Database Info

[Q] Remote Administration of Multiple Android Handsets

My situation:
In my company we have about 30+ handsets currently running Android (standard and custom ROMs from XDA). The handsets include HTC Desire HD, HD2, Desire S and Desire Z. The users cannot be trusted not to brick the phones if they are allowed to download apps and modify them in anyway (not to mention they are business phones so shouldn't have facebook etc on them any way).
I've heard about admin tools which allow control of handsets remotely.
Requirements:
So, if possible, what i would like does something along the lines of...:
1: Blocks further apps from being added to the handset without a password
2: A lock to keep as many of the settings as is originally provided (wallpaper etc)
3: A master admin tool which i can remotely manage all the handsets from (download requested and approved apps, wipe, lock, locate and reset the phones if lost...etc)
What i have done before to stop the users adding further apps is register my email address to Android Market on all the phones, then changed the password using my desktop). While this stops new apps from being downloaded from the market, it does mean i cannot remotely roll out approved apps as they are no longer signed in to the account.
Is there anything out there which does any/all/some of the above?
Is there one tool which can manage all these tasks? Or will it have to be seperate apps like Norton Mobile Security (such as) etc?
Can anyone get their heads around this?
Thanks!

The market lets you download apps to a phone.
Lookout Security does all of the security tasks you want.

Thanks, that would take care of the remote wiping, locating and locking.
Does Android provide any corporate setup for administration of lots of handsets? Surely this is a niche in the market for some devs to jump on if there isn't something like that already.
And i know Android Market allows you to remotely download apps to multiple phones but i want to make it impossible to download through the phone itself. (so i can add apps but the user can't)

Something that performs like MFormation Enterprise Manager but avoiding the $20k price tag! (a tall order i know)

Sonic_Sonar said:
Something that performs like MFormation Enterprise Manager but avoiding the $20k price tag! (a tall order i know)
Click to expand...
Click to collapse
Hello,
Have you found any apps that fit your needs? Do you use them? If no, is your organization still interesting in mobile device management service?
I'm asking because I'm working for http://bloove.com (personal phone management service) and we're going to expand our offer to small and medium companies.
This new service will combine existing contact, sms, phone log and bookmark backup for personal phone with MDM features like centralized app management, location and wipe service etc.
We're looking for early adopters who will have a chance to add their custom requirements to the service and get this service for free for up to six months.
Please let me know if you're interested and want to discuss this further.
Thank you,
Rostislav
[email protected]

Please use the Q&A Forum for questions Thanks
Moving to Q&A

I did something like this ...
I first installed openssh server, plus a script that checks a specific URL for remote access needs (had to do it that way since my carrier blocks connections on all ports).
The server side is a simple php script that you call like this: check.php?deviceid=[ID]. The script checks a DB to see if there is anything new for that device ID and acts accordingly. I implemented three features: Tunnel, Script, Install APK. So, If I want to install an APK to all devices, I just upload it on our webserver, and on the MySQL DB I add devices id = all, action=install, file=/apks/whatever.apk. If, for instance, I want to do something more complex on certain devices, I add: id = all, action=script, file=/apks/whatever.sh. I write the script, then all phones check for updates on this check.php every 5 minutes, if they find a script, they'll download and execute. If it's an APK, they'll download and install. If I insert a line with deviceID=[deviceid], action=tunnel, file=[PORT NUMBER], then the phone will SSH into a remote server and do a reverse port forward, on [PORT NUMBER]. Then I can just SSH into localhost:[PORTNUMBER] on the server, and I'll have a terminal inside the phone to do whatever I need.
This doesn't address the restrictions issue, but it does allow you to control the phones however you want.
Regards,
Almafuerte.

Project Cream (Beta)

Hello everybody,
I'm Alessandro and I'm a student in IT Security at University of Milan.
I'm doing a thesis about Android Malware and I'm building a system to automatize the analyze of every App in every Market.
This system use a lot of free opensource products that I'm trying to customize and integrate.
The base idea is to enumerate all App in every Market (offical and not), download every free app and get Apk, at this point there is a first step that involve our customized version of Androguard for static analysis, next step is an hybrid analysis in a customized Android running on emulator.
More in detail:
- We are trying to enumerate all App using Android market api code.google.com/p/android-market-api and we are currently at work
- We want to download every free App enumerated by previous step, I think is not possible to download directly Apk, so I assume that I must *download App in an emulator and save Apk by a backup utility, any suggest??
- Next step is to anakyze Apk with Androguard and publish report (MD5 of Apk, permission declared, services...) to Db - not yet started
- After androguard we have to install Apk in emulator running customized Android, and here we have a lot of difficulties.
First of all we want to install App silently, without human actions, this is not possible by default but did you think is possible to modify Android source code to allow this?
In addition I have built a customized kernel with SELinux support, next problem is that I have to add SELinux commands to BusyBox and cross-compile, anyone have already do this?
After that, we must create a scripts (maybe an App?) to run tcpdump and get suspect traffic data, get SELinux logs and made a sort of anomaly detection.
All this result must be sent to the same Db so we have a comparison between static and hybrid analysis for same App.
We are asking you a little help if anyone have already do one or more pieces of this system or if anyone wants to contribute in this project.
Thank you for all

Android Webview and webvr / webxr

Spend several days trying to make Android Webview go webvr / webxr
​
I have several projects to develop in VR and I used Unuty and Unreal for this. But with webvr/webxr coming it is a chance to get unified platform to distribute VR experience. Only problem I need to distribute it as stand-along app for google play and gearvr store (due to heavy video 360 4k/6k content - beyond Wi-Fi b/g/n capabilities).
​
Test device has android 7.1 - so webview is the chrome itself and in dev options set as chrome. Also tried to set it as chrome dev, chrome canary - no luck
​
my discovery for now
for webvr - this technology named deprecated and you need to set chrome://flags on normal chrome and it works well. Webview ignores that settings (might be if chrome://flags accessed from Webview it helps - have`t tried yet). There is an option to use chrome start-up parameters via adb but no good for production
​
for webxr you need to acquire Origin Trial Token from Goolge. And again stand alone chrome if accessing site with Origin Trial Token goes VR at no probs. But Webview simply ignores Token .
​
For now I have only one proper option - compile chromium and embed it in app. On windows I can distribute app using WinJS (.net and win32 also good) + Microsoft EDGE Webview. Works surprisingly well with Windows Mixed Reality. For SteamVR again I can compile Gecko or use supermedium (Gecko compiled by other guys).
​
But on android I still in search for way to show Webview with local html with my webxr content (based on threejs mostly).

Hilo

One plus 7 pro with lineage OS and MicroG instead of galaxy s10+

Hi!
I'm not a compete tech noob but new to phone modification, privacy and security and would like some recommendation.
I bought a Galaxy s10+ a few weeks ago and after that I started to read up more about phone modification, privacy and security.
After a lot of research I found out this is not the most privacy friendly phone in terms of installing a custom ROM.
I have 3 days left to return the s10 and decide which other phone to choose.
If i want something 'similar' it would be something like the Oneplus 7 pro or maybe a Oneplus 6/6T?
So, I would like to have a phone which is reasonably modifiable so someone like me ( willing to spend time and effort figuring out how to take the right steps to do the things needed without ruining the phone) can install this setup below (basic setup for now), without having to be a developer/phone expert. Is this possible on the 7 pro?
I like having a large good quality sensitive screen because I do a lot of journaling and will also be using it in conjunction with personal productivity apps. I'm not a gamer at all but enjoy having a smooth working phone.
Will apps like the protonmail app work on a setup like this?
I own a LG V20 now which has a Quad DAC Audio interface which sounds amazing. I would like to use my High Res Audio Audiotechnica headset with my new phone, anybody knows if this is possible with the 7 pro using a Usb-C to 3.5mm jack audio interface?
Lineage OS
MicroG
Navigation:
- OsmAnd
- Tiny Travel
Security:
- Keepass or bitwarden
- Mullvad VPN
- OrBot
- Net Guard
- Shelter
Browsing:
- Hardened FF Klar?
- Tor Browser
Personal/Productivity
- Joplin
- Orgizly
- Calendar/Etar
Stores:
- F-Droid
- Yalp
Communication:
- Signal
- Protonmail (app if possible)
Media:
- Simple Gallery Pro
- Simple Camera
- Simple Music Player
- NewPipe (YouTube App)
Misc.:
- Simple Keyboard
- DeepL
Click to expand...
Click to collapse
Thanks in advance!

dSploit/cSploit continuation

Hello, if you know what cSploit is you also probably knows that it's buggy and outdated.
I have taken time to rebrand the software, mixing versions, and modifying code.
My goal was to fix the login cracker which was not giving status output since the C regex was broken, so I re implemented the original dSploit 1.0 fashion - each tried passwords are shown - and the progress bar is effective. Also did modify the java code and res to be able to fully use hydra (more options, and most importantly being able to pass http related plugins parameters).
Metasploit is outdated, and ruby 1.9 cannot run the lattest version; so I switched to version 2.7, which is running: we can install gems.
Issue is that when downloading the MSF and setting it up, the bundle doesn't return, and gives no output. I don't know what is happening here, there may be a prompt for administrator's password so I run 'bundle install' as root, but it doesn't change anything.
gem install bundler does succeed, but not bundle install, showing forever "downloading gems". This part is tricky and I need people to look upon it with fresh eyes (I spent too much time on the code).
I'm calling the project eSploit and renamed a lot of things like package name, since I have been working alone and that the cSploit project is utterly abandoned, but still is delivered on platforms like nethunter store despite the bugs and EOF notice. So don't judge me on taking it over since no one cares.
Status is:
Nmap: fully functionnal
Hydra: restore not working (restore file's path issue)
Exploit finder: Not working since the MSF doesn't update yet -see above- , and that is the milestone.
MITM: not tested, might just get rid of it.
There is a change of strategy in the way we will retrieve exploits, instead of contacting outbound server and pass it the result of the inspector, then seeking in the metasploit database for the CVE, we will just pass the inspector's result to metasploit. No difference, and the thing will be working on local networks without internet connection,
To be honest this is a bit like pinning a nail with a bulldozer, but for now there is no alternative.
Submodules are removed from git, instead there's a big working tree with all the dependencies.
Note that the openssl library originaly shipped with the package doesn't 'work' with most newer software, hence are we using 1.1.1l for ruby, and will either stick to the lattest for older softwares (like hydra 8.8) or update the programs, so now only nmap is working.
So you tell me what you think of it, and don't hesitate to report bugs on github, ask me questions about the architecture of the software (originally designed by simone margaritelly), and help me finding a solution to the main issue.
GitHub - e2002e/eSploit: cSploit - The most complete and advanced IT security professional toolkit on Android.
cSploit - The most complete and advanced IT security professional toolkit on Android. - GitHub - e2002e/eSploit: cSploit - The most complete and advanced IT security professional toolkit on Android.
github.com

This is very cool. It would be really cool if this is working. I hope that you can fix these Problems

cSploit, dSploit.. now eSploit i really like this program.
Any similarities with zANTI ?

I am very interested in this project! But the github page is offline Are you still working on this?

Hi people, I got to some reasoning that this was not needed, though being cool to have the metasploit framework for android, I remember now how younger I tried to hack into things without a proper vulnerability scanner. This results in frustration. You can't know just from an nmap scan what exploit to launch. This thing would be awesome with (for instance) greenbone. But as is it is like attacking tanks with guns.
So I dropped it and deleted the repository.
Thanks for your reactions.

What happen it's not available