We have tons of Anti-Theft apps in Android market, all of them do more or less the same thing - track and report your lost / stolen phone's location, disable features or lock the phone remotely. All of them are apps running on Android and will not function if the someone manages to flash a new ROM onto the phone.
Is there a possibility to have a real anti-theft software running in our phones? By this it means the software should not be running as an Android app, but may be on a higher level, and it should stay and run all the time irrespective of whatever a stolen phone will possibly undergo. I guess it is nearly impossible to create a software like this, unless and until there is some level of hardware support which can't be easily replaced or tampered with.
Curious to hear from the experts in this section.
I searched the forum for such a question but in vain - Mods, please move/delete this if it has been discussed in some other thread already.
Please use the Q&A Forum for questions Thanks
Moving to Q&A
Related
Hi all
I am currently in the planning stages of developing a root security system for Android.
As everyone knows, there are security implications to rooting your phone etc. Untill now, I have used the normal means of controlling this (lock security, disabling ADB, Superuser.apk whitelist), but this is of limitted help if someone physically gets hold of your phone (while unlocked or ADB enabled).
There are a few things I would like to implement, and would like to gather some feedback on whether;
a) It will be of use to anyone but me, and
b) If anyone has any input as to the feasability (or has done any such work in the past)?
There are 3 areas I would like to lock down, somehow. It will not perfect the security, but will go a long way toward improving the overall security on rooted devices. I have not done much reasearch as yet, so some of this may be impossible. These are:
1) CWM recovery: Currently, CWM (and other recovery/pre-android resources) can be used to bypass almost anything you put in place to secure your phone. I would like to implement a password/passcode on CWM to lock out unauthorised changes. My personal preference would be to store this in /data somewhere it would be removed on wipe, and leave the option to wipe without passcode (so you don't end up with a brick if you forget the password), but lock out all security-sensitive operations like flashing. That way, someone could get to recovery, but would have to wipe data to be able to do anything usefull without authorisation.
2) ADB: Currently, even if your phone is locked you can get access to everything through ADB. The only way I currently see to do anything about this is to disable ADB when you are not using it, but this is irritating when you use it as much as I do. What I would like to do instead is either force a popup from Superuser.apk to grant root every time you connect, or implement a password which must be entered on connection. Both could be problematic, but I think forcing a confirmation (or even a check if the dev is unlocked) would be most useable, but my knowledge is limitted here. It may be that neither method is practical and disabling ADB is the only practical solution.
3) Superuser.apk: Everyone knows they should have security set up on their phones and not leave it lying around unlocked, but some don't like the hassle and most will occasionally forget to lock it. I would therefore like to implement securoty on Superuser.apk to stop (at least) new apps from aquiring root. This is the least important IMHO, but would be a further step towards improving security.
So, what does everyone think?
Questions or Problems Should Not Be Posted in the Development Forum
Please Post in the Correct Forums & Read the Forum Rules
Moving to Q&A
lufc said:
Questions or Problems Should Not Be Posted in the Development Forum
Click to expand...
Click to collapse
Sorry. I posted in Dev because this is the beginning stages of some development I plan to do, but fair enough.
I can only really answer the first question... I would be interested in something like this. I've actually taken an interest in mobile security recently, but I've constrained myself to existing products like avast and PDroid to give me some extra protection. When it comes to hardening these other components... I don't know enough about stuff at that level. But I would dig it.
Things like avast handle some things, like disabling debug if you remotely lock it. But it wouldn't solve things like securing CWM if the person simply reboots into recovery.
How do you disable ADB now?
please, do it!
drmouse81
As a poor ex-owner of a lost Samsung Galaxy Ace, I would love to have a password protected CWM recovery ... this would have propably saved my device (an have back my loved photos!)
My device was operator-locked, SIM was pin protected, screen was locked by pattern ... I rang to my lost mobile, taxi driver answered ... spoke with him ... asked him to return my phone I was offering rewarding. He laughted a lot!
Yes, there are apps to locate your terminal, ring loud, etc. But none solves the basic problem of someone that wipes the phone, puts a new bootloader, etc.
Most people do not knkow that IMEI blocking only works in home country of the SIM operator.
On the other hand, there were a lot of past discussions on this topic, but many people seem not to see this as feasible.
If you find a way to solve this, I am sure you will do a lot of money with companies, who are looking for a real solution to information loss on mobile devices.
Requirements: phone should be not functional. thieves would be able to use them only for spares ...
a) require password to make changes to bootloader / wipe (that is, recovery is also blocked)
b) encryption of user data (even in SD)
c) allow to swipe a new SIM, provide pin of the SIM, then block the phone but send SMS with new number and location. Show on screen customizable message (such as -- this phone is property of xxx and has been lost/stolen -- please contact owner at xxx or hand it to police --- )
Is this possible? Why previous discussions shut off this topics?
Best luck - would love to be guinea pig for this ...
CTone.
---------- Post added at 01:00 AM ---------- Previous post was at 12:39 AM ----------
www dot cyanogenmod dot com slash blog slash security-and-you
Hi
I stopped posting here for a couple of reasons, the main one being I have been too busy. I'm still planning to take this on, but it may be a while.
The other problem is that, although it will help, it will not secure the device completely. There will always be ways around it. Manufacturer supplied tools will still bypass it.
As for your phone, did you contact the police? Knowing the taxi driver answered, they should have been able to get it back, or at least prosecute they b#####d!
Sent from my MB860 using xda premium
You actually have a really valid and practical idea...
Have nothing to contribute here, just want to encourage you...
:thumbup:
If personal life does permit you, please do consider working on this
Typed using a small touchscreen
Hi there. I just got my first smartphone a couple weeks ago and I'm loving it. Samsung Galaxy SII i777 with gingerbread. I was talking with my friend today and he told me about this site and how amazing it is so I decided to check it out! However I'm incredibly lost. I see all the posts about how to root your phone and everything that says HOW TO, but I couldn't find any "WHAT IS" threads (surprisingly not in the stickies).
So could someone do a noob a favor and explain what all these different things are? Like rooting, kernel, etc. I dont plan on using anything other than the default gingerbread/ICS any time soon, but my friend told me there are tons of good benefits behind the scenes from kernels, namely getting double the battery life I'm getting now, so I definitely want to start looking into all that -- I just need to get a foundation on what's what.
Thanks in advance for the help
Read the design section from this wikipedia article about the Android operating system for an explanation of of what the kernel is
http://en.m.wikipedia.org/wiki/Android_(operating_system)#section_2
Here is an explanation of rooting and Android phone
http://en.m.wikipedia.org/wiki/Rooting_(Android_OS)
For basic definitions of terms like this google and wikipedia are great resources, as well as the stickies posted in these forums.
Now once your learn some about this things after looking and reading you will then be able to ask more specific questions which people here are very helpful with.
However general basic questions about terms and definitions like this post will sometimes generate some not so friendly responses here.
Sent from my SGH-I777 using XDA Premium HD app
http://forum.xda-developers.com/showthread.php?t=1511999
I looked through the sticky before posting, and the wikipedia links don't answer my question. I just want to know what exactly a kernel is, the different benefits of rooting your phone, etc. Any BASIC (not overly detailed) stuff people should known when first starting to do this stuff
The FAQ had "what is rooting?" and that was it..
http://www.reddit.com/r/Android/comments/distm/allwhy_should_i_root_here_is_why/
http://www.reddit.com/r/Android/comments/dctbb/okay_so_you_rooted_this_is_what/
Will add more as I find them.
ScelestusAnimus said:
I looked through the sticky before posting, and the wikipedia links don't answer my question. I just want to know what exactly a kernel is, the different benefits of rooting your phone, etc. Any BASIC (not overly detailed) stuff people should known when first starting to do this stuff
The FAQ had "what is rooting?" and that was it..
Click to expand...
Click to collapse
The BASIC stuff you should know when starting "to do this stuff" is don't skip the details they are important and they will help keep you from making big mistakes.
The main reason/benefit that drives most average people to root their phones is to get direct access control over the /system partition and the applications installed there - to have more control over the "system apps". This allows them to debloat their device and to directly back up system apps (i.e. Titanium Backup).
Though there is allot more available to them and many different things that different people do with root. Once you have root access as the term root suggests, root gives you access to the very root partition "/" and everything below it (this means that root privileges gives you access to everything on your phone). It allows you access to troubleshooting, tweaking and theming that you would not otherwise be able to do.
Just remember the saying "with great knowledge comes great responsibly". Because once you have root access, you can then give applications that same root access - and that will allow that app free run through everything on your phone, as well as any and all accounts you have sync'd to your phone. So be careful to be stingy with what apps you allow root privileges, because if you allow a rogue or pirate app such control it could do quite allot of damage and steal quite allot from you before you ever know what happened.
As to exactly what the kernel is (summarizing part of the Wikipedia article says because it does tell you exactly what the kernel is) - the android kernel is the core of the android operating system (just like the Linux kernel is the core of the Linux OS as the android kernel is built directly from the Linux kernel). The kernel is the part of the OS that allows the user input and application inputs to interface with the hardware - it is the drivers and communication translation between the user controls/applications and the hardware it operates on.
i want to develop an application for Android Devices but there are no possible for users to remove it from phone unless a password is used?
is that even possible?
Please use the Q&A Forum for questions &
Read the Forum Rules Ref Posting
Moving to Q&A
Apps installed to /system/ can't be uninstalled I don't think, but you can I believe only move an app to /system/ on rooted phones, and I don't believe you could do it to the currently running app (i.e. an app couldn't move itself to /system/). EDIT: Of course, on rooted phones, the app could also be removed easily by any number of root tools.
I think also if an app has a service installed, it can't be removed without first disabling the service. You would have to have the app install a service, and get the user to enable it. I think this would stop the app being uninstalled unless the user disables the service (which could be done outside the app, so you can't stop it with a password or whatever).
I am not 100% certain on either of these, but I think this is right.
Anyway, presumably the reason there is not a "better" way to do what you want is to prevent hard to remove malware. (Something like what you want couldn't be removed without root if it were possible).
Hi, all.
I apologise if this is a weird/stupid question or if it's in the wrong place but I'm relatively new to Android development in general and I'm just looking to get a feel for what is possible and what isn't.
I know that the stuff regarding the secure element inside certain phones is kept on a strictly need-to-know basis and Google only lets certain people have access, but how about the apps that are running on the phone, such as Google Wallet?
What I mean is, is it possible to write an App that communicates with something like Google Wallet (not necessarily this app specifically) instead of an NFC device? At its simplest, when you pass your phone over a credit card terminal, it communicates via the NFC chip to the wallet application. What I'm looking to do is bypass that terminal and just communicate directly with the app via another app, sending the necessary commands directly. Is this possible? (If so, I'm not looking for a how-to, just if it's doable or not).
I know it might be complicated and there's a lot to learn, APDU commands and all that - that's fine, but as I said above I'm a bit of an Android n00b and I don't want to put a lot of effort into building a test app and learning all the API commands if what I want to do isn't possible.
If someone could chime in with their knowledge, I'd be very appreciative.
FYI: I work in the credit card industry, but my company doesn't deal with mobile (yet) and I'm putting the feelers out for what is and isn't possible in that area.
Thanks in advance!
Please ask questions in the Q&A forum, not development.
Thread moved.
Also, OP - this may help
https://developers.google.com/in-app-payments/docs/
Sorry, my mistake.
Also that link is about in app payments, I'm not looking into doing anything like that. Rather I need to communicate specifically with the applets that are stored on the SE within the phone. I presumed this would be through whatever app installed them (i.e. google wallet) but I feel I may be mistaken on that.
Is there a phone/android version that allows someone whos not an Android expert to actually have control over what their phones doing? Or is it just not possible nowadays for a regular person to fully control the info their phone sends?
Sorry if this sounds cynical, it really is a genuine question.
Thank you.
Hi Steve, it sounds like what you need is a rooted phone. Forgive me if you're already familiar with the term, but rooting basically gives you administrator rights over just about everything on your phone, with only a few exceptions depending on which Android version the phone is running. This allows you to do stuff like revoke permissions for apps, block ads, and change how Android looks and behaves.
Do you have a phone in mind already? If not, what's your budget?
questions should be posted in q/a Thread moved please review the rules ( located below)
rhythm_dx said:
Hi Steve, it sounds like what you need is a rooted phone. Forgive me if you're already familiar with the term, but rooting basically gives you administrator rights over just about everything on your phone, with only a few exceptions depending on which Android version the phone is running. This allows you to do stuff like revoke permissions for apps, block ads, and change how Android looks and behaves.
Do you have a phone in mind already? If not, what's your budget?
Click to expand...
Click to collapse
Thank you for your help. I had a rooted phone, but a friend did it for me. Now I have a S8 active on Pie and from my research the bootloader I have (V5) is not rootable. I'm definitely not well versed in Android though and could be wrong. That's why I was wondering if there was a device that offered full control without the need and rick of rooting. If there's not, could you suggest one that is perhaps the simplest and least risky to root? I don't need top of the line, I don't game or anything and would be fine with getting something used. thanks again!
Luckily, there is a way in stock Android to control permissions! I forgot about it when I was typing my previous response. Here's an overview: https://www.howtogeek.com/355257/can-you-control-specific-permissions-on-android/ Hope that does what you're looking for.
If you want to do more with a rooted phone like block ads, there are some that are easily rootable, like the Google Pixel series. Here are a few options: https://www.androidcentral.com/best-phone-rooting-and-modding I liked the Pixel 2XL I used through my previous job, and I've heard good things about the other Pixels, for what that's worth. I haven't tried the other phones in that link, but the OnePlus phones have an excellent reputation.
There are many other phones that have varying degrees of difficulty for rooting, but I'm not aware of any relatively recent ones not on that list that I'd consider easy to root. I've found that the best approach to finding a new phone is going to GSM Arena's Phone Finder to put on my criteria, then coming back to XDA and searching through the forums to find out whether my prospective phone of choice has root yet. As you've discovered with your S8, some phones just never get there, which is pretty frustrating.
I hope that helps! Holler if you have any other questions.
Well, that's my main issue, you can only control certain permissions there. When I click "all permissions" I can see them all, but not turn them off. It's just a bummer that one has to go thru all this rigmarole to control a device they supposedly own. I was hoping maybe someone made a device that you could control stock, but I guess that was wishful thinking. Thanks again.
SteveJustSteve said:
Is there a phone/android version that allows someone whos not an Android expert to actually have control over what their phones doing? Or is it just not possible nowadays for a regular person to fully control the info their phone sends?
Sorry if this sounds cynical, it really is a genuine question.
Thank you.
Click to expand...
Click to collapse
You must distinguish between Android OS itself and the apps that run on it: Android OS has no permissions you can invoke/revoke, only hardware/OS specific settings can be made there, but permissions can be granted/withdrawn from an app - if its developer has allowed the latter. To change the permissions of an app basically no rooted Android is required, this is done either via Android->Settings or via a 3rd-party APK editor.
BTW: It exist 3rd-party apps that can show you what apps are sending/receiving data over Internet.
Hint: Use your Android phone without Google.
Is root required to disable hardware?
SteveJustSteve said:
Is root required to disable hardware?
Click to expand...
Click to collapse
No, only a hammer. :laugh: