Hello,
My company is using NOVA boxer which leverage Android Work Profile to setup a dedicated work profile.
However, one of the policy they enforce is to remove usage of fingerprint unlock.
Is there any way to bypass that ?
I am root on the device but not too sure where this kind of lock is located ?
Any clues ?
Regards,
Adi90
Related
Hey,
There is a big security issue on WPA2 Enterprise (802.1x) configuration in Android. The GUI offers no way to set the sebject_match option for the certificate so it is possible to install an fake Radius server and fish user credentials even there is set a cetificate in the Wifi configuration.
As far as i know it is possible to set the subject match option manual in the wpa_supplicant.conf but this is only possible on rooted devices and not on all rooted devices. I have found out that there is the option in the wifienterpriseconfig.java. The answer of google for that beheavior is "this works as intended".
My question is now, is there a way to write a app to configure wificonnections without root privileges which includes the subject_match option and has anyone experience with that?
I am very excited to have access to bio-metric security on my new phone. However, for those of us in the U.S., there is one security exception that you should consider.
While its generally understood that no one, by law, may compel you to reveal a password; fingerprints themselves are NOT legally protected by the 5th amendment. There is precedence set that interprets the legal right for law enforcement to collect blood and DNA samples as evidence clearly extending to fingerprints.
If you want to fact check that, just google 'forced to fingerprint unlock' and you can pick from sources you trust the most:good:
Therefore, I want to know what XDA has to say about this. We have the phones now.What can we do?
My idea involved allowing the user to use fingerprints to authorize actions within the OS for speed(Ie Android pay,play-store purchases,access to contacts, etc), however disallowing fingerprint authentication for device unlocking and rely on PIN only. I think that is the best way to balance ease of use and security that a fingerprint reader adds while also avoiding the general lack of control over the authentication method used( fingerprints).
Even Google admits in the documentation, and I quote, "A physical copy of your fingerprint could be used to unlock your phone. You leave fingerprints on many things you touch, including your phone."(https://support.google.com/nexus/answer/6285273).
Therefore a third party having control over your fingerprints is admittedly a valid concern. Therefore Nexus imprint is NOT a secure authentication method UNLESS paired with a pin code. I think Two-Factor authentication is required here. We want to make sure that no one has both factors. 1 isn't enough here. They tell us that a PIN is better. Why not a fusion of both? Why cant I do TRUE 2-Factor and do PIN+print unlocks?
My questions to the community are these:
1. Do you really care about this?
2. Is there some sort of built-in way to implement this functionality with Nexus imprint already? I haven't found it yet.
3. Would you be interested in a application or system modification that did this?
It sort of already has a build in workaround. The phone requires pin after boot, so if you are about to be arrested.. shut down the phone.
Also if you use any third party app to lock the device, it needs pin to unlock (e.g. Nova double tap to lock screen).
1. No.
I see imprint as a convenience, not another factor. It improves security for me by allowing me to keep my phone locked with a strong password, without the inconvenience of having to enter it every time I pick up my phone.
A pin/password to unlock and in each app's "App info" settings dialog a switch where you could toggle Imprint/Voice/Face does sound ideal. This way the user is not left hoping the app developer implements these features. My banking app does Face/voice/pin, and I assume they'll eventually add Imprint, but I'd prefer the operating system gave me, the user, this power in much the same way they've given us granular control over some permissions & notification access. This actually seems like the logical next step to Screen Pinning.
Say I wanted to have the most secure Sony Xperia Z Ultra possible (without "too much" sacrifice of useability).
In the context of this thread I define security as broadly anything barring network anonymity ie. hiding your device public IP address.
So I want security from network attackers (eg. drive-by download, WiFi attacks), physical device attackers (eg. customs searching devices for IP violations ... no really, that's about to become a thing apparently, GF and/or mistresses) .
How would you do it?
Could you please use sections of
Code:
firmware
phone settings
app settings
behavior
because I want to curate the best answers from users in this post for the good of the forum.
My thoughts so far are:
Firmware:
Root is disabled
Bootloader should be locked.
^^ These I'm not sure about - see if we don't have root then we don't have iptable firewall and hosts level server blocking.
One recovery should be used
Honestly I'm not sure which ROM is more secure than another but I'm assuming the latest and greatest is more secure so that would be MM atm. No idea if Sony is more secure than another flavour of ZU Android.
Phone settings:
Developer options off
Sideload apps off
Do not connect to unknown WiFi
NFC Off by default
Bluetooth Off by default
PIN unlock required
Auto-lock ON
App settings: (this includes apps you should have/not have and their settings)
I figure every additional app that I don't use is a needless attack surface so start with no apps at all - uninstall everything. Only install what you use ... for which you need root unless the ROM is premade like this.
Firewall app (Netguard no-root Firewall, DroidWall if we have root)
Adblock (if we have root)
AV - honestly most mobile AV seems pathetic at being secure and not acting like malware (notifications, popup windows etc) but Avast at least seems to not hog resources.
-Auto update every app
User behaviour:
NEVER:
-install apps from anywhere other than Google Play. Or possibly FDroid
-let another person use your device
I'd like to hear your suggestions, critique and everything else, cheers!
So you're not gonna install from other than google play, then what ad blocker are you going to use? Where is adblocker connecting to?
You're talking about still having a lot of apps connecting through servers that you don't control.
morestupidemailnames said:
You're talking about still having a lot of apps connecting through servers that you don't control.
Click to expand...
Click to collapse
Well if you are worried about connecting to servers that you dont control - isnt that all servers?
At which point you may as well remove all WIFI and Mobile Data capabilities and just stick to 2G
panyan said:
Well if you are worried about connecting to servers that you dont control - isnt that all servers?
At which point you may as well remove all WIFI and Mobile Data capabilities and just stick to 2G
Click to expand...
Click to collapse
Exactly my point.
The op is a long winded question that leaves you with more questions.
Probably why there's been such a landslide of security tips here
Hi,
Where can I get the source code related to specific Android feature such as Smart Lock which works with Trusted Places, i.e., automatic unlock the device at a predefined trusted place (not Smart Lock for Passwords). Is it implemented as an app with apk?
Please let me know how can I get the source code.
Thanks in advance!
Best regards,
Vincent
https://www.reddit.com/r/Android/comments/72tj6u/psa_google_have_quietly_removed_nfc_smart_unlock/
Judging how they could gracefully remove it kind-of universally, I regret to tell you this feature is likely inside gapps (also makes sense since otherwise where would voice unlock come from?)
On the other hand, you could check No Lock Home xposed module that implement such kind of functionality.
EDIT: custom trust agents (outside of com.google.android.gms/.auth.trustagent.GoogleTrustAgent) can seemingly be added
Hi,
I am testing corporate owned business only devices for deployment, as most MDM platforms do not support COPE yet.
I am managing android devices using an MDM, but Cobo devices have as default policy backup disabled.
For a fully managed scenario, the MDM creates, as usual, an account 432433324324or another [email protected] , but backups are disabled and look grayed out in settings even if you add a second google account
this MDM does not have the option to enable it but some others do.
hence my question, before I have used Apple devices and you can change whatever default policy you want applying a profile from apple configurator, is there something similar for android? is it possible to change the default so backup is enabled for android fully managed devices? a tool to create profiles? (samsung droids btw)