I am just starting on Android development. To my nascent knowledge, it seems that anybody can grab any personal info and modify it or phone it home. Like with ContactContentProvider. I know these(permissions) have to be specifically declared in application manifest and the user would be presented with this info during installation. But still how would you you know the application handling your private data is not going to go rouge on it?
Example:
Suppose I create an app with internet
and contact-reading permissions. It
claims that it will backup contacts on
a server specified by user. While
secretly it also copies them to your
own server.
It's no different than you developing an app that does it that runs on a PC, or something that uses your gmail login to see if there's others you know on the same site.
It's all about trust. Also the Apple approval process doesn't safeguard against any of this if you hide it and when found out malicious apps can be killed & uninstalled instantly.
Related
If I create an application, which the user installs on his Android device, is it possible for that application, that from the background, it can access the currently opened browser tab, and if the user navigates to a specific domain with his browser, the app sends a push notification, or maybe notifies the user about a promotion on that domain?
well, for usual apps this isn't possible for security reasons obviusly. but it probably may be done using AccessibilityService. note that Google is filtering apps which have such big privileges and won't let your app to Play Store if it will be using AccessibilityService to such "trivial" operation (isn't very helpful, for sure isn't accessibility-kind-of)
Sadly I know little to nothing about mobile app development and I am tasked with thinking through privacy considerations a user could have when using a mobile website vs its app equivalent.
For example, when a user browses our mobile website we can collect the following data:
IP
User agent
OS information returned from Javascript, including screen resolution
Cookies from the domain
Of course, this list isn't exhaustive.
So what can easily be collected from a user of a mobile app? (assuming no extra permissions were enabled)
IP
What's the equivalent of a user agent?
What OS/device info is available?
Do apps have "cookies"?
What else?
APMK, we can Collect the below data
Device location.
Device Name.
Device Version.
OS (Android/iOS/Windows)
Cooikes if we are using webview ..etc
I think your question requires more clarifications and answer to the following questions:
Do you have access to the source code ? If yes, you can track basically anything that's in the app using 3rd party tracking services like Google Analytics or other similar stuffs (even your own implementation). If not, do you have access to the API that's used by the application ? If yes, you can probably detect the OS since almost all request have a User-Agent attached to them, platform specific, but from the API requests you can't have much info.
I think the problem should be put the other way around, what do you want to track from a mobile app ? And I can tell you from my experience that there's almost nothing that can't be tracked from mobile apps if you have access to the source code. Regarding the permissions, off-course you won't be able to access something for which you didn't request any permissions, but you can check if the permission is granted anyway (maybe some other part of your app requested those permissions).
Also just a reminder, if you develop apps for EU, make sure you're GDPR compliant, the sanctions can be quite huge for a non-GDPR compliant app.
Yes there is an App where you can find all the info of the Particular info https://play.google.com/store/apps/details?id=com.quixom.deviceinfo
Check it out
I'm trying to understand how applications are storing data without the use of a login system. Example, an android app starts you with 500 coins and you use some of them. You have not logged in at all and you delete the 'app data' in settings and uninstall and reinstall. The app still knows you only have 450 coins left for example. The app requires internet connection so I'm assuming they are storing the info on their server. If so, how are they uniquely identifying your device? In my reading so far it seems there is no full-proof way to uniquely identify a device every time.
I'm asking because I'm going to be working on an app where I don't want to require a login but I also don't want the player to simply reinstall and get to start over. So, my question is how does everyone handle this situation to work for both iOS and android?
Google offers Firebase, which is used for notifications, but makes use of a unique identifier for an application instance on a device (both on iOS and Android), they could be using this.
There are some more providers that offer a similar service (for example OneSignal).
Reference: https://firebase.google.com/
a customer ordered us a tablet application, but they need a lot of access restriction to lock device functions such as:
Permit datas transfer only inside the application not outside
Restricted user access on the device (something close to admin and normal user permissions)
A framework/API that permit to create an internal mail reader/sender
Public API of iOS makes impossible to fulfill those requirements. I was wondering if Android makes life easier when there are those kind of restriction.
UPDATE: To make understand better the field of use. I'm talking about an application that "force" the device to be used just only with that application for an Enterprise use. The app is just like a CRM but the device should be blocked in some functions to make users only work with them and NOT playing or use facebook, market etc.
Not sure you can achiev all of those, but you should look into the device policy for android here and here.
1) Not sure what you mean by point 1. If you mean controlling all data transfer from the device, you might be a in a bind considering the only way to get a firewall running on android is by rooting the device. Perhaps you could look into writing a custom launcher/home like KidZone that only shows approved apps? - Not nearly as secure, though.
2) Honeycomb, so far, doesn't have multi-user support - though you can have multiple google accounts registered. The custom launcher could help in this regard though.
3) I don't see the point of doing this unless they already have a custom mail infrastructure in place. Otherwise just go with exchange.
Permit datas transfer only inside the application not outside
Do not request the INTERNET permission.
Restricted user access on the device (something close to admin and normal user permissions)
You would have to implement this yourself.
A framework/API that permit to create an internal mail reader/sender
I have no idea what this means.
I develop Android app which has next work scenario:
User sets a list of apps and password.
If application from this list will start, then shown request of password.
If the password is incorrect, then the access is not allowed.
If the password is correct - the application runs.
How to implement such functionality?
Does anyone knows similar open source projects? There are such applications in the Andoid Market, but I didn't found their sources.
And another question. Is it possible to control the access of applications to the Internet, to sending SMS, to user data and etc.?
Suppose some kind of app during its work requests access to the Internet - on the screen again displays a warning requesting for the password. The correct input - access to a resource is open, the wrong - the application continues to work, but without giving him the required data.
Thanks in advance.
P.S. Sorry for my English.