Manage employee android devices (phones & service provided by the company) - Android Q&A, Help & Troubleshooting

Hey everyone, my company currently uses google apps and provides several of our employees with cell phones (currently running 6.0.1) and the service plan.
What kind of software is available to set limits to these phones in android? Such as setting & enforcing data limits, and the ability to install and uninstall apps, etc? The employees will be made fully aware that their company phones are being managed. I'm not looking to hide anything or be devious about this, I'm just looking to retain control over our devices and make sure they aren't being misused.
Thank you in advance!

Related

[Q] Android Fleet Deployment/Provisioning/Management options?

I did have a search on here, but didn't find anything particularly relevant so I'm hoping some people could help me out.
My situation is that I manage the deployment of Android Handsets and Tablets within my company. This process is fairly ad-hoc as in, I order a few handsets at a time, set them up with company software requirements + some desktop shortcuts, and ship them to the specific user.
My problem is that the quantity of devices I'm going to be deploying in the next 12 months will grow significantly, and this job is extremely boring, and costing me in time wasted on a repetitive task that could be much better spent on other things.
So I am looking for tools to help make this process more automated/quicker/simpler.
The crux of my requirements are:
a) install software packages (some from market, some not eg Lotus Notes Traveler)
b) Slight desktop customisations (add some app shortcuts, browser homepage etc) - realistically this is optional, but I thought I'd mention it.
Currently I take care of (a) with a homegrown python script which makes some adb calls.
(b) and (c) are entirely manual, and currently depend in part on the device going out - could be any of HTC Desire/Desire S/Sensation, Motorola Atrix/Defy+/Xoom or Samsung Galaxy Tab 10.1.
I also have to do this *after* having logged in, set up at least one google account + possibly a motoblur account, and enabled USB debugging - is it possible to get adb shell functionality without needing to get into the OS and enable USB Debugging?
Moving to higher level things, I'm open to the idea of paying for dedicated tools to manage this job - eg Google Apps Domain services, or some other Mobile Data Management service (eg silverback mdm).
However, what these tools are geared to is securing a fleet of devices, but don't seem to offer what I'm looking for, which I believe are pretty simple requirements. ie add some arbitrary apps, and make them accessible on the front screen of the device.
I can't imagine that I'm the first person to need to do this, so what are other people doing to ease the management burden?

There's a Zombie-like Security Flaw in Almost Every Android Phone

Nice article to read.. Just thought I would share.. MODS PLEASE DELETE IN CASE THIS IS A DUPLICATE.
http://news.yahoo.com/theres-zombie-...013019842.html
There's a Zombie-like Security Flaw in Almost Every Android Phone
LikeDislike
Abby Ohlheiser 56 minutes ago
Technology & Electronics
.
View gallery
There's a Zombie-like Security Flaw in Almost Every Android Phone
Almost every Android phone has a big, gaping security weakness, according to the security startup who discovered the vulnerability. Essentially, according to BlueBox, almost every Android phone made in the past four years (or, since Android "Donut," version 1.6) is just a few steps away from becoming a virtual George Romero film, thanks to a weakness that can "turn any legitimate application into a malicious Trojan."
While news of a security vulnerability in Android might not exactly be surprising to users, the scope of the vulnerability does give one pause: "99 percent" of Android mobiles, or just under 900 million phones, are potentially vulnerable, according to the company. All hackers have to do to get in is modify an existing, legitimate app, which they're apparently able to do without breaking the application's security signature. Then, distribute the app and convince users to install it.
Google, who hasn't commented on the vulnerability yet, has known about the weakness since February, and they've already patched the Samsung Galaxy S4, according to CIO. And they've also made it impossible for the malicious apps to to install through Google Play. But the evil apps could still get onto a device via email, a third-party store, or basically any website. Here's the worst-case scenario for exploitation of the vulnerability, or what could potentially happen to an infected phone accessed via an application developed by a device manufacturer, which generally come with elevated access, according to BlueBox:
Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.
The company recommends users of basically every Android phone double check the source of any apps they install, keep their devices updated, and take their own precautions to protect their data. But as TechCrunch notes, Android users really should be doing this anyway, as the devices tend to come with a " general low-level risk" from malware. That risk, however, is elevated for users who venture outside of the Google Play store for their apps.
So while the actual impact of the vulnerability is not known, neither is the timeline for fixing it. Manufacturers will have to release their own patches for the problem in order to fix it, something that happens notoriously slowly among Android devices.
Mr_Jay_jay said:
/snip
Click to expand...
Click to collapse
As always, this really boils down to the same thing: don't be a fool in the most non-pejorative way possible. With the exception of the Syrian Electronic Army fiasco awhile back, secured and verified app vendors like Google Play (or Apple's App Store) continue to provide all the services most users will need without exposing the end-user to this kind of vulnerability. If you don't expose yourself, you're not at risk.
That said, this all relies on the notion of the end-user being at least somewhat vigilant, which can be quite dangerous.
Rirere said:
As always, this really boils down to the same thing: don't be a fool in the most non-pejorative way possible. With the exception of the Syrian Electronic Army fiasco awhile back, secured and verified app vendors like Google Play (or Apple's App Store) continue to provide all the services most users will need without exposing the end-user to this kind of vulnerability. If you don't expose yourself, you're not at risk.
That said, this all relies on the notion of the end-user being at least somewhat vigilant, which can be quite dangerous.
Click to expand...
Click to collapse
Not every Android device has access to Play Store though, by-default. I have a tablet now that doesn't have access. If a normal user had such a device, they wouldn't likely go through the process needed to get Play Store, and would just deal with whatever marketplace app existed.
This exploit will likely only ever affect users that by default use devices that do not have Google support. Many of these are distributed among 3rd world nations and are typically a hot bed of illicit activities anyways. Of the first worlders that would be affected, it would be those using black market apps without knowing the risks involved in doing so. Most black market users are knowledgeable enough to know to check their sources and compare file sizes before installing apk's.
Also the notion that 99% of devices being affected has nothing with the OS being flawed (Google reportedly fixed the flaw in March), but rather the OEMs being slow in pushing out (or not pushing out at all) the patched hole.
Also I would be weary of a security outfit that has been around since 'mid-2012' and continues to pride themselves as a start-up mobile security firm.
espionage724 said:
Not every Android device has access to Play Store though, by-default. I have a tablet now that doesn't have access. If a normal user had such a device, they wouldn't likely go through the process needed to get Play Store, and would just deal with whatever marketplace app existed.
Click to expand...
Click to collapse
Granted, but the Play Store reduces the attack surface by a considerable margin. Right now, I consider non-Google blessed Android to be something akin to stock Windows 7 with Defender and Firewall turned off-- you can do just about anything with it, but you're running at a risk by not deploying some vendor-based add-ons (in this case, choosing to use the unit available).
I do understand that many devices sell outside of the Google world, before anyone jumps on me, but it doesn't change how the vulnerabilities play out.
This boils down to:
If users install a virus then they get a virus!!! This affects all Android phones!!!!!!!! Oh Nos!
Sucks that this is being patched. Guess there will be no more modding games for me.

[Q] Security framework aproach (ROM for Kids)? APP or ROM?

Hello.
I am here seeking for help and advice on how to approach the development of a security framework (via APP or via hacked Android ROM to be used by kids, that could be monitored by adults (parents or legal tutors).
The idea would be to develop a (white hat) hacked ROM, that would allow the kids to communicate with their friends, but also would allow their parents to supervise/monitor in real time what their children are doing, who are they communicating with and that way protect their children. The thing is not to spy on our kids, but to be able to check regularly if there is anything wrong going on with our kids (mobbing, insults or harassment). Kids aged (10-14) could be influenced by other kids, adults, or adults simulating being kids, and on some occasions they can be tricked to do things without their parents consent/knowledge that can lead to a tricky situation.
When I was a kid, we had the telephone (wired telephone, of course) on the middle of the hallway, so all our conversations were basically family-public. The truth is that there are not many secret things a 10yo kid could/should talk about, but nowadays, it could be a little bit worrying to lend a smartphone to a kid. I think it's just as letting a kid drive a car; he can do it right, or not be able to evaluate the whole consequences of driving a car.
Talking to other parents around me, they all found very interesting the idea of having a telephone that one could lend to their son, having the kid available all the time, and with the peace of mind that you could know what's going on. Of course the kid should be aware of this, and that the telephone comms are being supervised. I think it's no big deal. "Kid, it's very simple. The telephone is mine, and if you want to use it you have to use it under my terms".
Probably, all of us working for a company, have also our communications supervised, cannot make personal phonecalls with the company's telephones, probably cannot navigate to webs looking for personal content, and we asume those rules (because neither the company's phones nor the computers are ours but our company's). It's basically the same, switching the company-employee role to a father-son one.
So, let's get to the point (technically). I am a tech-geek, linux pro-user, have compiled a few ROMs just for personal use, but don't feel capable enough of starting a project of these magnitude alone. If there is anyone willing to help, opine, or whatever, will be very welcome.
First of all, APP or ROM? I basically think that the ROM is the way to go, but I'm asking just in case someone can convince me on the contrary. I will make a poll on this question.
APP An APP could be easily downloaded and installed but would require a rooted phone, and I don't see it clearly if an APP could resolve all the needed issues (access to communications for example) and could be fairly easily uninstalled too.
ROM On the other hand, a ROM would be trickier to uninstall (basically flashing another ROM) but wouldn't be as easy to install as an APP (though the installer model of cyanogenmod could be kind of a solution). There could be an universal (if possible) independent flashable module, over whatever android ROM, or an entire ROM solution.
Features that I want to develop in this ROM (by the way, I call it 'Vigilante ROM'):
Suitable for as many devices as possible
Web interface for parents available to see device-related information
Some hack-proof measures to avoid kids bypassing the ROM's security
Alerts triggered on some events (offensive words, whatever)
Position of the mobile -just in case-
Suitable for as many devices as possible
The first thing I though was what platform should be used for this ROM. To select Android over others (iOS, Blackberry, W7) was a no-brainer. Now, the question is should we use pure Android or make a CyanogenMod fork?
In my opinion, even though every phone maker has to supply their ROM sources publicly, they usually introduce so many modifications (HTC Sense, Samsung Touchwizz and so on) that it looks more difficult to develop a common security framework over each manufacturer's version of Android, rather than using a more standardized one like CyanogenMod.
CyanogenMod already works with a wide number of devices (and a wider one if you count the unofficial supported devices), I think CyanogenMod should be the base of this ROM. If all the 'things' needed could be flash on top of any Android device, would be even better, but technically I need help with this one.
I understand that basically there should be an internal proxy setup, so that all the communications go through this internal proxy, and based on the kind of communication, we could log whatever we need. For example:
Visited URLs
Whatsapp or other messaging apps should be decrypted
Incoming/Outgoing calls/SMS
Social network activity
I know the Whatsapp protocol because I'm familiar with a project called WhatAPI. The key point to be able to intercept whatsapp messaging is a key generated and exchanged during the app install (although there are ways to later ask the Whatsapp server to renegotiate this keyword) and that's used later to encrypt all the messages between the phone and the whatsapp server.
Web interface for parents available to see device-related information
Behind every kid with a smartphone there should be a responsible adult supervising the kid -even if it's remotely-. In my idea, logs of messaging activity, incoming/outgoing calls/SMS and even the position should be available to the supervisor through a web interface.
Some hack-proof measures to avoid kids bypassing the ROM's security
That's an easy one. CRC checks on some keyfiles would guarantee that the device is not being 'counter-hacked'. Some kids are also very techie, and we should make some defences against kids trying to hack (counter-hack?) the phone.
Alerts triggered on some events (offensive words, whatever)
It could be interesting if somehow the supervisor could receive a notification whenever the kid sends/receives and offensive word, or tries to enter some special tagged website.

google-ectomy, possible?

Hi all.
I have a rooted phone that is used strictly in wifi mode and only needs to be able to run 4 or 5 standard aps, a couple of optional aps, plus the aps that support rooted phones and enhanced power management. I don't want google-anything on it, and I am not kidding. My prime concern is battery life, I hope to be able to run my phone for 3 to 4 days (or more) between charges, so deleting all fluff aps and crapware is important, as is underclocking it and getting rid of google. I also want to stop updating of the operating system and installed software by google.
I hope to do a hardware mod to remove power from the cell band rf transceiver. Despite it being turned off in the phone using software, I am detecting occasional transmissions from the cell band transmitter. Hardware mods are not a problem for me, I'm a retired EE, who specialized in RF design.
I need to know if it's possible for the phone to function if gmail, google+, google search, chrome, google calendar and google-whatever are exhorsized (uninstalled)? Yes, I also want to give the playstore the boot, to prevent excessive battery drain (and, yes, I do realize downloading aps will be slightly more difficult without the playstore).
For those who might be interested, the phone is used as a wifi phone for the home based Ooma telephone service. I also might like to run a mini bittorrent server. It seems to me that the android community could use bittorrent in place of the playstore, thus making it easier for others to give google and google playstore the boot
I love this forum, and want to thank all those that support and administer it.
Aloha,
A
alohagirl said:
Hi all.
I have a rooted phone that is used strictly in wifi mode and only needs to be able to run 4 or 5 standard aps, a couple of optional aps, plus the aps that support rooted phones and enhanced power management. I don't want google-anything on it, and I am not kidding. My prime concern is battery life, I hope to be able to run my phone for 3 to 4 days (or more) between charges, so deleting all fluff aps and crapware is important, as is underclocking it and getting rid of google. I also want to stop updating of the operating system and installed software by google.
I hope to do a hardware mod to remove power from the cell band rf transceiver. Despite it being turned off in the phone using software, I am detecting occasional transmissions from the cell band transmitter. Hardware mods are not a problem for me, I'm a retired EE, who specialized in RF design.
I need to know if it's possible for the phone to function if gmail, google+, google search, chrome, google calendar and google-whatever are exhorsized (uninstalled)? Yes, I also want to give the playstore the boot, to prevent excessive battery drain (and, yes, I do realize downloading aps will be slightly more difficult without the playstore).
For those who might be interested, the phone is used as a wifi phone for the home based Ooma telephone service. I also might like to run a mini bittorrent server. It seems to me that the android community could use bittorrent in place of the playstore, thus making it easier for others to give google and google playstore the boot
I love this forum, and want to thank all those that support and administer it.
Aloha,
A
Click to expand...
Click to collapse
There are threads all over the place trying to do this. Google is deeply ingrained into all the apks used by the os. You will be very hard pressed to find away to remove them completely and still have things work right.
I agree that security is an illusion. I dumped Microshaft in 2013 in order to improve my security and privacy.
However, the android operating system is supposed to be open source, so it should be possible to de-google-ize it IF someone knows how to edit and recompile the android OS.
I was merely asking if anyone knew of a way to give google the boot, even if it came down to paying someone to compile a custom rom.
The loss of google playstore is not a consideration, neither is a monetary forfeiture (any programmers out there?).
I'm curious, is it possible to gag google so it can't connect to the outside world (with a firewall)? We used to do this in XP to prevent Bill's Internet Explorer from downloading updates.
Are any of the custom roms currently available able to run without google-anything??
Is there any hope, or is it truly hopeless? If a custom rom that gave google the boot was available, how many would pay a small fee to have it? Just curious??!!
TY
A.
alohagirl said:
I agree that security is an illusion. I dumped Microshaft in 2013 in order to improve my security and privacy.
However, the android operating system is supposed to be open source, so it should be possible to de-google-ize it IF someone knows how to edit and recompile the android OS.
I was merely asking if anyone knew of a way to give google the boot, even if it came down to paying someone to compile a custom rom.
The loss of google playstore is not a consideration, neither is a monetary forfeiture (any programmers out there?).
I'm curious, is it possible to gag google so it can't connect to the outside world (with a firewall)? We used to do this in XP to prevent Bill's Internet Explorer from downloading updates.
Are any of the custom roms currently available able to run without google-anything??
Is there any hope, or is it truly hopeless? If a custom rom that gave google the boot was available, how many would pay a small fee to have it? Just curious??!!
TY
A.
Click to expand...
Click to collapse
There is one project that is working on removing Google completely in the forums. A search will find it for you. There are some issues that I don't recall if they could find a way around or fix. You could give that a shot.

XCover 4 - need to restrict users

Hi,
we need to do the following:
We have a fire department with medical emergency staff. Each Car (Fire, Rescue etc) needs a new phone. We used to have simple Caterpillar "ruggedized" phones but they dont fit our needs anymore for various reasons.
We now have some sample devices of the Samsung Xcover 4.
What we need to do is to restrict the phones for everyday use, which is not supported by Samsung by default.
We can NOT root the phones or install any custom ROMs for obviuos security reasons.
So we would need a software which allows to control the phone: We would like a state where nothing can be changed. The only thing which must work would be making phone calls (dialing and phonebook). We do not want any apps installed, we do not want wifi or mobile data or people changing ringtones, wallpapers etc (and they'll do)...
Is there a software for android which can provide such a limited profile?
Thanks a lot!

Categories

Resources