I am working on a research project to look at malware and how to prevent it on Android. I am modifying the OS to allow my system service to record any app's attempt to access a file and report that up to a system service which will decide to grant access. I have the system service running on Android 7.1 and but I can't call the service manager which is in the android.os package in frameworks and the class I want to call from is in the java.io package in libcore-ojluni. I have the modification in java.io.FileOutputStream.java.
When I try to compile Android it gives me the error: "Package android.os does not exist"
I am thinking of using sockets to communicate to the service but that seems to slow as I would like a response before allowing access, and I don't want the process to hang.
Is there a way to include the package that I need? Is that even a good idea?
I haven't tried native services. I wanted to ask here before I try that. Is communicating up the Android OS Stack not doable?
Related
I want to read an Application Specific file stored in /data/data/package_name location for X package, I've found that Android JAVA provides functionalities to read Application Specific directories and files (refer doc), so I was thinking can I inject JAVA code using frida to retrieve/read file contents (example)? I don't have root access on my device.
If you don't have root access on your phone you can not use Frida to hook arbitrary apps. Frida requires frida-server which has to be started with root permissions to be able to inject code into apps.
But on a rooted device you can simply execute su and directly get access to the app-private file in /data/data/<package name>/.
The only way to inject code into an app on a non-rooted device is to modify the APK files before installation and inject frida-gdget-server into the app and force it to be executed when the app starts.
After modifying the APK you have to re-sign it with a different signature so the app can not be installed as update to the original unmodified app because of the different signature.
But if you have already modified the app you could have also modified the debuggable flag to give you full access using run-as via adb.
Conclusion: No matter what you do using Frida to get access to app-private files does not make sense.
When developing a Java EE 7 webapp (Win8, eclipse Kepler, JBoss Tools 4.1.1, wildfly8.0CR) I can use the application at localhost:8080/app/
But I wonder what to do, if I want an extern access to that app, e.g. from my other PC. What configuration is needed, or do you need a "real" server for such a purpose?
Thanks in advance
How public to you want your website to be?
If you want to access it from another computer on the same network(for example your home network) you need to adjust your network and firewall settings so that that you would have access from one computer to anoher on the same network. Then if on the computer that contains the app you would access it for example http://localhost:8080/myapp then on another network you would access it http://ip-of-the-comuter-that-contains-the-app:8080/.
If you would like to access it from outside the local network then the process is same, but a static IP would be recommended to the computer that contains the app.
If you would like the general public to use the app, then hosting it from your PC may not be such a good idea and somekind of server solution is adviseable. There are lots of different cloud solutions like http://aws.amazon.com/ec2/ or https://developers.google.com/appengine/ that would provide enough flexibility for majority of apps. Or you could ofcourse have your own server hardware, but this can turn out to be much more expensive to keep stable and secure.
For a quick-and-dirty solution you can choose the "Enable remote access" option on the server (double click the server, and you should see a check box in the server editor).
This will tell the server to start listening on all network interfaces and not just the local one.
btw. we only listen on local network interface by default for security reasons since we don't want you to unintentionally get hacked if a vulnerability is found and used by someone malicious.
I have a web application running with support for some specific pieces of hardware. This is achieved in the following steps:
User runs a small installer that places java files (and a couple
others) on the client machine. The main piece is a jar called "hardwareManager"
User visits web app. The web app runs a java applet which, due to
a .java.policy file placed during the install, has permission to
interact with the client machine outside the browser sandbox.
The applet checks to make sure the hardwareManager is running,
and if not runs a command to start it.
User interacts with the web app which sends commands to the applet via
javascript. The applet then writes commands to a text file
on the client machine. The text file is constantly monitored by the
hardwareManager which runs any commands it reads in.
This works, but seems clunky. I have a couple ideas on how to improve it, but I don't know which, if any, are even worth trying.
Would it be better to set up the hardwareManager as a socketServer and have the applet connect directly to it, rather than going through text files? Is that even possible?
Is there a way to eliminate the applet altogether and have the javascript talk directly to the hardwareManager? Maybe by writing the hardwareManager to be a local http server? What port should it run on? Do javascript xss limitations fit in here somewhere?
It would be less clunky to start the Java application using Java Web Start. This would remove the need to daemonize or install the Java hardware manager.
Another alternative is to use a built-in browser inside Java. I supose this is not an option, since you depend heavily on Javascript (I suppose to provide a rich client experience).
If you already have to install something on the client machine, why did you make the choice to go with a web application?
Talking from experience: We had a Java EE application which needed to print to PoS printers at the client site. We installed a small "synchronizer" application that connects through SSH and synchronizes all clients files. Afterwards, it loads the JAR and executes the program. This program connects through RMI with the server and subscribes to a JMS queue to receive the print assignments.
Applied to your case: Why not let your Java application connect to the server directly? You can use HTTP, SOAP or even JMS over RMI. You can then launch the hardware command from the server (instead of from the limited JavaScript webbrowser environment). This way, you get tons of features: authentication, buffering of commands, and you can even share hardware between multiple clients.
Schematic:
<----AJAX------> Web browser
ApplicationServer
<---HTTP/SOAP--> Java hardware manager application
You can launch the Java application using Java Web Start, which allows you to update the application automatically (instead of needing to pass every client a new installer).
I'd like to create a service where people can enter external websites, after which the returned source will be modified by my application (for whatever purpose) and then returned to the user.
One would normally redirect all traffic through the server, so that the server is the one accessing the external source. This is because HTML5 and flash sockets cannot access external sources unless the external source has the required policy files (please correct me if this is false). Even if the user wants the client to, it still can't access these external sources if the external source itself does not have such policy file.
My question is: can a Java applet access an external source regardless of it's policy file, if the user allows it to? How is this usually done?
If not, is there anything else I can try? Redirecting all traffic through my server is not an option because of 1. high use of bandwidth and server resources for a free service and 2. a high chance of my server being marked as a spam bot or bandwidth hogger.
Thanks in advance.
Regards,
Tom
If choice of technology is not a problem you can use a Java Web start application.
Your application will be launched from a web page (if that is what you want)
After user-confirmation your application can do everything (similar to native apps)
I have actually done this with a Java web start application that used web services from servers other than the one it was launched from.
I am trying to build a google app engine app in Java. The app is trying to get information from another site. On my computer I am behind a firewall and need to connect to the site through a proxy. Google app engine does not allow the use of java.net.proxy. Is there a way to configure eclipse so it knows that when I use URL.getContent() my local host will connect to that url through a proxy??
Look at this thread issue, there's a patched jar that allows you to connect through a Proxy.
It seems there's no way to do this, at least with current release of the SDK. I've gone through suffering from this problem.
The workaround is to make your system inherently aware of proxy. For example, use VPN, or use iptables to configure your proxy on Linux system.
It seems when your use normal way to specify a proxy as with other Java application it will invoke a class not in the JRE white list of GAE/J.