[Q] Low level Application Authentication (like JAAS) - Android Q&A, Help & Troubleshooting

Hi,
I'm looking for a way to add authentication to an Android application, a bit like JAAS on the standard Java VM.
With JAAS, there is a login module which is not included in the application but called by the VM (not explicitly by the application) when it is required (start screen or when session ends or accessing screens, resources, ...)
One of the purposes of this is to keep application code agnostic of authentication, authorization, ...
From what I've read on Android and Dalvik so far there is nothing in this range and I'm a bit surprised. Am I wrong? Is there anything I haven't seen?

Related

[Q] Phone Audit with desktop application

If anyone is familiar with Speccy for the PC they know more or less what I am looking for.
I am looking for an app that does a thorough audit of a phone (Android platform) but not only displays it on the phone (plenty of apps do that). I'd want it to export the audit to a file that can then be opened in a desktop application with an easier to navigate and study interface.
Currently, like I said, there are a number of applications that can do part of this as an added feature, but I have not seen any dedicated app to do an audit of the phone, things from programs, space used, network, hardware, permissions for particular programs, etc. I'd like it to be as thorough as possible, but to be viewable in a reasonably OK interface on a desktop.
Browser maybe preferably for the linux and iOS users so that it isn't tied down to one Operating system.
Any ideas of something like this, or anyone working on something similar?
Sorry for reviving this thread but I'm interested as well.

How to create a communication system between an Android and other ASP.NET

Guys, good afternoon.
I'm doing a project where I need a web system, done in ASP.NET, to communicate with an Android system.
Thus, the two systems will use the same database.
I came to find out about WEBSERVER, but I found this on a forum that left me a little confused:
"It is worth noting that the consumption of Web services on mobile devices is not recommended by the Android development team due to the processing overhead of SOAP calls. If you have control over the server, the ideal is to use REST-based architectures such as OData."
Is it not recommended to use webserver in Android?
How then can I create that communication between the two systems?
Now appreciate everyone's help.

[Q] Multi user handling in Android on platform level

Hello,
Has anyone information on how the multi-user environment that is available in Android 4.4 (and earlier) is implemented in the Android platform?
I would like to use different users to start processes or apps on an Android device. Based on the user that has started a process I want to define iptables entries to route the resulting IP traffic over a specific IP interface.
I am wondering if it is possible to start an app as a different user than the user logged in to the Android GUI.
One thing I noticed is that when I switch the user on the Android GUI I am always disconnected from my ADB shell. So it seems that some processes are killed when the user is changed. So at first I want to get a better understanding of how the multi-user environment is implemented in Android.
Thanks,
Ralf

[Q] Context Simulation: Decision Help

Hello together,
I'm currently writing my master's thesis with the topic "Context Simulator For Mobile Business Application". The goal is to test how an Android application reacts during changing context conditions: How does an application react if the battery is almost empty? How does an application react if the internet connection breaks down during data transmission? How does an application react if an SD card is available/not available? ...
I want to simulate all of these factors on the PC and send the data to my Android device. Some more examples:
- Simulating sensor data for accelerometer, gyroscope, ...
- GPS
- Camera and microphone (if an application requests a camera image, it should receive a image from my simulator)
- Fake connection for Wi-Fi, HSDPA, EDGE
- Fake time, time zone and date
- Simulate a specific battery level
- Fake calendar entries
------------------ My approaches ------------------
No 1:
Extend an existing custom ROM with my features => Some calls should not be passed to the OS (example: GPS) but to my simulator on the PC. Also send data (example: battery level) to the Android OS, for example to pretend a low battery level.
No 2:
Write my own sandbox application (I haven't found information on this topic so far). In this sandbox application, I'm going to start my application to test. So it is possible to fetch all requests from this system under test and I can decide if I want to pass them to the Android OS or to my simulator.
No 3:
Develop my own library, which will be included by my system under test. This library extends some Android classes (e.g. Activity, Location Manager, Sensor Manager). My extension classes will transmit the request to my simulator instead of to the OS.
I'm afraid I will only have limited functionality when I'm using this approach.
No 4:
Take the sensor simulator from OpenIntents as a basis and extend it as well as possible.
-------- About Me --------
I only have little experience in Android development, but a lot of experience in Java development. I know I should now read a lot about custom ROMs, ... Unfortunately this thesis should be finished at the end of March.
------- What I want from you -------
Advice. I hope you understand my problem. Which is the best way to realize this project? I would like to have as much functionality as possible. My prototype doesn't need to support all context factors, but I should consider all factors in my system design.
I wanted to attach two graphics, but unfortunately I'm not allowed to. These are two possibilities and I'm not sure which one is better (and also, if they are possible):
http ://s7.directupload.net/images/131212/bnpuo8gh.png
http ://s7.directupload.net/images/131212/e7u8dv4r.png
Thanks a lot,
Michael

MITM https on Android apps fail in some sessions

Hi,
Been doing some research and somehow some applications do not let me see traffic, even if I change the hardcoded baseurl or endpoint. In mitmproxy it always gives me:
Client Handshake failed. The client may not trust the proxy's certificate for domain.zyx.
<and some hex dump here \x00\x00\x00\x00\ ..>
While other applications do not check this and traffic flows through my mitmproxy. Yes, I am running it in transparent mode. In regular mode it does the same but it shows no error, just nothing.
So the variable here is the APK build settings or an import like:
import java.security.cert.Certificate;
?
When I just toss it a test application and my domain with Let's Encrypt it works, so this is not the issue. (Yes, the certs of the proxy are installed on the end device).
edit: Digging deeper into the rabbit hole... okhttp3 seems to be the issue here, its MITM security prevents it.
Solution seems to be: https://github.com/ac-pm/SSLUnpinning_Xposed
Any ideas?
Look into Frida, it lets you hook any function. So you can bypass cert pinning by hooking certain functions.
An app built on top of Frida may already help you, try out objection.
https://github.com/sensepost/objection
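
Why a pinned client rejects the proxy even though the proxy's CA is installed on the device, shown as an added example that is not part of the original thread and is not OkHttp's own code: a JDK-only sketch of a public-key pin check using the `sha256/<base64>` pin format of OkHttp's CertificatePinner. The class and method names are hypothetical, and the keys are generated on the spot as stand-ins for certificate public keys.

```java
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.util.Base64;
import java.util.List;
import java.util.Set;

public class PinCheckDemo {
    // Pin string: "sha256/" + base64(SHA-256 over the key's SubjectPublicKeyInfo DER).
    static String pin(PublicKey key) throws Exception {
        byte[] spki = key.getEncoded(); // X.509 SubjectPublicKeyInfo encoding
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return "sha256/" + Base64.getEncoder().encodeToString(digest);
    }

    // Accept only if some key in the presented chain matches a pinned value.
    // A pinning client runs this on top of normal trust-store validation.
    static boolean chainMatchesPins(List<PublicKey> chain, Set<String> pins) throws Exception {
        for (PublicKey key : chain) {
            if (pins.contains(pin(key))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        // Constructed keys standing in for the public keys of real certificates.
        PublicKey serverCa = gen.generateKeyPair().getPublic();
        PublicKey serverLeaf = gen.generateKeyPair().getPublic();
        PublicKey rotatedLeaf = gen.generateKeyPair().getPublic();
        PublicKey proxyCa = gen.generateKeyPair().getPublic();
        PublicKey proxyLeaf = gen.generateKeyPair().getPublic();

        Set<String> caPins = Set.of(pin(serverCa));     // pin shipped inside the app
        Set<String> leafPins = Set.of(pin(serverLeaf)); // stricter, but brittle

        System.out.println("genuine chain:           " + chainMatchesPins(List.of(serverLeaf, serverCa), caPins));
        // The proxy's CA may be trusted by the device, yet none of its keys match.
        System.out.println("proxy chain:             " + chainMatchesPins(List.of(proxyLeaf, proxyCa), caPins));
        // Certificate renewal with a new key: CA pin survives, leaf-only pin does not.
        System.out.println("rotated leaf, CA pin:    " + chainMatchesPins(List.of(rotatedLeaf, serverCa), caPins));
        System.out.println("rotated leaf, leaf pin:  " + chainMatchesPins(List.of(rotatedLeaf, serverCa), leafPins));
    }
}
```

For app developers the last two lines are the operational caveat: a leaf-only pin breaks on every key rotation unless a backup pin ships with the app.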
