VPN Client implementation specific to application - android

I wanted to implement an application-specific VPN client in Android, that is, the VPN connection, once established, should be available only to our application, and the rest of the apps on the Android device should use the normal internet connection.
To elaborate my need more: I already have an application which connects to corporate email, files and other data from the internet normally, but for some security reasons we need it to go through a tunnel within our application and access everything via the tunnel. Basically, what we are looking for here is security while accessing the company's corporate network.
Since we are new to something like this, we don't have a hint on how to start, what protocols to use, etc. (we are assuming IPsec/L2TP for now); any information, hint or redirect to a useful resource will be really helpful.
And by the way, we are just looking to send and receive data over the tunnel; there is nothing more, no need to control a computer on the network. All we need is to route data through the corporate firewall, and it should support multiple VPN servers such as Cisco, Microsoft, etc. Can anyone say how complex or how feasible it is to implement?
Manjunath

As your question comprises several parts, I will put in my input on each of them one by one.
"I wanted to implement the application specific VPN client in Android, that is, the VPN connection once established should be only available to our application and the rest of the apps on the Android device should make use of the normal internet connection."
This is the case of split tunneling, and I don't think that there is any personal VPN provider that offers such a feature in an Android app / phone. However, it does not mean that there is no solution for your query. The CISO client Juniper SA2500 SSL VPN Appliance split tunnel has this feature, which allows Android users to work through a split tunnel, enabling them to route the traffic through different channels.
You just need to go to Roles > Network Connect Role, then Split Tunneling Options, and disable split tunnel.
Or "push" the proxy settings so the web traffic is diverted to the proxy via the tunnel, as the end user will no longer be able to go to the Internet directly:
Users --> Resources Policies --> Network Connect --> NC Connection Profiles, then filter for the role bound to your NC-enabled realm. Make sure that under the "Proxy Server Settings" section
Elsewhere, there is another client named QuickSec VPN 2.0 which also enables users with split tunneling.
And for all such things, an SSL VPN connection is the most reliable one, as it features strong encryption and security.
The split tunneling concept for personal VPN has been introduced by well-established VPN providers like PureVPN and Ivacy, which have described the concept of split tunneling through their client software.

Go for an SSL connection; it is as good as tunneling if you just want to exchange packets. Integrating a VPN solution within your application will become another project, which is not recommended and takes time.

Related

Check programmatically if open WLAN network is really open

There are two kinds of open (unencrypted) WLAN networks: one that is really open and provides IP and network access after connecting to it, and one where additional authentication is necessary after connecting to it (typically via a web page where some special credentials have to be entered that belong to the provider of this service).
Is it possible to find out what kind of "open" network is available before connecting to it? Possibly somehow via the ScanResult objects that are returned as the result of WifiManager.startScan()?
Thanks!
Is it possible to find out what kind of "open" network is available before connecting to it?
In short, no. The Android WifiManager (and, indeed, any computer's networking drivers / stack) is only concerned with low-level communications: looking at the OSI model, primarily the Physical layer, Data Link layer and Network layer.
WLAN hardware, drivers etc. obviously have extra concerns which include scanning for available APs and verifying whether they offer 'open' access or require authentication, although in the latter case it is only concerned with WEP/WPA-style authentication and doesn't consider any higher level of control / security at the Transport layer, Session layer etc.
The sort of authentication via web pages which you describe is often a requirement in pubs, cafes, hotels etc. where the WLAN is effectively 'ring-fenced' and all HTTP traffic has to go through what is effectively an HTTP proxy server (which possibly also imposes content screening / blocking). In the case of this sort of WLAN service, usually only web traffic is allowed; for instance, attempting to connect to the outside world with any protocol other than HTTP/HTTPS will be prevented.
Consequently, any WLAN (or even LAN) client hardware, drivers or stack has no way of discovering what is/isn't allowed or required when attempting to connect to remote / external sites and services.

How to do an HTTP eavesdropper or proxy app on Android

The use case is that:
All the applications on the Android phone would connect to the internet through Wi-Fi.
And I want to have an application that eavesdrops on the HTTP traffic from all apps so that I can find out what sites they visit.
This application would be distributed as an APK and users would install this app on their phone.
How do I achieve this?
I will tell you what I tried:
Used a custom VPN service application where an activity triggers a service derived from VpnService.
The custom VpnService calls Builder and sets the MTU, addRoute, addAddress, and then addDnsServer.
Then the service reads from the file descriptor associated with the interface generated from Builder's establish() call.
Now if addRoute is called with ("0.0.0.0", 0), I am able to intercept the traffic and see packet contents. But I am not able to route the packets without creating a UDP tunnel to an external server, which I don't want to do.
If addRoute is called with the Wi-Fi router IP, then routing automatically happens for all generated packets. But I am not able to intercept the packets on the file descriptor associated with the virtual interface. It simply doesn't receive any data on the read() call.
What I want to do is:
intercept the traffic to inspect the HTTP headers
at the same time, do routing as usual like a normal Wi-Fi connection does.
Have everything self-contained in the phone. There should be no external server.
This application should not require any rooting or such. It should install the way a normal app does.
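As an added illustration of the packet-inspection step described in this post (reading raw IP packets from the tun file descriptor returned by establish()), here is a Go parser for the on-device part; it is example code written for this page, not code from the question or from Android, and the packet it parses is constructed inline (documentation address ranges, zero checksums). It shows what such an inspector can and cannot learn: a plaintext HTTP request yields its request line and Host header, while anything else, TLS in particular, yields only addresses and ports. Every length field is checked before indexing, since a VPN service that panics on a malformed packet takes the device's connectivity down with it.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

// FlowInfo is what an on-device inspector could log for one IPv4/TCP packet read
// from the VpnService tun file descriptor: the 5-tuple plus, for plaintext HTTP
// only, the request line and Host header. (Assumed structure for this example.)
type FlowInfo struct {
	SrcIP, DstIP              net.IP
	SrcPort, DstPort          uint16
	HTTPRequestLine, HTTPHost string
}

// ParseIPv4TCP parses one raw IPv4 packet as delivered by the tun interface.
// Every length is validated before indexing, so a truncated or malformed packet
// yields an error instead of a panic inside the VPN service.
func ParseIPv4TCP(pkt []byte) (*FlowInfo, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return nil, errors.New("not a complete IPv4 header")
	}
	ihl := int(pkt[0]&0x0f) * 4 // IHL is in 32-bit words
	totalLen := int(binary.BigEndian.Uint16(pkt[2:4]))
	if ihl < 20 || totalLen < ihl || totalLen > len(pkt) {
		return nil, errors.New("IPv4 length fields inconsistent with buffer")
	}
	if pkt[9] != 6 { // protocol 6 = TCP; UDP, ICMP and QUIC are not handled here
		return nil, errors.New("not TCP")
	}
	tcp := pkt[ihl:totalLen]
	if len(tcp) < 20 {
		return nil, errors.New("TCP segment shorter than minimum header")
	}
	dataOff := int(tcp[12]>>4) * 4 // data offset is in 32-bit words
	if dataOff < 20 || dataOff > len(tcp) {
		return nil, errors.New("invalid TCP data offset")
	}
	info := &FlowInfo{
		SrcIP:   net.IP(pkt[12:16]),
		DstIP:   net.IP(pkt[16:20]),
		SrcPort: binary.BigEndian.Uint16(tcp[0:2]),
		DstPort: binary.BigEndian.Uint16(tcp[2:4]),
	}
	info.HTTPRequestLine, info.HTTPHost = httpRequestInfo(tcp[dataOff:])
	return info, nil
}

// httpRequestInfo returns the request line and Host header when the payload
// starts a plaintext HTTP request, and empty strings otherwise. TLS traffic
// always takes the second path: the inspector learns the destination address
// but neither the URL nor the Host, which is exactly what HTTPS is for.
func httpRequestInfo(payload []byte) (line, host string) {
	var isHTTP bool
	for _, m := range []string{"GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS "} {
		isHTTP = isHTTP || bytes.HasPrefix(payload, []byte(m))
	}
	if !isHTTP {
		return "", ""
	}
	if end := bytes.Index(payload, []byte("\r\n\r\n")); end >= 0 {
		payload = payload[:end] // headers only; never log request bodies
	}
	for i, l := range strings.Split(string(payload), "\r\n") {
		if i == 0 {
			line = l
		} else if k, v, ok := strings.Cut(l, ":"); ok && strings.EqualFold(k, "Host") {
			host = strings.TrimSpace(v)
		}
	}
	return line, host
}

// SamplePacket is a constructed IPv4/TCP packet carrying a plaintext HTTP GET,
// standing in for bytes read() from the tun fd. Checksums stay zero because the
// parser does not verify them.
func SamplePacket() []byte {
	payload := []byte("GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: demo\r\n\r\n")
	// version/IHL 0x45, total length filled in below, TTL 64, protocol 6 (TCP),
	// src 10.0.0.2, dst 198.51.100.10 (TEST-NET-2 documentation range)
	ip := []byte{0x45, 0, 0, 0, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 2, 198, 51, 100, 10}
	binary.BigEndian.PutUint16(ip[2:4], uint16(20+20+len(payload)))
	// src port 49152, dst port 80, seq/ack zero, data offset 5 words, flags PSH|ACK
	tcp := []byte{0xC0, 0x00, 0x00, 0x50, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x18, 0, 0, 0, 0, 0, 0}
	return append(append(ip, tcp...), payload...)
}

func main() {
	if info, err := ParseIPv4TCP(SamplePacket()); err == nil {
		fmt.Printf("%s:%d -> %s:%d %q host=%q\n", info.SrcIP, info.SrcPort,
			info.DstIP, info.DstPort, info.HTTPRequestLine, info.HTTPHost)
	}
}
```

In a real VpnService loop the bytes handed to ParseIPv4TCP come from a read() on the ParcelFileDescriptor that establish() returns; the parser itself has no Android dependency, which is what makes it testable off the device.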
I would suggest 1) setting a proxy and 2) running an app which acts as one. The combination of these two won't require root privileges.
SETTING THE PROXY
This first point is probably the most tricky one. The only way of setting a software-level proxy (without requiring root) is by navigating to the Wi-Fi connection settings and manually setting the proxy. However, there is an open-source application that can eventually bypass this particular step: ProxySettings.
INTERCEPTING THE TRAFFIC
In my opinion, your best bet is using SandroProxy, an open-source proxy application for Android. It is extremely well written, currently maintained and supported, and will allow you to intercept the HTTP traffic and even modify it. The code can be found here, while the example application can be found here.
This solution should fulfil all of your requirements:
Intercept the traffic (even edit it): thanks to the proxy setting, all the network traffic goes through the proxy address, which corresponds to your application
Edit is optional: everything will keep working as if no proxy were set
Everything is local: no need for external servers, your proxy is the installed application
No root is required

How to remotely access a LAN network (embedded) device without port forwarding? [duplicate]

I've looked around SO and haven't found exactly the answer I'm looking for, so please forgive me if this is a duplicate. If so, please direct me to the answer. Thanks.
I've got an embedded sensor/actuator system with wifi connectivity to my LAN.
What are possible software/protocol solutions so I can communicate with and control it remotely, from outside my network, with an iPhone/Android (i.e. via 3G/4G) and/or a remote PC?
I don't want to have to configure my router for port forwarding.
Here are a few other considerations:
embedded processing platform is pretty limited (i.e. it's not an ARM)
security is important (i.e. don't want others to be able to gain access easily)
scalability - if this project goes commercial, scalability of this model to many, many users is important
user simplicity (i.e. no messy configuration requirements for the end user)
I've heard a little about MQTT, which looks like it might be a solution, but I'm not sure about security. Any thoughts on that?
Any other options that are free?
Thanks a lot, Brian
To use MQTT you will need a broker that is accessible from both inside the network and outside.
So assuming you host your own broker, you will need to set up port forwarding to allow access to it from the mobile device. The other option would be to host the broker on a cloud service.
Security can be handled by doing MQTT over SSL and using client-side certificate authentication so only your client application can connect to the broker.
If you have the system working inside the LAN, you could use a package such as WAMP running on a networked PC to act as a server and set up an external-facing network interface which can handle security. Then use the WAMP server to forward to the embedded device when required, through PHP etc. That would save working out how to directly communicate securely with an embedded device.
I can't suggest anything more useful on the amount of information given.
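The MQTT-over-SSL-with-client-certificates suggestion above, worked through at the TLS layer in Go as an added example (this is not code from the answer or from any MQTT broker): a constructed private CA issues the broker a server certificate and the app a client certificate, the broker's config sets ClientAuth to RequireAndVerifyClientCert, and a loopback handshake shows that a client without a CA-issued certificate is refused before a single MQTT byte is exchanged. The names demo-broker-ca, broker and sensor-app are placeholders chosen for this example; a real broker would load the same material from files or a secure element rather than generating it at start-up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must aborts the demo on key or certificate generation failure, which only
// happens if the platform's random source is unavailable.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert issues a P-256 certificate, self-signed when isCA is set. The extended
// key usage pins each leaf to one role, so a leaked client certificate cannot be
// reused to impersonate the broker.
func makeCert(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // the demo broker listens on loopback
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA { // a root: it signs itself and may sign the two leaves
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// BuildConfigs constructs the trust material (constructed for this example) and
// returns the broker's TLS config plus two client configs: the provisioned app,
// which holds a CA-issued client certificate, and a stranger that knows the broker
// address and trusts the CA but was never issued a certificate of its own.
func BuildConfigs() (broker, app, stranger *tls.Config) {
	ca, caKey := makeCert("demo-broker-ca", true, nil, nil, nil)
	srv, srvKey := makeCert("broker", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	cli, cliKey := makeCert("sensor-app", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	broker = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mutual-TLS switch: no CA-issued cert, no session
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	stranger = &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	app = stranger.Clone()
	app.Certificates = []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}
	return broker, app, stranger
}

// Handshake performs a loopback TLS handshake between broker and client configs
// and reports whether the broker accepted the client. Under TLS 1.3 the client can
// finish before the server has verified its certificate, so the server's verdict,
// not the dial error alone, decides the outcome.
func Handshake(broker, client *tls.Config) bool {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", broker)
	must(err)
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake() // the client certificate is checked here
			c.Close()
		}
		verdict <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return false // TLS 1.2 path: the broker's alert already aborted the dial
	}
	defer conn.Close()
	return <-verdict == nil
}

func main() {
	broker, app, stranger := BuildConfigs()
	fmt.Println("provisioned app:", Handshake(broker, app), "unprovisioned client:", Handshake(broker, stranger))
}
```

The same three settings (server certificate, ClientAuth requiring verification, and a ClientCAs pool holding only your private CA) are what an MQTT broker's TLS listener needs; the MQTT username/password that usually sits on top then becomes a second factor rather than the only gate, and rotating or revoking a device means re-issuing or dropping its certificate, not changing a shared secret.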

How to connect private network through android device programmatically

How do we make handheld devices secure to log in to a domain (mobile device management)? For example: if you have a laptop, or if you are working from home using a desktop, you do a VPN and connect to your company's domain. Once you connect, only then can you access your work email, SharePoint sites, timesheets, etc. So instead of laptops and desktops, how do we create/develop an app on mobile devices which can ensure 100% security to the environment which we are connecting to? I don't have any idea regarding this. Anybody who knows, please help me.
The problem is essentially establishing a VPN tunnel. The issue with that is that Android does not support the Cisco protocol/extensions out-of-the-box. Cisco have released versions of AnyConnect for phone brands (different kernels, with/without tun.ko, etc.) but that means your users would have to manually connect to the VPN first. You really do not want to implement your own VPN. In fact, you don't want to implement any cryptography whatsoever, since you are guaranteed to get it wrong.
Unfortunately, there's little automation that could be done without root access or support from Cisco (e.g., hooks to start connecting via an external intent). Given root access, you could just run the command-line openvpn tool with a pre-configured config and establish a VPN tunnel to your facilities. This is not an entirely brilliant idea but at least you're not dealing with crypto directly (just kernel versions, tun/tap.ko modules, etc.). The upside of OpenVPN is the granularity of control. The downside of OpenVPN is the granularity of control, i.e. setting up CAs, Server/Client certificate pairs, etc (which you'll need if you're at all serious about doing this on a large scale).
Of course, the easiest solution, if starting completely from scratch, would be to use Android's built-in VPN support. However, that's limited to a subset of L2TP/IPSec, which is not trivial to set up nor that widely deployed.
Once the tunnel is established, the rest is just access to the local network.

Need to connect over a specific APN, but don't want to lose connectivity for other applications

The current version of Android supports multiple APNs but does not support multiple active PDP contexts. Why did Android choose not to go down this route? And is it planned in future releases of the Android platform?
The background to my question is that my application needs to communicate over a special APN. But when I do this, I lose connectivity for all other running connected applications on my device.
Does anyone have a cleaner approach to solving this issue?
My suggestion as to why Android does not support multiple active PDP contexts is that Android is based on *nix, and networking is based on classic sockets. If you take a look at the sockets API, there are no PDP contexts.
Solving the issue.
At first, one may ask oneself: why does one need to send data through a special APN? A special APN is usually used to connect to "Private Garden" networks, usually a corporate LAN. In other words, an APN is a kind of VPN, but in terms of GSM technology. Why would one like to use a VPN? In many cases, to protect data while transferring it.
The APN or VPN is not the only solution for such purposes. You can use SSL: it will ensure that data is encrypted and the remote host is not faked. And when using HTTP over SSL, the ability to deliver data is much higher, because access to the Internet from many networks is provided by a proxy server.
Using multiple PDP contexts cannot be compared simply to a VPN. A PDP context can also be used to request better QoS from the network, in the case of a voice application for example.
As far as I know, this is still not supported by Android nor by iOS, except when it comes to VoLTE and MMS, where both those services run natively on distinct APNs.
