Creation of a hidden process seems to be impossible ... so i came to conclusion that hiding a process from the user is impossible so if the service or process appears to RUN as a sub process to any other applications like PHONE APP , or MESSAGING APP , the running process can be hidden to an extend .
This can be only achieved by code injection , so want a help in achieving this . code injection from the user level.
Sure this is possible - http://www.phrack.org/issues.html?issue=68&id=6#article. And as for #commonswear's answer, that's completely wrong. Many respectable developers do this type of this for good, in fact some rooting techniques work this way. Also, sometimes developers can do this to their own code post-deployment, and some developers may do this and notify the user because it provides extra functionality that they wanted in the first place.
Fortunately, this is impossible, short of a security flaw as #Dave notes.
No respectable developer tries to hide processes from users or inject code into foreign processes, as seems to be your intent.
Related
I'm only on search for the reason why Android does this and what can you do to "stop" it or handle it when coding any app. I haven't found any info about this except some yt videos that teach you how to stop it when using your Android smartphone. I'm looking for documentation or something like that to read and learn why does this happen and how to handle it.
Sorry for my bad english, not native. Thank you.
Why? Because a device is a computer and therefore the limited resources should be optimized. The optimizations favors the app with the user is interacting, making the user experience fluid.
How this happen and how to handle it is the life cycle
And how to make things even if the app is not open it is about the workmanager
From the official documentation
It is important that application developers understand how different application components (in particular Activity, Service, and BroadcastReceiver) impact the lifetime of the application's process. Not using these components correctly can result in the system killing the application's process while it is doing important work.
and how it happens :
To determine which processes should be killed when low on memory, Android places each process into an "importance hierarchy" based on the components running in them and the state of those components
I would like to know the correct way to monitor system events and operating system activity in Android. My research so far indicates there are various methods for running Activities, Services, BroadCastReceivers, etc. but I don't have an overall comprehensive answer for everything I want to accomplish yet. I did come across an app today called "Carrier IQ" and was wondering how they do it. I believe their app is built into the kernel or at least the phone's OS image, something I want to avoid doing if at all possible.
I know that the Android SDK offers various ways to obtain
Since my app cannot be allowed to be suspended, should it run as a foreground service? If I do this, will I consume too many resources if I need to poll for various activity? I ask this because I don't think I can get everything through receiving events (i.e., using a BroadCastReceiver). I think I need a combination of polling and events.
I want to log sensors, events, OS activity, etc. for a user study. This is NOT for hacking or phishing purposes!
These are the top three projects that I think may accomplish something similar to what I want to achieve, but I have not yet determined if they are viable solutions:
android-hci-extractor
cellbots data logger
android-os-monitor
Does the Android manifest permissions list contain all of the permissions your app will need?
http://developer.android.com/reference/android/Manifest.permission.html
Then you can just ask for permissions when the app is installed and you should be able to access them.
According to this tutorial the only way to disconnect the vpn service is to use the 'system-managed dialog'. This can be done manually by dragging down the notification bar and selecting it from there, however this is not a good solution for my problem.
I need to be able to bring this dialog up from within my app when a 'disconnect' button is pressed, however I can't find any documentation on how to do this.
Can anyone help?
Right now the only public and recommended way to disconnect is unfortunately just through the notification. The functions for disconnecting or even bringing up the dialog are otherwise hidden unfortunately.
Of course, that doesn't necessarily mean that they can't be accessed, but that way lies much pain. I haven't tried this in this specific case, but I have done this in the past, way back, with the music player to find out what was playing (for audio scrobbling). So if you absolutely must find a way to do this, no matter how hacky, then you could try this, but keep in mind that 'ere be dragons - this involves accessing a private API that you are not supposed to. That API could change on a whim between any two given builds of android (not just platform versions either), because it is supposed to be private and internal. You would need to make your code very resilient to failure here, and frankly it'll never be anything more than hacky and a PITA.
Right, all that said, see line 171 in this
That's what you want to do. Except you can't see the things you need, right? So you need this AIDL for the service (and possibly a bit of reflection too, I forget - haven't done this in a long time).
This blog post describes something similar, though not in much detail. It's hard to find things talking about, since it is an incredibly discouraged practice.
I think it is fine just to close tun descript and let the Service end. This will effectlivy end the VPN (but the app in question will still hold the permission to open a VPN again). The notification (key symbol) will also go away. If you are trying the VPNService of another app that might be tougher. Perhaps you should ask the author of that app for an API.
it's been some time now, since I started reading about android.
I've already made a few basic applications, but I still miss something: How is actually sharing application component being done?
This is what the Android Dev Guide says:
A central feature of Android is that one application can make use of elements of other applications (provided those applications permit it). For example, if your application needs to display a scrolling list of images and another application has developed a suitable scroller and made it available to others, you can call upon that scroller to do the work, rather than develop your own. Your application doesn't incorporate the code of the other application or link to it. Rather, it simply starts up that piece of the other application when the need arises.
I think I came across some question like this, but I think I'm still confused.
Is the only way of getting such a 'private application' information to contact the developers of that application?
Is information about the data that the application operates with private, too?
If it is described in the AndroidManifest.xml file is it available for the other applications, or it is available only to Android?
When I started satisfying my interest in Android - one of the things that grabbed me was the impression of immense interoperability...
:)
Have I been wrong or I still haven't found the way?
Thanks!
How is actually sharing application component being done?
That depends entirely on what you consider an "application component" to be, and what you consider "sharing" to be.
This is what the Android Dev Guide says
That is a fairly bad piece of the documentation. Here is how I would write it:
A central feature of Android is that one application can make use of components (e.g., activities, services) of other applications (provided those applications permit it). For example, if your application needs to display a list of contacts and another application has developed an activity that does just that and made it available to others, you can call upon that activity to do the work, rather than develop your own. Your application doesn't incorporate the code of the other application. Rather, it simply starts up that piece of the other application when the need arises.
Is the only way of getting such a 'private application' information to contact the developers of that application?
Either developers are intending for you to integrate with them, or they are not. If they are, they should be documenting how to do that (e.g., Intent formats to be used with startActivity() to trigger their code). If they do not document such integration points, you can certainly ask the developers to add some. However, randomly shooting Intents at them in hopes of getting a response, even if it temporarily works, is little better than script kiddie tactics -- those developers are not obligated to ensure you code works when they upgrade their app.
Is information about the data that the application operates with private, too?
I do not know what "information about the data that the application operates with" means. Data managed by an application is private by default. Again, application developers can offer integration points for data (e.g., content provider, remote service API) -- some do, some do not.
one of the things that grabbed me was the impression of immense interoperability
Android offers greater interoperability potential than some other mobile platforms. However, using that potential requires consent among the interoper-ees. You cannot unilaterally decide to hack into another app's database, or invoke private activities, just because you feel like it.
Should more Android developers offer more integration points? In the abstract, sure. However, bear in mind that this adds support costs (e.g., answering integration questions) and limits coding flexibility (e.g., need to maintain a stable API for those doing the integrating). Developers cannot be blamed if they do not wish to incur all that.
Can you suggest me any good anti-crack approaches (other than a code obfuscation), considering that the paid apps on the Market are easily cracked, and the same goes for a basic server check after a PayPal transaction?
My idea is to have one (very important for the app) Java object saved on the server, and passed to the app each time when it starts. Do you think that this sounds good ?
Note that it is more like of a theoretical question, as I am not going to implement it in an app, I am more like seeking the knowledge for this rather than a concrete solution to a problem.
Any ideas would be appreciated, even ones that you are not very sure if they are good or not. Remember, the question is for Android apps. Thanks.
EDIT: I know that there can't be an unbreakable client side application, I am asking for a good option to prevent it other than a obfuscation
No. Code stored on the server and provided for execution on the device can be grabbed and stored elsewhere such as locally. (And that's probably going to be as hard for you to implement as it will be for the attacker to patch around)
Ultimately, you have to face the fact that preventing run authorization just isn't possible on a general purpose computing platform.
Unless you move actual functionality to execution on a server requiring an individually authorized account, all you can hope for with regard to code running on the user owned device is to achieve a higher than average shade of difficulty.