I am making a secure application which should not run if the mobile device is stolen/lost, or the sim card is changed. If I programatically uninstall my app it prompts user whether she wants to uninstall it or not. I want this thing in a hidden way.
One more thing is to keep a file in assets/raw folder and when sim card is changed i must remove that file and my app will not run without that file. But deleting the files from both folders is not possible on run time.
All suggestions highly appreciated!
I know about password protection, cryptography, Pro-Guard, Dex-Guard, keep minimum functionality on phone. Guys I must need a way to remove the App! Please help on that point
Thankx in advance!
One more secure solution is to run your app on some Android x86 servers and to pipe in only the user interface to the phone.
Disclaimer: I've never used those guys, so I don't know how good they are. I just saw their lightning talk presentation at the most recent AnDevCon in San Francisco, and I just thought it was a clever idea.
One added advantage that this solution provides is that your employee's personal content doesn't get mixed in with the content of your company's. In hindsight, it's an old solution that has worked quite well for PCs and remote workers.
I'm not sure if this is exactly what you are asking for, but it may address your concerns. In general, the big concern with a stolen phone would be data. If you are concerned about someone else running your application, it seems that authentication should address that. A secondary concern is that someone could de-compile your code to learn details that could lead to exploitation. So here are 2 suggestions that address these concerns.
Use Progaurd to obfuscate your code. That way if the device is rooted and the APK is obtained, it cannot be de-complied (at least not into easily understandable code). Reference.
If you store any data in a database on the device, be sure to encrypt it. SQLCipher is a free library that will allow you to do so. Reference.
Answering some other interesting comments I was pinged about:
A couple of things:
I am that guy who gave the lightning talk in AnDevCon Stephan Branczyk mentioned, but I'm not a heavy stackoverflow user so I do not have the privilege to reply. 50 Upvotes for this comment and I may be able to answer inline :)
I will however give my insights on this, so if you are "paranoid" about security and want to read more about it from the founder of a "paranoid security vendor" - you can continue reading it.
Otherwise goto 7.
It is very important to understand that there is no catch-all solution - so do not be naive about it. All Android security best practices are great - but up to some point, as your Operating System (ROM, MOD,...) can, and will be compromised. I do not want anyone to panic - but there is NO perfect solution.
Stephan is right about Nubo's security design concept - if you violate the terms - your are out of the game. If you're out of network, or doing something suspicious - well - the device is not in control, no matter what. We aim towards satisfying both the user in their personal space, and the IT managers in the remote Android space.
It is very important for me to say clarify it is NOT a remote desktop. It's not even close to it - we have developed a Display protocol for Android from scratch - intended for the mobile environment. This is nothing like Remote Desktop/X11/VNC/... for "PC".
Should you need a "perfect" solution, you need to have a "trusted" device, which involves hard-core hardware support + secure bootloader + block verification chains etc. You can learn from the ChromeOS project if you are interested but I assume you are not willing to take it that far.
Answering the original answer: It depends on what phone. If you want
to use the PackageManager - you need your app to have a System
certificate, which means that unless you bundle it with your own
device, or do other tricky stuff I will not get into in this post -
you can't. What you can do is to use the BIND_DEVICE_ADMIN permission in your manifest,
and essentially register your app as an administrator (Something like MDM, etc.). Then, with some more trickery stuff you can handle your problem on the nominal case. You could bundle another app with that capability, and just invoke it from your app if you want to be on the very safe side.
*This post is already way too long and referring to too many questions so if you have further questions please go ahead and ask. I will try to reply before 2014...
step 1 : write a process to run in background
step 2 : make the process be active when cell starts
step 3 : check for internet connection or balance
step 4 : if internet available mail yourself phone specific details like IMEI ,MAC ,IP whatever you think is important ,
step 5 : locating GPS location would be very helpful
step 7 : recieve these mails from the mail id registered in your app
Related
I made a Java (on IntelliJ IDEA) application and I want to give it to someone via USB or Dropbox.
However I don't want him to give it to someone else, like you know, he downloaded the file, so he can copy/paste it to his USB and give it to more people.
Is there any way to prevent the application from being copied after I give him the application? At first I thought of making a login window, but then I thought "hey, if he knows the password to login to application, he can just give the application to someone and give him the password as well", so login window is not an option (I think?). Can I disable the copy/cut functions with If statements after being copied once?
Or I can only prevent it by linking my application with a database and generating unique passwords to activate my application? Like for example, someone requested to use my application, so I will give him the application but he won't be able to run it. Then I generate a password and sent him the password. However that password can only be used once so if he will try to use the same password on 2 different PCs, it will give him an error. Is there any guide/tutorial/tips of making something like that on Java?
You could create some kind of "activation code" for your software that is generated based on some information about the hardware it's running on. I've seen some people using, for example, the MAC address, that you can obtain in a platform-independent way in Java.
However, keep in mind that those techniques will only work against the most basic users. MAC addresses can be easily changed by anyone that knows how to use Google and even if you use something incredibly complicated instead of MAC addresses, Java programs are dead simple to decompile and once the attacker knows what function is checking if the program is correctly activated, he/she can easily replace it. Yes, you can obfuscate your bytecode, but it only makes the task a little harder, not impossible.
You can do what you suggested and use passwords that can only be used once, but then your program needs to know that it has been activated, by storing that information somewhere (a file or something like that). And once the user knows where that information is stored, it can be replicated on other computers.
Unfortunately, once the user has your program, you have no control over what he/she can do. You can make sure that the user is not going to do stuff he/she is not supposed to do with your program by not giving him/her the program at all. You can, for example, expose your program's features through the web. But, as you said, nothing stops an user from sharing login credentials with another person. Yes, you could check if the user is accessing the page from a different IP address, but then a legitimate user could have problems when, for example, accessing your program from a different wifi network. And in this case, your protection not only fails in solving the problem, but also becomes annoying to a honest user.
In summary, brilliant engineers at huge software companies have been working on protections for their software for years and I'm yet to see a software that cannot be illegally activated given enough time and effort.
I'm not sure if this question is entirely appropriate for SO but it seemed to work better here than in SuperUser so apologies if its in the wrong place. Happy to move it if so.
I'm trying to figure out how I'd automate the input of data into a system that didn't accept data uploads, but rather used forms put up on a screen. Use cases are e.g. where an enterprise wide system does accept uploads but the user lacks admin rights to fill in data she is required to populate, or with very old and specialized legacy systems where the functionality just doesn't exist and a serial input-review-rollback-commit cycle is enforced.
I'm not a programmer by trade so this is partly thought experiment but also to answer a question that has arisen at a business that I'm involved in.
I'm reasonably familiar with python and java if libraries for keyboard emulation exist but would be happy interpreting a pseudo code response too.
Responses that point to existing providers of such functionality that is embeddable or that tell me if I'm barking up the wrong tree also gratefully accepted.
Once again apologies as I know this isnt intuitively the best spot for this. Please do point me to a better location if you know of one.
Thanks
Possible solutions exist but they're all pretty bad
Is it a desktop application or a web application? If it's a web application you can use ghost.py to automate the interaction and submission of new records/entries. This work will be a glorious bundle of fun for the lucky code jockey who draws the short straw.
If it's a desktop application, it will be a great deal more difficult. Is it on Windows? Linux? MacOSX? Is the software written in Java? Using the Swing toolkit? AWT? SWT?
If it is a native Windows application you might be able to use Autohotkey to automate desktop interaction. This can be as basic as automatic clicks in pre-recorded parts of the screen, automating TAB keypresses to move around the input cells and reading input text from a data file and writing that out into the input cells. This will be even more entertaining than the web-solution mentioned earlier: truly the necessary ingredients for an authentic war story worthy of the annals of internet lore.
This is likely to be a lot of intricate work, error-prone, and subject to failure in the future if the UI of the software is changed; and such changes are very likely. It would be a lot easier to help if you could add more detail to the question.
Before embarking down this road, if I were you I would beg and plead with the software vendor to either provide me with an upload API; I would even offer to pay the vendor to upload my data for me. I cannot imagine either of the solutions I mentioned will be any cheaper, unless the work time of your developers has no value.
Good luck.
I have a serial to USB device and more than one of those can be connected to the computer. I need to query and retrieve a list of COM ports that the devices are connected to. In Windows Device Manager you can get the COM port + friendly name of devices that are connected at the present time. This list is dynamic.
Reading from the registry did not work because the information stored is stale and static, not dynamic.
Devcon (from Microsoft) does list the ports that devices are connected to, but it cannot be used in my app because it is not re-distributable.
Any ideas or preferably, a solution?
I had to solve a similar issue just some weeks ago. I came accross the Jawin-Project that provided everything you need to use WMI-Queries. It is already quite old but works like a charm if you follow the documentation. A nice German walkthrough can be found codegods blog.
For me, it did not solve all problems (I had some very specific things to find out about the target device), I finally created an own JNI (Java Native Interface) Class and DLL in C incorporating the windows API.
I hope this is what you searched for.
Did you try this jUSB API or This example ?
I hope this will help you.
Use JNA (https://github.com/twall/jna) and take a look at the following page. It might be a useful point to start from.
http://www.digitalinferno.com/wiki/Wiki.jsp?page=JNAPrintDevices
I am looking at Java Native Access as it provides access to the windows API from pure Java code - no JNI to deal with. I was concerned about the LGPL license; whether it can be included in a commercial product but from what a few posts in the newsgroup say, it can be.
After I try it out in the next few weeks, I shall post back here.
I am writing a plugin for the popular Minecraft server software, Bukkit.
My plugin will require sending player scores to my server, to work out a global leaderboard.
Seeing as Java can be decompiled, someone can decompile the plugin, and find out how it works (It's open source anyway). I am looking for a method of sending data to my server (player scores), in such a way so it can not be spoofed, and the leaderboards cannot be rigged.
I was considering making the plugin's users (server owners) sign up to the leaderboards site, and then use their own username/password combination to connect to my leaderboards. If it was abused, I could simply block that server from the leaderboards. This is not the most efficient method however, as I would have to administrate the joins and approve the amount of kills.
How would I go about making sure the client (Bukkit Server Plugin) can't spoof kills?
If your concern is that a legitimate user is educated enough to decompile your jar, understand your code and figure out how to send wrong data from your plugin, authentication methods are of no use (the user is already legitimate) and I assume the logic that calculates what you want can not reside in the server. In this case your best option would be to obfuscate your code
Making it open source is what's stopping you. If it was closed source you could obfuscate your jar and it would be much harder to decompile your code.
If you still want it to be open source, you could keep an eye on rapidly growing servers or very high scored servers. But like you said, that's very inefficient.
Post on the Bukkit forums, they might have a better answer for you.
My boss has asked me to implement a project that includes writing a "mobile code" using java programing language. This code will be transferred on the network of nodes ,going from the source code node to other nodes, and at a point returning to it with certain information.
Since its the first time somebody asks me to implement a networking project ..i have no idea what "mobile codes " are.
So i tried to do a lil research and it turned out that "mobile code is software transferred between systems, e.g. transferred across a network or via a USB flash drive, and executed on a local system without explicit installation or execution by the recipient." (from wikipedia)
however i couldnt find anything useful related to mobile codes transferred on the network that explains them in details and that gives open source examples so i know what kind of programming i will be doing.
all im asking for is to give me resources ( urls, books, .. ) just anything that i could read, understand and build upon.. because at this point, all i know about mobile codes are the definition i pasted above !! thank you :)))
PS: please let the resources u;ll be giving me be specific to the project i have to implement.
lookin forward for you replies :)
Assuming I understand your boss, what he wants are "agents". There are several libraries to make writing agents easier.
IBM's aglets
JADE (Java Agent DEvelopment Framework)
JavaTM
Did you ever see The Matrix? The description Morpheus gives Neo for "agents" describes software agents much more closely than it does government agents.
I am sure JADE is active, but not very sure if Aglets are still maintained.