MDM workflow in Android - android

Can anyone help me out with how to do MDM integration in Android from a client and server perspective?
I want to build an enterprise application which has lock and wipe functionality. I have no clue about the workflow of MDM in Android.
Thanks.

The Android Device Admin API will do both things you want (lock/wipe the device, and even more). An example is given, and you can also find the complete source code in your Android SDK directory.
Now, from the client/server perspective:
You have to implement your task (lock and wipe) in your Android application (the client, also known as the agent). Now your application should be capable of communicating with your server, and vice versa.
I 100% agree with adamk when he said: "Remote controlling your application remains exclusively your responsibility - the Android framework does not provide (or enforce) any solution for that."
And Android gives you this feature too. adamk said to use C2DM, and he was right, but now C2DM is deprecated and GCM has been introduced, "a service that helps developers send data from servers to their Android applications on Android devices." The service can send a message of up to 4 KB to an application on an Android device, most often to tell the application to retrieve a larger set of data. GCM will now handle all queueing and delivery of messages to Android applications.
You should read how to use GCM, and you can find sample code too. Download the GCM Android Library from the SDK Manager and check the android-sdk/extras/google/GCM directory.
After establishing successful communication between your agent and server, evaluate the message sent by the server in the agent and perform the desired action (lock/wipe). Again, it is up to you how you define your message payload and how you handle those payloads in the agent application.
Here is an article about Android MDM.
Happy Coding :)

You can use DeviceAdmin to gain privileges for managing the Lock preferences and performing device wipe (among other stuff).
(The user must add your app as a device administrator beforehand)
Remote controlling your application remains exclusively your responsibility - the Android framework does not provide (or enforce) any solution for that.
You may want to consider using Google's C2DM API, which is a convenient push mechanism.
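Pulling the two answers above together, this is what the agent-side command handler could look like (an added example, not code from either answer or from the Android SDK samples). It assumes the push message carries a JSON payload such as {"cmd":"lock"}, that the receiver is declared in the manifest with BIND_DEVICE_ADMIN, and that device_admin.xml lists the force-lock and wipe-data policies.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.util.Log;
import org.json.JSONException;
import org.json.JSONObject;

/**
 * Added example (not from the answers above): the MDM agent side of lock/wipe.
 * Assumes the manifest declares this receiver with BIND_DEVICE_ADMIN and a
 * device_admin.xml listing <force-lock/> and <wipe-data/>, and that the user has
 * already activated the app as a device administrator. Payload {"cmd":"lock"} is assumed.
 */
public class AgentAdminReceiver extends DeviceAdminReceiver {
    private static final String TAG = "MdmAgent";

    /** Called by the GCM/FCM receiver once a server message has arrived. */
    public static void handleCommand(Context ctx, String payload) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(ctx, AgentAdminReceiver.class);
        // Policy calls throw SecurityException unless this component is an active admin.
        if (!dpm.isAdminActive(admin)) {
            Log.w(TAG, "Admin not active; ignoring command");
            return;
        }
        try {
            String cmd = new JSONObject(payload).getString("cmd");
            switch (cmd) {
                case "lock":
                    dpm.lockNow();          // requires the force-lock policy
                    break;
                case "wipe":
                    dpm.wipeData(0);        // factory reset; requires the wipe-data policy
                    break;
                default:
                    // Only allow-listed commands act; anything else is logged and dropped.
                    Log.w(TAG, "Unknown command: " + cmd);
            }
        } catch (JSONException e) {
            Log.w(TAG, "Malformed payload", e);
        }
    }
}
```

The push receiver (GCM in the answer above, FCM today) simply passes the message body to handleCommand; how the server authenticates itself to the agent is, as the answer says, still your responsibility.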

As mentioned in the above answer, DeviceAdmin API can help. If you are using an Android device, you might know about the Android Device Manager (the web-based version) which allows you to manage your device. Basically, you can track, locate, lock, and wipe your device, some of the basic features of an MDM solution. So, in coding (though I am not a coding expert), you need to get access to the Device Manager (I guess, using some listener codes, or notification access).
Apart from this, MDM allows creating policies and groups of users (which would be a part of the coding in the app itself), then pushing the command over the internet (or OTA) to the connected device.
MDM also allows managing Apps and Data on the device, for which, you need the app to get access to the internal as well as external device storage.
Hope this helps. Good luck creating your MDM software.

Android SafetyNet Attestation - Offline Device

I recently got a security issue for the app I'm working on: the possibility to run on rooted devices. I discovered that it is hard to prevent this situation. My first try was to implement RootBeer. Sadly, there are tools like Magisk Manager which can trick your app into not recognizing the device as rooted.
After some research, I found that SafetyNet has finally been "fixed" so the app can't be used through Magisk anymore. To do so, I need to send to my server a JWS token generated using a nonce (received from the server, as Google recommends).
All good so far - my main problem is that my app can be used offline. A solution for this would be to verify the JWS token locally, but that would open vulnerabilities.
I need your help to understand what I should do in order to prevent the app from being opened on a rooted device, using SafetyNet (or another way), in both online and offline mode.
Thanks!
I would suggest something more hybrid. You could use RootBeer for offline usage and SafetyNet for online.
I have recently started to develop an Android SDK that detects a device's security state. It has some checks (such as root detection, mock location, VPN network, app running in a sandbox, and more to come) that may be crucial for fraud use cases.
So if you need something more detailed in your detections in order to determine whether it's suspicious based on the use case, you could give it a try.
Of course any feedback for improvement is welcome.
https://github.com/AppSafetyTech/safesdk-android

Not getting any idea about the workflow of managing an Android device from another device using a pre-installed Android app on both devices

I have a new project at hand where I need to make two Android applications:
1) Main Controller application (to be installed on one device; say its name is X)
2) Sub Child application (to be installed on devices that need to be controlled by X)
So I want to get an idea/picture of how one Android device like (2) can be managed fully (i.e. blocking applications or making them accessible for some interval, blocking calls, tracking the location of the user) from another device like (1). So far I have searched Google and asked my seniors about the same, but none were able to help me out. I found many scattered pieces of info (like needing an enterprise app to do this, i.e. using the Android Management API or Device Admin) but have not been able to get any clear idea about the workflow.
Thus this is now the last place I can think of to help me out with this workflow.
Reference
Update: Based on what #Fred said, i.e. to use the Android Management API (also based on the answers that he posted here), could we somehow have our own custom web server and manage the interactions that the EMM console does with all the child apps through our own APIs (the same APIs which we would call from the parent app)?
In other words, instead of controlling from the EMM console, I would like to control those child applications from another parent Android application.
By FCM or socket programming you can easily communicate with the other app. Suppose the 2nd app receives a call; then the 2nd app calls an API of the server with the information, then the server knocks the 1st app by FCM or socket, then the 1st app makes a decision and submits the decision to the server by API, and finally the server submits the decision to the 2nd app by FCM or socket.
You can check out Flyve MDM, which is an open source mobile device management solution including both an agent app and a web panel for management.

How to detect users of my app who open it using an emulator on the PC

I have an app that has some unknown devices listed in the analytics portal I use.
I was wondering if Android and iOS have a method that I can call which tells me if the app has been downloaded and opened using an emulator?
I've thought of accessing the device's IMEI, but this is only for mobile phones and doesn't cover tablets. Any help would be greatly appreciated.
You can try filtering out the connecting devices by their model number, name and ID.
For that, you first need your app to parse the data from the phone, and then send this data to your server during authentication.
The server checks the robots list and then authenticates the exceptions (genuine users).
NB: Nowadays emulators are updated; they are capable of spoofing a device name, model and ID. So it's a hectic job to detect spoofers.
Just a mere concept out of thoughts; might possibly work!
There are a couple of methods out there. Android includes a built-in method, but some of them can be maneuvered around.
Android includes some system properties that keep such information. They can be accessed using the getprop utility, and there are ways to get them programmatically.
More specifically, the "ro.build.characteristics" property will contain the word "emulator" when running on an emulator.
Long story short: there are a couple of libraries that are capable of doing this and are considered reliable.
Here is a good example:
https://github.com/framgia/android-emulator-detector
For iOS see this answer
As a side note, if you are concerned about having a safe environment to run your application in, take a look at SafetyNet.
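As an added example (not code from the answers above or from the linked library), here is a score-based check that reads ro.build.characteristics through the getprop utility, as the answer describes, and goes slightly further by combining it with other public android.os.Build fields. Every one of these signals can be spoofed by a modified emulator, so the result is a risk signal to send to the server rather than proof.

```java
import android.os.Build;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;

/** Added example: heuristic emulator detection; all signals are spoofable. */
public final class EmulatorCheck {

    /** Reads a system property via the getprop binary; returns "" if unavailable. */
    static String getProp(String name) {
        try {
            Process p = new ProcessBuilder("getprop", name).redirectErrorStream(true).start();
            try (BufferedReader r =
                         new BufferedReader(new InputStreamReader(p.getInputStream()))) {
                String line = r.readLine();
                return line == null ? "" : line.trim();
            }
        } catch (IOException e) {
            return "";
        }
    }

    /** Names of the signals that matched; empty means nothing emulator-like was seen. */
    public static List<String> emulatorSignals() {
        List<String> hits = new ArrayList<>();
        // The property the answer mentions: contains "emulator" on the stock emulator.
        if (getProp("ro.build.characteristics").contains("emulator")) hits.add("ro.build.characteristics");
        // Set to 1 inside the QEMU-based emulator.
        if (getProp("ro.kernel.qemu").equals("1")) hits.add("ro.kernel.qemu");
        // Stock emulator images use generic fingerprints and goldfish/ranchu hardware names.
        if (Build.FINGERPRINT.startsWith("generic") || Build.FINGERPRINT.contains("emulator")) hits.add("Build.FINGERPRINT");
        if (Build.HARDWARE.equals("goldfish") || Build.HARDWARE.equals("ranchu")) hits.add("Build.HARDWARE");
        if (Build.MODEL.contains("Emulator") || Build.MODEL.contains("Android SDK built for x86")) hits.add("Build.MODEL");
        if (Build.MANUFACTURER.contains("Genymotion")) hits.add("Build.MANUFACTURER");
        if (Build.BRAND.startsWith("generic") && Build.DEVICE.startsWith("generic")) hits.add("Build.BRAND/DEVICE");
        return hits;
    }

    /** Require two independent signals to limit false positives on unusual real devices. */
    public static boolean likelyEmulator() {
        return emulatorSignals().size() >= 2;
    }
}
```

Sending the matched signal names to the server, as the first answer suggests, lets you tune the threshold from analytics instead of hard-coding a verdict in the app.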

Monitoring data flow between Android Framework and App

I need to know how we detect the event of an Android app making a request to the Android Framework for sensor data. Also, if it is possible the Android Framework responding to the said request. I am trying to create a service that will be able to log this information for security or privacy purposes. Is this possible? What is the ideal way to go about it? If it is not possible, do we know why not? Is there an alternative solution?
"I am trying to create a service that will be able to log this information for security or privacy purposes"
I fail to see how spying on application activity regarding sensors will be "for security or privacy purposes".
"Is this possible?"
You are welcome to build your own ROM mod that has a revised version of Android, one that contains security vulnerabilities that would allow an app to monitor the sensor requests and responses between another app and the OS. Or, your ROM mod can do the logging directly, through an altered version of the framework.
Otherwise, no, this is not possible from an ordinary SDK application. I do not have enough experience with root-requiring frameworks like Xposed to know whether this is possible using them, though, again, that would require root.

Android: Verifying the application's integrity on the server side

I'm writing an Android app that communicates via HTTPS with a server application. On the server side, I have to be absolutely sure about the Android app's integrity. This means that the server app needs to be sure that it's communicating with the Android app that I developed and not with a re-written one (e.g. after decompiling the original app or after having rooted the device).
Is there a possibility to ensure that? Maybe there is a possibility with the signature of the apk file?
Any hint is appreciated.
Regards,
Peter
You are trying to address a known problem:
You can never trust an application on an open device (mobile phone, desktop computer). In order to trust it, it should be tamper-proof. An example of such a device is a SmartCard. Mobile devices are certainly not that.
You should never send data to the device that the user is not supposed to see. The implication of this is that all business logic must be done on the server.
All requests to the server should be authenticated with the user's credentials (username/password) and made via a secure protocol (HTTPS/SSL).
No way. Whatever is in the user's hands is not yours anymore. Even if you somehow manage to transfer the APK to the server for validation, nothing prevents the hacked program from sending an original copy to the server.
In order to validate that your software is running, the client devices need to be able to provide remote attestation services, which is one of many piles of acronyms in the TPM world. I found that someone has been working on providing TPM services, including IBM's IMA, which is almost good enough for what you want.
Details here: http://www.vogue-project.de/cms/upload/vogueSoftware/Manual.pdf (Google Quickview).
Of course, this is emulating the TPM, and requires patching the Android kernel. But perhaps one of the various manufacturers would be willing to build a model with the TPM hardware included for you?
