I'm a major in network security at the moment, and as I've been studying ROM development and the ways that OTAs work, I've come across a method of forcing an OTA that I don't believe I've heard done before. That is, spoofing a web location on a network, and placing a system image in the location. This can be achieved using a typical man-in-middle exploit(of course legally, and under a controlled/private environment).
What I'm curious to however is whether or not Android does a more extensive location check; e.g. if Android checks for SSL/Verification on the location before initiating a download? Would this only work with a system OTA image? What are possible system implications that could prevent this from being achieved?
Thanks in advanced for any answers you may have. I'll be posting further papers and research if I find definitive answers and methods.
Reserved.
Bump reason: I'd really like to know the answer. I haven't been able to find anything conclusive.
You are better off looking in the dedicated security section.
zelendel said:
You are better off looking in the dedicated security section.
Click to expand...
Click to collapse
Sorry, I hadn't realised that this would fit in their. Would it be possible to move it there by any chance?
have you found a way to bypass the need to sign with google's or the oem's keys?
Related
Hi, all.
I apologise if this is a weird/stupid question or if it's in the wrong place but I'm relatively new to Android development in general and I'm just looking to get a feel for what is possible and what isn't.
I know that the stuff regarding the secure element inside certain phones is kept on a strictly need-to-know basis and Google only lets certain people have access, but how about the apps that are running on the phone, such as Google Wallet?
What I mean is, is it possible to write an App that communicates with something like Google Wallet (not necessarily this app specifically) instead of an NFC device? At its simplest, when you pass your phone over a credit card terminal, it communicates via the NFC chip to the wallet application. What I'm looking to do is bypass that terminal and just communicate directly with the app via another app, sending the necessary commands directly. Is this possible? (If so, I'm not looking for a how-to, just if it's doable or not).
I know it might be complicated and there's a lot to learn, APDU commands and all that - that's fine, but as I said above I'm a bit of an Android n00b and I don't want to put a lot of effort into building a test app and learning all the API commands if what I want to do isn't possible.
If someone could chime in with their knowledge, I'd be very appreciative.
FYI: I work in the credit card industry, but my company doesn't deal with mobile (yet) and I'm putting the feelers out for what is and isn't possible in that area.
Thanks in advance!
Please ask questions in the Q&A forum, not development.
Thread moved.
Also, OP - this may help
https://developers.google.com/in-app-payments/docs/
Sorry, my mistake.
Also that link is about in app payments, I'm not looking into doing anything like that. Rather I need to communicate specifically with the applets that are stored on the SE within the phone. I presumed this would be through whatever app installed them (i.e. google wallet) but I feel I may be mistaken on that.
Wanted to start a thread on this subject as I have yet to see anything regarding AfW anywhere in these threads.
Does anyone have any information on how the o/s will handle securely wrapping applications and how the o/s creates a second partition/perimeter that is secured from the personal side?
Google Android For Work if you haven't heard about it.
I'm wondering if a rooted device would be able to trick the MDM protected work perimeter to think it has a secure bootrom, recovery partition and valid o/s?
Anyone have a picture of what the filesystem difference looks like?
There's such little information on this, yet it was released with 5.0 lollipop and I'm sure if we reverse engineer the way it functions we could create our own pki enabled MDM open source solution. This would allow end users to freely use there phone without the fear of being snooped on by viruses, corporations for marketing purposes, etc. Overall an open source Mobile Iron solution is what I'm getting to.
Let me know what you guys think.
I am looking to move to an android phone and I need one that has the ability to have restricted accounts, similar to what was introduced on tablets with 4.2 or what iphones have, where you have a password protected way of enabling or disabling different applications. I have seen a program called applock on Android that attempted this, but it had a severe flaw that made it easy to bypass. Is anyone aware of a custom rom that enables this, or perhaps a modification to build.prop that would enable it?
webbwbb said:
I am looking to move to an android phone and I need one that has the ability to have restricted accounts, similar to what was introduced on tablets with 4.2 or what iphones have, where you have a password protected way of enabling or disabling different applications. I have seen a program called applock on Android that attempted this, but it had a severe flaw that made it easy to bypass. Is anyone aware of a custom rom that enables this, or perhaps a modification to build.prop that would enable it?
Click to expand...
Click to collapse
Try MIUI ROM.
randomx1 said:
Try MIUI ROM.
Click to expand...
Click to collapse
Does it allow you to disable things like the play store and system browser? I am trying to get a good, child proofed phone.
Hi guys, not sure if this is the right place to do this but i've got a question i hope i can get clarified here with you experts
I am a PM that is in charge of a managing the delivery and development of a business's mobile application. Recently the company is looking to get rid of the incumbent developer due to unprofessional-ism and exorbitant fees. The other technology partner i am directly engaging with is a newly appointed development house and is tasked to clone the app and add additional features the incumbent refuses to add on.
Come launch date, the business requires the new app to replace the old app. To the existing customer base, the goal is to ensure that the transition is as seamless as possible. They are hoping that when existing users open the app, they will be prompted to install an update where the old one is then replaced with the old one. As such, is it possible for the new technology partners to this? What are the necessary steps required? I am trying to ensure that all necessary precautions and dependencies are covered to ensure any potential backlash / fallout. Is it as simple as obtaining the app certificate and ensuring the apk is named exactly the same? Any advice would be helpful.
The worst case scenario here would be to get the users to reinstall the app entirely or treat it as a completely separate app. :crying:
You need the signature keys of your first developer to sign the new APK which needs to have the same package name. And access to the dev console. Then you can upload the new app which will be treated as every other update by Google Play. Without changing the first app you won't be able to force the users to update AFAIK.
Fellhuhn said:
You need the signature keys of your first developer to sign the new APK which needs to have the same package name. And access to the dev console. Then you can upload the new app which will be treated as every other update by Google Play. Without changing the first app you won't be able to force the users to update AFAIK.
Click to expand...
Click to collapse
Hi thanks for the reply. Much appreciated! Would this be similar for iOS as well?
Relating to the last statement. What do you mean by "without changing the first app.."
androFRUST said:
Hi thanks for the reply. Much appreciated! Would this be similar for iOS as well?
Click to expand...
Click to collapse
I don't have enough experience with iOS to comment on that.
Relating to the last statement. What do you mean by "without changing the first app.."
Click to expand...
Click to collapse
While you can upload a new version of the same app the users would still have to manually (or automatically if their device is configured that way) download it. Google released a "forced update" API a while ago. If that is included in your old app that might help. Otherwise you would have to add it manually which would require access to the source code. But then the users would have to manually update too so it would be quite useless.
So one way to force them to update is to disable all APIs the app might use but that might alienate the users as they have no clue why it stopped working. So as long as you have no notification system that is working right now you have to depend on your users updating.
Is there a phone/android version that allows someone whos not an Android expert to actually have control over what their phones doing? Or is it just not possible nowadays for a regular person to fully control the info their phone sends?
Sorry if this sounds cynical, it really is a genuine question.
Thank you.
Hi Steve, it sounds like what you need is a rooted phone. Forgive me if you're already familiar with the term, but rooting basically gives you administrator rights over just about everything on your phone, with only a few exceptions depending on which Android version the phone is running. This allows you to do stuff like revoke permissions for apps, block ads, and change how Android looks and behaves.
Do you have a phone in mind already? If not, what's your budget?
questions should be posted in q/a Thread moved please review the rules ( located below)
rhythm_dx said:
Hi Steve, it sounds like what you need is a rooted phone. Forgive me if you're already familiar with the term, but rooting basically gives you administrator rights over just about everything on your phone, with only a few exceptions depending on which Android version the phone is running. This allows you to do stuff like revoke permissions for apps, block ads, and change how Android looks and behaves.
Do you have a phone in mind already? If not, what's your budget?
Click to expand...
Click to collapse
Thank you for your help. I had a rooted phone, but a friend did it for me. Now I have a S8 active on Pie and from my research the bootloader I have (V5) is not rootable. I'm definitely not well versed in Android though and could be wrong. That's why I was wondering if there was a device that offered full control without the need and rick of rooting. If there's not, could you suggest one that is perhaps the simplest and least risky to root? I don't need top of the line, I don't game or anything and would be fine with getting something used. thanks again!
Luckily, there is a way in stock Android to control permissions! I forgot about it when I was typing my previous response. Here's an overview: https://www.howtogeek.com/355257/can-you-control-specific-permissions-on-android/ Hope that does what you're looking for.
If you want to do more with a rooted phone like block ads, there are some that are easily rootable, like the Google Pixel series. Here are a few options: https://www.androidcentral.com/best-phone-rooting-and-modding I liked the Pixel 2XL I used through my previous job, and I've heard good things about the other Pixels, for what that's worth. I haven't tried the other phones in that link, but the OnePlus phones have an excellent reputation.
There are many other phones that have varying degrees of difficulty for rooting, but I'm not aware of any relatively recent ones not on that list that I'd consider easy to root. I've found that the best approach to finding a new phone is going to GSM Arena's Phone Finder to put on my criteria, then coming back to XDA and searching through the forums to find out whether my prospective phone of choice has root yet. As you've discovered with your S8, some phones just never get there, which is pretty frustrating.
I hope that helps! Holler if you have any other questions.
Well, that's my main issue, you can only control certain permissions there. When I click "all permissions" I can see them all, but not turn them off. It's just a bummer that one has to go thru all this rigmarole to control a device they supposedly own. I was hoping maybe someone made a device that you could control stock, but I guess that was wishful thinking. Thanks again.
SteveJustSteve said:
Is there a phone/android version that allows someone whos not an Android expert to actually have control over what their phones doing? Or is it just not possible nowadays for a regular person to fully control the info their phone sends?
Sorry if this sounds cynical, it really is a genuine question.
Thank you.
Click to expand...
Click to collapse
You must distinguish between Android OS itself and the apps that run on it: Android OS has no permissions you can invoke/revoke, only hardware/OS specific settings can be made there, but permissions can be granted/withdrawn from an app - if its developer has allowed the latter. To change the permissions of an app basically no rooted Android is required, this is done either via Android->Settings or via a 3rd-party APK editor.
BTW: It exist 3rd-party apps that can show you what apps are sending/receiving data over Internet.
Hint: Use your Android phone without Google.
Is root required to disable hardware?
SteveJustSteve said:
Is root required to disable hardware?
Click to expand...
Click to collapse
No, only a hammer. :laugh: