Android, configure Wifi Enterprise PEAP & EAP-Fast - android

I am writing an application to help test android devices' capabilities to connect to wlan's with varying security settings (ex. wpa aes peap). However, I noticed that the published android.net.wifi api does not contain fields to set parameters needed for peap and eap-fast authentication. Does anybody know how to establish a connection to peap programmatically?
Below is a link that shows the WifiConfiguration() class possessing unpublished fields (ex. eap, phase2, identity, password). However, eclipse will not let me utilize these fields in my code since they are not officially in the android api.
http://www.netmite.com/android/mydroid/1.6/frameworks/base/wifi/java/android/net/wifi/WifiConfiguration.java

I was having a similar problem. The solution is to use "Reflection".
Here is a link that should be very applicable to you.
How to programmatically create and read WEP/EAP WiFi configurations in Android?

Related

Create L2TP/IPSec VPN base on VpnService programmatically in Android

I have searched for a day about creating an L2TP/IPSec VPN based on VpnService, but there is no matching result.
With LocalVPN (https://github.com/hexene/LocalVPN), I can create a VPN (OpenVPN) Android app based on VPNService. But I want to create an L2TP/IPSec VPN Android app.
Is there any way to do it ?
Simply cannot be done.
The VPNService does not allow you to create a profile with username and password and there is no support for creating a L2TP or PPTP programmatically. Lots of people have been looking for this but Google are just not sharing their toys.
Even attempting to use the Hidden API has no support. Many VPN apps out there default to use OpenVPN-ICS or IKEV2(strongSwan) or require you to manually create the L2TP/ PPTP VPN connection on the device yourself.
Many people have requested this from Google but they either get a message saying the request is now obsolete or it is not financially viable.

IP cam/dvr protocols (xmeye example)

I have a potential project to do and I am going through research about what it takes.
Project would include viewing/controlling IP cameras and DVRs. An example application I was looking at was XMEye.
I am not looking into any code or particular implementation but general directions.
Questions:
1) How does QR code autodiscovery work? Is that some kind of automatic dynamic DNS setting where such a device has a GUID serial number that acts as hostname in classic dyndns? (already input into cloud db where cam reports its current IP address)
2) Does the XMEye app, for example, rely on devices being ONVIF compliant or does it support some other protocols? If so, which?

Managing dev environments when developing for iOS 9 with SSL certificate

With iOS 9, Apple is mandating the use of HTTPS. While this is all good and secure, it forces me to convert all my dev/testing servers to HTTPS. I'm developing for Android and iOS.
Things I've already tried/looked at:
Running iOS 8 - not a long term solution
Self signed servers - requires adding code to both platforms.
Adding root certificate - probably the way to go but expensive in terms of hours spent on this.
I'd like to know how other people are handling this. Ideally, I'd like a solution based on 3 (or not based on 1 and 2), which works well with simulator/emulator and doesn't require jumping through hoops and constant tinkering with root certificate on various devices.
I'll also take a solution for iOS only (e.g. #ifdef) as Android can stay on HTTP.
=====================================================================
Update: 20 Dec
My servers are IP address only. No domain name.
Using plist settings is an option. However, an answer would have to be specific and complete. I would expect to see something like a script that removes plist settings for 'release' builds.
I'm not a security person, but I suspect that leaving whitelisted IP addresses for attackers to use is a bad idea.
You can very easily add domain names for your development servers by using a free DNS provider. I use http://freedns.afraid.org/ and they have some shared domain names where you can add names for IP's you need. I sometimes do this just for internal servers to make it easier to remember where they are!
As for the plist; all you are doing when you whitelist a name like that is telling the phone app that it can talk to that server with HTTP. If you #ifdef DEBUG the ability for your app to talk to those endpoints, then you should have compiled out the ability of the end user to switch to it!
If you are still concerned about it and are looking to have a build step that removes the exemption then PlistBuddy is your friend. You can remove an exemption using the following command line.
/usr/libexec/PlistBuddy -c "Delete :NSAppTransportSecurity:NSExceptionDomains:my.devserver.com" Info.plist
Please put this property in your info.plist if you want to work with HTTP/HTTPS with iOS9.
App Transport Security is enabled by default when using NSURLSession, NSURLConnection in iOS9
You can opt-out of ATS for certain URLs in your Info.plist by using NSExceptionDomains. Within the NSExceptionDomains dictionary you can explicitly define URLs that you need exceptions for with ATS. The exceptions you can use are:
NSIncludesSubdomains
NSExceptionAllowsInsecureHTTPLoads
NSExceptionRequiresForwardSecrecy
NSExceptionMinimumTLSVersion
NSThirdPartyExceptionAllowsInsecureHTTPLoads
NSThirdPartyExceptionMinimumTLSVersion
NSThirdPartyExceptionRequiresForwardSecrecy
Each of these keys allows you to granularly disable ATS or particular ATS options on domains where you are unable to support them.
You can refer to the answers to this question here:
How do I load an HTTP URL with App Transport Security enabled in iOS 9?
Transport security has blocked a cleartext HTTP
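A release-build step along the lines requested in the question, generalising the single PlistBuddy delete above to every exception domain that allows cleartext HTTP. This is an added example, not code from any of the posters; it uses Python's plistlib instead of PlistBuddy, and the bundle identifier and api.example.com entry are constructed sample values.

```python
import plistlib
import sys

# Per-domain keys (from the list above) that permit cleartext HTTP.
INSECURE_DOMAIN_KEYS = (
    "NSExceptionAllowsInsecureHTTPLoads",
    "NSThirdPartyExceptionAllowsInsecureHTTPLoads",
)

def strip_insecure_ats(plist_bytes):
    """Return (cleaned plist bytes, names removed) for a release build."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    removed = []
    # NSAllowsArbitraryLoads is the app-wide ATS opt-out; removed for release.
    if ats.pop("NSAllowsArbitraryLoads", False):
        removed.append("NSAllowsArbitraryLoads")
    domains = ats.get("NSExceptionDomains", {})
    for name in list(domains):
        if any(domains[name].get(key) for key in INSECURE_DOMAIN_KEYS):
            del domains[name]
            removed.append(name)
    # Drop empty containers so the release plist carries no leftover stubs.
    if not domains:
        ats.pop("NSExceptionDomains", None)
    if not ats:
        info.pop("NSAppTransportSecurity", None)
    return plistlib.dumps(info), removed

# Constructed sample: one cleartext dev exception, one TLS-only exception.
SAMPLE = plistlib.dumps({
    "CFBundleIdentifier": "com.example.app",
    "NSAppTransportSecurity": {
        "NSExceptionDomains": {
            "my.devserver.com": {"NSExceptionAllowsInsecureHTTPLoads": True},
            "api.example.com": {"NSExceptionMinimumTLSVersion": "TLSv1.2",
                                "NSIncludesSubdomains": True},
        },
    },
})

if __name__ == "__main__":
    # With a path argument, rewrite that Info.plist in place; else use SAMPLE.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE
    cleaned, removed = strip_insecure_ats(data)
    if path:
        open(path, "wb").write(cleaned)
    print("removed ATS exceptions:", removed)
```

Exceptions that only adjust TLS parameters, such as NSExceptionMinimumTLSVersion, are left in place because they do not permit cleartext traffic.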

SUP android native app

Is it possible to have user put in connection properties like ip address in the app to connect to Sybase. I need to find out for a test to connect to our DR Site which has a different IP address. (So user uses production system and something happens and need to switch to the DR Site to continue working.)
Thanks
Louis
I don't know much about SUP, but it seems the IP address of the server is in the generated code (Activity classes); you can edit this code to get the IP from somewhere (e.g. the application settings).
If you don't have access to the source code of the application and this is just for a test you can configure your android device to use a proxy (How to change proxy settings in Android (especially in Chrome)) and then make a simple proxy that redirects connections to another host (such as those described in seriously simple python HTTP proxy?).

Secure element Access Control on ICS 4.0.4

I updated my Android phone to 4.0.4 and I noticed that a new file nfcee_access.xml appeared in the system folder. The idea of the file, as far as I understood, is to keep a list of signatures, and allow access to the SE and related intents only to the packages that are signed with one of these signatures. So far in this list is of course the signature of the Google Wallet.
Does anybody know what the process would be in future to get onto this list? Do you need to ask Google directly for permission?
If you root your phone, you can modify the file. The file contains the list of signatures and package names that are allowed access to the Secure Element (SE). The signature is a hex-encoded X.509 certificate. To create one, simply include the tag <debug /> in the file and it will print to logcat the hex-encoded signature of applications that are denied SE access, for easy cut-and-paste into this file.
To create an app that can access the SE, you need to add this permission to the manifest:
<uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS" />
To actually access the SE, you need to access a hidden API by importing com.android.nfc_extras:
import com.android.nfc_extras.NfcAdapterExtras;
import com.android.nfc_extras.NfcAdapterExtras.CardEmulationRoute;
import com.android.nfc_extras.NfcExecutionEnvironment;
The easiest way to make this possible is to compile your app in the Android source code tree by placing it in packages/apps and building it from there. You need to add the following line to the Android.mk makefile to get access to the SE API:
LOCAL_JAVA_LIBRARIES := com.android.nfc_extras
The functions in com.android.nfc_extras allow enabling and disabling the SE, sending commands to it and receiving responses from it (comparable to IsoDep.transceive()).
This is interesting indeed. If entering your certificate and package name in this file is all that is needed, you shouldn't need to talk to Google, just get whoever is building the ROM (yourself if custom ROM, or a particular carrier) to include it. The bigger problem though is, who do you need to talk to to get the CardManager keys. If it is the carrier, you can also get them to pre-install your applet, so you might not need the keys at runtime (unless you want to use a secure channel to your applet).
Update: Here's a summary of SE support in Android and some more info on how to use the embedded one. In short, it does work, but you can only query stuff of course. It runs JavaCard and is GP 2.1.1 compatible, uses 3DES keys for the secure channel.
http://nelenkov.blogspot.com/2012/08/accessing-embedded-secure-element-in.html
http://nelenkov.blogspot.com/2012/08/android-secure-element-execution.html
BTW, here's the currently allowed cert on my GN 4.0.4. A package is not specified, so any app signed with it will get access to the SE:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a8:cd:17:c9:3d:a5:d9:90
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=Mountain View, O=Google Inc., OU=Android, CN=Google NFC
Validity
Not Before: Mar 24 01:06:53 2011 GMT
Not After : Aug 9 01:06:53 2038 GMT
Subject: C=US, ST=California, L=Mountain View, O=Google Inc., OU=Android, CN=Google NFC
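An audit of an nfcee_access.xml body for the two conditions the answers above describe: a signer with no package restriction (any app signed with that certificate gets SE access) and a left-over <debug /> tag. This is an added example, not code from the posters or from Android; the element and attribute names (signer, package, android:signature, android:name) are assumptions about the file layout, and the signatures in the sample are constructed placeholders, not real certificates.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def audit_nfcee_access(xml_text):
    """Summarise who an nfcee_access.xml body grants SE access to."""
    # Assumed layout: <signer android:signature="HEX"> with optional
    # <package android:name="..."/> children, plus an optional <debug/>.
    if "xmlns:android" not in xml_text:
        # Bind the android: prefix so a namespace-aware parser accepts it.
        xml_text = re.sub(r"<resources\b",
                          '<resources xmlns:android="%s"' % ANDROID_NS,
                          xml_text, count=1)
    root = ET.fromstring(xml_text)
    report = {"debug": root.find("debug") is not None, "signers": []}
    for signer in root.iter("signer"):
        sig_hex = signer.get("{%s}signature" % ANDROID_NS, "")
        try:
            der = bytes.fromhex(sig_hex)
        except ValueError:
            der = b""  # not valid hex: report it rather than crash
        packages = [p.get("{%s}name" % ANDROID_NS)
                    for p in signer.findall("package")]
        report["signers"].append({
            # Fingerprint of the listed certificate, for comparison
            # against the certificates you expect to be allowed.
            "sha256": hashlib.sha256(der).hexdigest() if der else None,
            "looks_like_der": der[:1] == b"\x30",  # DER SEQUENCE tag
            "packages": packages,
            "unrestricted": not packages,  # any app with this signer
        })
    return report

# Constructed sample; the hex strings are placeholders, not certificates.
SAMPLE = """<resources xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
    <signer android:signature="3082010aaabbccdd" />
    <signer android:signature="3082010a11223344">
        <package android:name="com.example.wallet" />
    </signer>
    <debug />
</resources>"""

if __name__ == "__main__":
    result = audit_nfcee_access(SAMPLE)
    print("debug tag present:", result["debug"])
    for s in result["signers"]:
        print(s["sha256"], "UNRESTRICTED" if s["unrestricted"] else s["packages"])
```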
With caveats: If you can get your application on the nfcee_access list you can do the following things:
Enable the UICC (sim card) and enable the embedded secure element (if present)
Open a communication channel to the embedded secure element and exchange data
Receive transaction data from the UICC (sim card) if the UICC wants to send you data (you'll be receiver only).
You can do all this if you root your phone. No need to hack the nfcee_access list to do so, you can just intercept all traffic to the nfc-chip to do so.
What you can't do, even with a rooted phone:
Install applets on the UICC / eSE
Log/Monitor/influence the data-transfer between the embedded secure element/UICC and an external reader, e.g. hack payment systems.
Caveat: You can do almost everything if, and only if you have the knowledge and the secure access-keys to access the embedded SE. However, if you have this information you wouldn't ask on stack-overflow. :-)
This knowledge is a well kept secret and no one will tell you this secret unless you are a company as big as google, mastercard, visa, american-express and the like.
The answer is simply NO you cannot do anything with the Secure Element. Only SE owner or issuer can allow the access to the SE - i.e. it is Google itself, or might be First Data (http://www.firstdata.com/en_us/products/merchants/mobile-commerce/trusted-service-manager-solution.html), but I think this company is responsible only for the Google Wallet itself, not for the SE management - this might be done by SK C&C - I have no idea...
Take it also that way - the precondition for using embedded secure element is that you are offering excellent service and you are Google partner or other phone manufacturer partner (unless you are from Facebook or similar company save your time and do not try that). This is not easy and 99.99% of services cannot be there.
Regarding secure element now you can wait until SWP and SIM cards will become more popular and acceptable solution, since you might be able to get contract with MNO on national level easier or hope in NFC-WI and SD card solution or go with stickers or external accessories like iCarte for iPhone.
