How do we make handheld devices secure to log in to a domain (mobile device management)? For example: if you have a laptop, or if you are working from home using a desktop, you connect over a VPN to your company's domain. Only once you connect can you access your work email, SharePoint sites, timesheets, etc. So instead of laptops and desktops, how do we create/develop an app on mobile devices which can ensure 100% security to the environment which we are connecting to? I don't have any idea regarding this. Anybody who knows, please help me.
The problem is essentially establishing a VPN tunnel. The issue with that is that Android does not support the Cisco protocol/extensions out-of-the-box. Cisco have released versions of AnyConnect for phone brands (different kernels, with/without tun.ko, etc.) but that means your users would have to manually connect to the VPN first. You really do not want to implement your own VPN. In fact, you don't want to implement any cryptography whatsoever, since you are guaranteed to get it wrong.
Unfortunately, there's little automation that could be done without root access or support from Cisco (e.g., hooks to start connecting via an external intent). Given root access, you could just run the command-line openvpn tool with a pre-configured config and establish a VPN tunnel to your facilities. This is not an entirely brilliant idea but at least you're not dealing with crypto directly (just kernel versions, tun/tap.ko modules, etc.). The upside of OpenVPN is the granularity of control. The downside of OpenVPN is the granularity of control, i.e. setting up CAs, Server/Client certificate pairs, etc (which you'll need if you're at all serious about doing this on a large scale).
Of course, the easiest solution, if starting completely from scratch, would be to use Android's built-in VPN support. However, that's limited to a subset of L2TP/IPSec, which are not trivial to set up or that widely deployed.
Once the tunnel is established, the rest is just access to the local network.
This is going to sound strange, and please don't judge the impracticality of doing something like this, but I need to add support for controlling outbound network traffic from an Android device. It doesn't have to be selective. I basically need to put the device in a mode where outbound communication is silenced over Wi-Fi (primarily). The reason for this is I have a networked application that's remotely controlled and I need to be able to put it to "communication sleep" on demand and then "wake it up" after a period of time, or on demand. The on-demand aspect is controlled remotely. Hence the need to put the device in a state where it'll only accept inbound communication.
I'm primarily interested in TCP/UDP blocking of outbound traffic. I'm not interested in a separate firewall app. My application includes a service that's already implementing all the communication code required. I just need some suggestions on how to control outbound communication.
FYI, I have a mix of 2.3 and 4.0 devices to work with.
Could I have my service implement some basic firewall support? Maybe a simple proxy that the device is configured to use? (similar to the Ad Block app)
Thanks in advance for any suggestions. If it's at all possible, I'll try to share the code for it here.
UPDATE: Sorry, I have and require root on these devices anyways.
On the proxy idea, really I just need a black hole listening on a port. If I can set the system proxy settings from my app, then when the outbound communication needs to be disabled, I can enable the proxy and drop all connections.
If I can't set the system proxy settings, I'll have to implement a working proxy, require the user to configure the proxy, and control its behavior accordingly when connections are received.
I might as well answer my own question. With root you can include iptables and make some command line calls to control the traffic flow. Note that you should have some experience with stateful firewall concepts, as mucking with outbound DENYs will lead you to confusion unless you know exactly what the system/app is supposed to do. (random response ports, etc...)
A proxy service would work for Android devices and versions which allow for network proxy support. Unfortunately not all my devices allow for it (my Gingerbread devices don't have proxy support; it's just not present in the UI, and the API is read-only for the HTTP_PROXY system setting).
So there's no example code to offer. I'm playing with iptables on my devices. I'll likely include it in my application, which requires root anyways.
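The iptables approach described in this answer, written out as an added example (this is not the poster's code). It assumes a rooted device that bundles its own iptables/busybox binary and a kernel with connection tracking whose conntrack match supports --ctdir; the chain name APP_SILENCE and the IPT variable are this example's own. The stateful part is the REPLY-direction rule: it lets answers to connections that a remote controller opened towards the device leave, while anything the device itself originates is dropped.

```shell
#!/bin/sh
# Added example, not code from the thread: a stateful "outbound silence" toggle
# built on iptables for a rooted Android device shipping its own iptables binary.
# Assumptions: the kernel has connection tracking and the conntrack match
# supports --ctdir. On older builds replace "-m conntrack --ctstate" with
# "-m state --state" and drop --ctdir (then connections that were already open
# outbound keep flowing until they close).
# Set IPT="echo iptables" to dry-run: the commands are printed, not executed.

IPT="${IPT:-iptables}"
CHAIN="APP_SILENCE"   # private chain, so the system's OUTPUT chain is never flushed

# Rules for the silenced state, one iptables argument list per line:
#  - loopback stays open (local proxies, socket-based IPC)
#  - packets in the REPLY direction of a tracked connection pass, i.e. answers
#    to connections a remote peer opened towards the device; RELATED covers
#    ICMP errors and helper-negotiated data channels (the "random response
#    ports" the answer mentions)
#  - everything else the device originates is dropped (TCP, UDP and ICMP alike)
#  - the jump is deleted before it is inserted, so repeated calls do not stack it
silence_rules() {
    cat <<EOF
-N $CHAIN
-F $CHAIN
-A $CHAIN -o lo -j ACCEPT
-A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED --ctdir REPLY -j ACCEPT
-A $CHAIN -j DROP
-D OUTPUT -j $CHAIN
-I OUTPUT 1 -j $CHAIN
EOF
}

# Rules that restore normal traffic: unhook the chain, empty it, delete it.
unsilence_rules() {
    cat <<EOF
-D OUTPUT -j $CHAIN
-F $CHAIN
-X $CHAIN
EOF
}

# Run each rule line on stdin through $IPT. "-N" (chain already exists) and
# "-D" (jump not present) are allowed to fail; any other failure is reported.
apply_rules() {
    status=0
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        case "$rule" in
            -N*|-D*) $IPT $rule 2>/dev/null ;;
            *)       $IPT $rule || status=1 ;;
        esac
    done
    return $status
}

silence_on()  { silence_rules   | apply_rules; }
silence_off() { unsilence_rules | apply_rules; }

# Usage: sh silence.sh on|off   (or IPT="echo iptables" sh silence.sh on to dry-run)
case "${1:-}" in
    on)  silence_on ;;
    off) silence_off ;;
esac
```

The service would invoke `silence_on` and `silence_off` through its root shell when the remote controller asks for sleep and wake; because the rules live in a private chain, the rest of the device's firewall configuration is left untouched.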
I wanted to implement an application-specific VPN client in Android, that is, the VPN connection, once established, should only be available to our application, and the rest of the apps on the Android device should make use of the normal internet connection.
To elaborate my need more, I have an application already which connects to corporate email, files and other data from the internet normally, but for some security reason we need it to go through a tunnel within our application and access everything via the tunnel. Basically, what we are looking for here is security while accessing the company's corporate network.
Since we are new to something like this, we don't have a hint on how to start, what protocols to use, etc. (we are assuming IPsec/L2TP for now); any information, hint or redirect to a useful resource will be really helpful.
Also, we are just looking to send and receive data over the tunnel; there is nothing more, no need to control a computer on the network. All we need is to route data through the corporate firewall, and it should support multiple VPN servers such as Cisco, Microsoft, etc. Can anyone say how complex or how feasible it is to implement this?
Manjunath
As your question comprises several parts, I will put my input on each of them one by one.
"I wanted to implement the application specific VPN client in android, that is vpn connection once established should be only available to our application and rest of the apps in android device should make use of normal internet connection."
This is the case of split tunneling, and I don't think that there is any personal VPN provider that offers such a feature in an Android app / phone. However, it does not mean that there is no solution for your query. The CISO client Juniper SA2500 SSL VPN Appliance's split tunnel feature allows Android users to work through a split tunnel, which enables them to route traffic through different channels.
You just need to go to Roles > Network Connect Role, then Split Tunneling Options, and disable split tunnel.
Or "push" the proxy settings so the web traffic is diverted to the proxy via the tunnel, as the end user will no longer be able to go to the Internet directly:
Users --> Resources Policies --> Network Connect --> NC Connection Profiles then filter for the role bound to your NC enabled realm. Make sure that under the "Proxy Server Settings" section
Elsewhere, there is another client named QuickSec VPN 2.0 which also offers users split tunneling.
And for all such things, an SSL VPN connection is the most reliable one, as it features strong encryption and security.
The split tunneling concept for personal VPN has been introduced by well-established VPN providers like PureVPN and Ivacy, which have described the concept of split tunneling through their client software.
Go for an SSL connection; it is as good as tunneling if you just want to exchange packets. Integrating a VPN solution within your application will become another project, which is not recommended and takes time.
The current version of Android supports multiple APNs but does not support multiple active PDP contexts. Why did Android choose not to go down this route? And is it planned in future releases of the Android platform?
The background to my question is that my application needs to communicate over a special APN. But when I do this I lose connectivity for all other running connected applications on my device.
Does anyone have a cleaner approach to solving this issue?
My suggestion as to why Android does not support multiple active PDP contexts is that Android is based on *nix, and networking is based on classic sockets. If one takes a look at the sockets API, there are no PDP contexts.
Solving the issue.
At first one may ask oneself: why does one need to send data through a special APN? A special APN is usually used to connect to "private garden" networks, usually a corporate LAN. In other words, an APN is a kind of VPN, but in terms of GSM technology. Why would one like to use a VPN? In many cases, to protect data while transferring it.
The APN or VPN is not the only solution for such purposes. You can use SSL: it will ensure that data is encrypted and the remote host is not faked. And when using HTTP over SSL, the ability to deliver data is much higher, because access to the Internet from many networks is provided by a proxy server.
Using multiple PDP contexts cannot be compared simply to a VPN. A PDP context can also be used to request better QoS from the network, in the case of a voice application for example.
As far as I know, this is still not supported by Android nor by iOS, except when it comes to VoLTE and MMS, where both those services run natively on distinct APNs.
I try to create an ad-hoc network between many Android devices, but I can't find documentation to do that.
I thought Wi-Fi Direct could work for what I want, but is it possible to have multiple connections on one device? I saw that we could have a device acting like an access point and communicate with many devices, but can we communicate from one client device to two access point devices?
I have for example 3 devices: A -> B -> C
The "A" device needs to communicate with the "C" device but it's too far away, so I want to have an ad-hoc Wi-Fi Direct connection between A&B and an ad-hoc Wi-Fi Direct connection between B&C, so A can communicate with C. It should also work with more than 3 devices.
Thanks !
Here is the link to the Wi-Fi Direct Demo: http://developer.android.com/resources/samples/WiFiDirectDemo/index.html
I have been working on establishing ad hoc communication over Android phones for a month. I am trying to create an app that could work without having 3G or an access point. The main idea is to let the clients be able to transfer voice or data in close range.
There are some guys who implemented a basic system regarding almost the same topic. It basically works with a Wi-Fi access point. So you need an access point in order to establish the connection. Although this is not what I am looking for, it might be helpful for others. You might need to contact them for more details.
https://sites.google.com/site/androidwalkietalkie/home
Android does not have support for ad-hoc WiFi at this time -- sorry!
Update (2019): Android has supported WiFi Direct for a while, and this answer has not been updated.
Your scenario would work. A would be able to connect with C as long as B (the group owner) is within range of both A and C.
See Android's developer documentation for more info:
https://developer.android.com/guide/topics/connectivity/wifip2p
At this time only the Galaxy S 2 supports Wi-Fi Direct.
Wi-Fi Direct supports concurrent hosting and client capabilities on a single interface, which means the device will act as an AP, allowing other devices to connect to it as clients, and also connect to another AP as a client, and can share an internet connection by driving the internet traffic between the interfaces.
However, current implementations of Wi-Fi Direct on Android are specific to the phone and not part of the Android SDK. So there is not much clarity on whether they support concurrency. This capability is not limited by hardware.
Ad hoc Wi-Fi is disabled in Android. You need to ask Google why they have chosen to do so. If you have access to a device that allows you to install custom Android images, you will be able to patch Android to support it. Or you can root your device and re-enable ad hoc Wi-Fi; there are plenty of solutions on the web on how to enable ad hoc on rooted Android devices. This is a software issue; the hardware on every Android device that I know of has support for ad hoc Wi-Fi.
The Serval Project, based in part on WiFi Tether, is the only place I've found this functionality. It's still alpha phase, but seems to be the forerunner in the field. The wiki is much more useful than the main project page linked above, with installation instructions and a bit of documentation.
Serval may or may not be right for your needs, but I felt it should be pointed out that ad-hoc networking is not impossible on Android. It might be better to wait until Google gets around to implementing it as standard API, though (if you believe they ever will :) ).
Well, you might be interested in looking at AllJoyn. It is Qualcomm's SDK for the Android OS which includes Wi-Fi peer-to-peer implementations by creating ad hoc connections. This is the same as Wi-Fi Direct.
Just a quick question as Google isn't throwing up much.
Is it possible to create a VPN connection using native code in Android?
And if so does the VPN offer support for keep alives?
I believe it would be more of a permissions issue than an exposed-or-not-exposed issue. Most VPN connections would need you to modify and access the network filtering calls of your kernel. Since your app should really be operating in its own sandbox, this is something I would doubt is exposed by default (to apps at least), since you would essentially be modifying the way the entire OS routes network traffic. For the same reason, in order to modify iptables in the OS, it needs to be rooted so that your app can actually alter such things. At that point I would assume the connection would be made similar to any other VPN connection in any other Linux OS (via an IPsec daemon or some proxy daemon that you create), but the calling entity would need the actual access level necessary to complete the call to the kernel.
Rooting of the device is needed for creating a VPN connection. We need access to /data/misc/keystore and /data/misc/vpn/profiles in our program.