Just a quick question as Google isn't throwing up much.
Is it possible to create a VPN connection using native code in Android?
And if so does the VPN offer support for keep alives?
I believe it would be more of a permissions issue than of an exposed or not exposed issue. Most VPN connections would need you to modify and access the network filtering calls of your kernel. Since your app should really be operating in its own sandbox, this is something I would doubt is exposed by default (to apps at least), since you would essentially be modifying the way the entire OS routes network traffic. For the same reason, in order to modify iptables in the OS, it needs to be rooted so that your app can actually alter such things. At that point I would assume the connection would be made similar to any other VPN connection in any other Linux OS (via an IPsec daemon or some proxy daemon that you create), but the calling entity would need the actual access level necessary to complete the call to the kernel.
Rooting of the device is needed for creating a VPN connection. We need access to /data/misc/keystore and /data/misc/vpn/profiles in our program.
I have a question: in the Android documentation it is mentioned that Android processes can communicate using local sockets. Does it mean that two applications with different user IDs can communicate using local sockets and by that "bypass" the sandbox?
It is indeed possible to do IPC using local sockets on Android, see the LocalServerSocket and LocalSocket classes. These translate to UNIX sockets in the abstract namespace.
A word of warning though: Samsung has started restricting local socket use in certain cases through SELinux in their latest firmwares (unfortunately they do not use the same policies as AOSP). I'm not completely clear on the details, but I have seen instances where SELinux blocked the local socket from connecting on these firmwares. Probably depends on the SELinux context of the different processes trying to use the local socket not matching. Be sure to test that if you end up going this route.
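The answer above is the practical point for the sandbox question: an abstract-namespace UNIX socket has no filesystem node, so there is no file-permission check on connect, and any process that knows the name can reach the listener. The server therefore has to authorise peers itself, using the credentials the kernel reports for the connection. The following Python script is an added example written for this page (not code from the thread or from Android) and shows the Linux mechanism that Android's LocalSocket maps onto: a listener in the abstract namespace that reads the peer's UID via SO_PEERCRED and only serves UIDs on an allow list. The socket name, the message and the allow list are constructed for the demo; it runs on Linux only.

```python
import os
import socket
import struct
import threading

# Constructed abstract-namespace name: the leading NUL byte puts the socket in the
# Linux abstract namespace, so there is no filesystem node and no file-permission
# check on connect(). Authorisation therefore has to happen in the server itself.
SOCKET_NAME = b"\0ipc_demo_socket"


def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer of a connected AF_UNIX socket (Linux SO_PEERCRED)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def serve_one(allowed_uids, ready):
    """Accept one client, authorise it by kernel-reported UID, answer, and return the decision."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(SOCKET_NAME)
    srv.listen(1)
    ready.set()                      # tell the client it may connect now
    conn, _ = srv.accept()
    with srv, conn:
        _pid, uid, _gid = peer_credentials(conn)
        request = conn.recv(1024)
        if uid not in allowed_uids:
            conn.sendall(b"DENIED")
            return {"uid": uid, "granted": False}
        conn.sendall(b"OK:" + request)
        return {"uid": uid, "granted": True}


def run_exchange(allow_self=True, request=b"ping"):
    """Run server and client in one process; the client's UID is this process's own UID."""
    allowed = {os.getuid()} if allow_self else set()
    result = {}
    ready = threading.Event()
    worker = threading.Thread(target=lambda: result.update(serve_one(allowed, ready)))
    worker.start()
    ready.wait(5)
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    with cli:
        cli.connect(SOCKET_NAME)
        cli.sendall(request)
        result["reply"] = cli.recv(1024)
    worker.join(5)
    return result


if __name__ == "__main__":
    print(run_exchange(allow_self=True))   # same UID: granted
    print(run_exchange(allow_self=False))  # UID not on the allow list: DENIED
```

The Android-side equivalent of the SO_PEERCRED call is LocalSocket.getPeerCredentials(), which returns the connecting process's PID, UID and GID; checking that against the UIDs you expect is what keeps a local socket from becoming a cross-app hole. The SELinux caveat above sits underneath this: if the two processes' contexts are not allowed to talk, the connect fails before any of this code runs.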
This is going to sound strange, and please don't judge the impracticality of doing something like this, but I need to add support for controlling outbound network traffic from an Android device. It doesn't have to be selective. I basically need to put the device in a mode where outbound communication is silenced over Wi-Fi (primarily). The reason for this is I have a networked application that's remotely controlled and I need to be able to put it to "communication sleep" on demand and then "wake it up" after a period of time, or on demand. The on-demand aspect is controlled remotely. Hence the need to put the device in a state where it'll only accept inbound communication.
I'm primarily interested in TCP/UDP blocking of outbound traffic. I'm not interested in a separate firewall app. My application includes a service that's already implementing all the communication code required. I just need some suggestions on how to control outbound communication.
FYI, I have a mix of 2.3 and 4.0 devices to work with.
Could I have my service implement some basic firewall support? Maybe a simple proxy that the device is configured to use? (similar to the Ad Block app)
Thanks in advance for any suggestions. If it's at all possible, I'll try to share the code for it here.
UPDATE: Sorry, I have and require root on these devices anyways.
On the proxy idea, really I just need a black hole listening on a port. If I can set the system proxy settings from my app, when the outbound communication needs to be disabled, I can enable the proxy and drop all connections.
If I can't set the system proxy settings, I'll have to implement a working proxy, require the user to configure the proxy, and control its behavior accordingly when connections are received.
I might as well answer my own question. With root you can include iptables and make some command line calls to control the traffic flow. Note that you should have some experience with stateful firewall concepts, as mucking with outbound DENYs will lead you to confusion unless you know exactly what the system/app is supposed to do. (random response ports, etc...)
A proxy service would work for Android devices and versions which allow for network proxy support. Unfortunately not all my devices allow for it. (My Gingerbread devices don't have proxy support; it's just not present in the UI, and the API is read-only for the HTTP_PROXY system setting.)
So there's no example code to offer. I'm playing with iptables on my devices. I'll likely include it in my application, which requires root anyways.
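The self-answer above says the firewall route needs stateful thinking, and that is exactly where a naive "drop all outbound" rule goes wrong: replies to connections that a remote peer opened to the device are also outbound packets, so a plain OUTPUT DROP silences the inbound side too. The script below is an added example written for this page, not the poster's code; it builds the two rule sets side by side as iptables argument vectors so the difference is visible, and only executes them when explicitly asked and running as root. The interface name wlan0 and the chain name COMM_SLEEP are assumptions.

```python
import os
import subprocess

# Constructed names (assumptions, not from the thread): the Wi-Fi interface on the
# device and a dedicated chain so the rules can be removed again cleanly.
IFACE = "wlan0"
CHAIN = "COMM_SLEEP"


def naive_rules():
    """The obvious first attempt: drop everything the device sends.
    This also drops the reply leg of connections that remote peers opened *to*
    the device, so "inbound only" does not actually work with this rule."""
    return [["iptables", "-P", "OUTPUT", "DROP"]]


def sleep_rules(iface=IFACE, chain=CHAIN):
    """Stateful version: let replies to inbound-initiated flows out, drop the rest."""
    return [
        ["iptables", "-N", chain],
        ["iptables", "-F", chain],
        # Packets belonging to a flow conntrack already knows (e.g. the reply leg of a
        # connection a remote peer opened to us) are ESTABLISHED or RELATED: allow them.
        ["iptables", "-A", chain, "-m", "conntrack", "--ctstate",
         "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        # Everything else leaving on this interface is a connection the device itself
        # is starting (NEW) or junk (INVALID): drop it.
        ["iptables", "-A", chain, "-j", "DROP"],
        # Hook the chain at the top of OUTPUT, only for the wireless interface.
        ["iptables", "-I", "OUTPUT", "1", "-o", iface, "-j", chain],
    ]


def wake_rules(iface=IFACE, chain=CHAIN):
    """Undo sleep_rules(): unhook, flush and delete the chain."""
    return [
        ["iptables", "-D", "OUTPUT", "-o", iface, "-j", chain],
        ["iptables", "-F", chain],
        ["iptables", "-X", chain],
    ]


def apply_rules(rules, dry_run=True):
    """Return the commands as shell lines; run them only when asked and running as root."""
    lines = [" ".join(argv) for argv in rules]
    if not dry_run and os.geteuid() == 0:
        for argv in rules:
            subprocess.run(argv, check=True)
    return lines


if __name__ == "__main__":
    print("\n".join(apply_rules(naive_rules())))
    print("---")
    print("\n".join(apply_rules(sleep_rules())))
```

The ordering inside the chain is the whole point: the ACCEPT for ESTABLISHED,RELATED must come before the DROP, otherwise the device can accept a connection but never answer it. One limit worth knowing: an outbound connection that was already open when the rules go in is also ESTABLISHED and keeps flowing, so this silences new outbound connections, which is what the thread asks for, not sessions that are already up.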
How do we make handheld devices secure to log in to a domain (mobile device management)? For example: if you have a laptop or if you are working from home using a desktop, you do a VPN and connect to your company's domain. Once you connect, only then can you access your work email, SharePoint sites, timesheets, etc. So instead of laptops and desktops, how do we create/develop an app on mobile devices which can ensure 100% security for the environment which we are connecting to? I don't have any idea regarding this. Anybody who knows, please help me.
The problem is essentially establishing a VPN tunnel. The issue with that is that Android does not support the Cisco protocol/extensions out-of-the-box. Cisco have released versions of AnyConnect for phone brands (different kernels, with/without tun.ko, etc.) but that means your users would have to manually connect to the VPN first. You really do not want to implement your own VPN. In fact, you don't want to implement any cryptography whatsoever, since you are guaranteed to get it wrong.
Unfortunately, there's little automation that could be done without root access or support from Cisco (e.g., hooks to start connecting via an external intent). Given root access, you could just run the command-line openvpn tool with a pre-configured config and establish a VPN tunnel to your facilities. This is not an entirely brilliant idea but at least you're not dealing with crypto directly (just kernel versions, tun/tap.ko modules, etc.). The upside of OpenVPN is the granularity of control. The downside of OpenVPN is the granularity of control, i.e. setting up CAs, Server/Client certificate pairs, etc (which you'll need if you're at all serious about doing this on a large scale).
Of course, the easiest solution, if starting completely from scratch, would be to use Android's built-in VPN support. However, that's limited to a subset of L2TP/IPSec, which are not trivial to set up or that widely deployed.
Once the tunnel is established, the rest is just access to the local network.
I have implemented an Android application which connects to its application server via a VPN tunnel. That's fine.
However, I want the application to turn on the Android VPN service itself, rather than me turning on the VPN on Android manually.
Is it possible to turn on this from java source code, like
// TO DO
if (something) {
    VPN ON
}
Currently it's not possible to do that. Even with the latest classes in Android 4.0, user action is required to create a VPN connection. It's considered a security issue to be able to programmatically establish a VPN connection (e.g. without the user noticing).
It is not possible to turn off the VPN from Java source code, unless the device is rooted; then there are some hacks around. (So I have been told, being an Android developer for a major software company.) It is almost possible to do, but it will take writing something in native code. There are some companies that are currently attempting to do this in an SDK. Authentec is one, but even in their SDK it is not possible to shut off the VPN connection yet. I came here looking to see if anyone has done this before, but I know it is not possible through Java code; it will have to be in native code (C for simpletons like myself).
This is specific to Android 3.0/3.1. In order to implement a cloud security layer, I would like to reroute all IP traffic destined for certain ports through my custom cloud server, which would then serve up the required pages if they don't pose any threat.
The reasons I would like to do this are:
1. The applications running on Android would still continue their interaction with regular requests and wouldn't require any modifications
2. Better security. It should not be possible for a user to disable/block my reroute service. Hiding my implementation in the network layer would make it difficult for users to tamper with it.
I would like to know if this procedure is possible at all. If so, what is the best implementation procedure. If not, does anyone have a suggestion on any alternate methodologies.
The applications running on Android would still continue their interaction with regular requests and wouldn't require any modifications
This is only possible if you root your phone (or create your own firmware, which probably involves rooting the phone to deploy it). For example, Orbot, which is an implementation of the Tor proxy for Android, needs root in order to transparently pass all TCP requests through its proxy.
It should not be possible for a user to disable/block my reroute service.
The only way to do that is by making your own firmware.
Allowing ordinary SDK applications to do anything of what you request would be a massive security hole.
You need to set up iptables rules, which needs root.
As for not being able to disable your service, that is not possible, but the user will also require root to change these rules.
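Both answers above come down to the same mechanism Orbot uses: with root, nat-table rules in the OUTPUT chain redirect locally generated TCP connections for chosen ports into a proxy that then decides what to forward. The script below is an added example written for this page (not Orbot's code and not from the thread) that builds such a rule set as iptables argument vectors. The two details a first attempt usually misses are both in it: the proxy's own upstream connections must be excluded by UID or they loop back into the proxy, and loopback traffic must be left alone. The proxy UID 10123, the proxy port 8118, the port list and the chain name CLOUD_FILTER are constructed values.

```python
# Constructed values (assumptions, not from the thread): the UID Android assigned to
# the proxy app, the local port its proxy listens on, and the ports to filter.
PROXY_UID = 10123
PROXY_PORT = 8118
FILTERED_PORTS = (80, 443)


def redirect_rules(proxy_uid=PROXY_UID, proxy_port=PROXY_PORT,
                   ports=FILTERED_PORTS, chain="CLOUD_FILTER"):
    """nat-table rules that send new TCP connections to `ports` into the local proxy."""
    rules = [
        ["iptables", "-t", "nat", "-N", chain],
        ["iptables", "-t", "nat", "-F", chain],
        # The proxy's own upstream connections (to the cloud server) must not be looped
        # back into the proxy; -m owner matches the sending process's UID in OUTPUT.
        ["iptables", "-t", "nat", "-A", chain, "-m", "owner",
         "--uid-owner", str(proxy_uid), "-j", "RETURN"],
        # Loopback traffic is already local, leave it alone.
        ["iptables", "-t", "nat", "-A", chain, "-o", "lo", "-j", "RETURN"],
    ]
    for port in ports:
        # REDIRECT rewrites the destination to this host; the proxy recovers the
        # original destination from the socket (SO_ORIGINAL_DST) to decide what to do.
        rules.append(["iptables", "-t", "nat", "-A", chain, "-p", "tcp",
                      "--dport", str(port), "-j", "REDIRECT", "--to-ports", str(proxy_port)])
    # Hook the chain at the top of the nat OUTPUT chain (locally generated packets).
    rules.append(["iptables", "-t", "nat", "-I", "OUTPUT", "1", "-j", chain])
    return rules


def as_shell_lines(rules):
    """Render the argument vectors as the shell lines a root shell would run."""
    return [" ".join(argv) for argv in rules]


if __name__ == "__main__":
    print("\n".join(as_shell_lines(redirect_rules())))
```

Nothing here is tamper-proof, which is the point the answers make: anyone with root on the device can flush the nat table or delete the CLOUD_FILTER chain, so the rules protect against ordinary apps, not against the device owner.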