detect these scans because they generate a lot of crash reports.) What I find most worrisome about these scans is that they are able to make explicit intent calls to non-exported activities. That is, they are calling activities have the exported attribute set to false and don't have <intent-filter>s.
Are there any additional steps I can take to prevent non-exported activities from being invoked outside my app? Are there any other security measures that I should take?
One other interesting tidbit about these scans. They all seem to be run from an emulator. Perhaps they have some mechanism to make the intents look like they are coming from inside my app. If this is the case, is there some way I can protect against that?
As far as I know, there is no way to control over the activities occurring in an app in android phones unless the application that you want to log/monitor is written by you.
I wonder is it really like that or is there any possible way to do this? For example, is it possible to control over emails which, let's say, who I sent an email to in an android phone?
It is not possible to "just log it". Some events are possible to catch in broadcast receivers in a logging application. The user will get notified by particular event sniffing when installing such an application, by approving the permissions request.
It's generally possible to add instrumentation for security purposes to apps where they interface to the sdk api's, either by modifying the platform (rooted phone) or by decompiling, modifying, and recompiling the app using apktool.
possible of course does not mean trivially easy.