The idea is to create a secure messaging app for Android smartphone.
One security goal is to have the app running inside a container.
I have so far been unsuccessful in finding a way to create a container on Android without using a paid service like a MDM.
Any help as to wether its possible and how would be much appreciated.
I have researched a lot on the internett on how to do this but haven't come over anything yet.
A container on Android is essentially a secure environment that isolates the app and its data from other apps and the underlying operating system. Creating a container on Android can be challenging and requires a deep understanding of the Android security architecture.
One approach to create a container on Android is to use Android's built-in system APIs, such as the Android Work Profile, which allows creating a separate, isolated profile on the same device. However, this approach still requires a management solution such as an MDM to enforce the security policies on the app.
Another approach is to create a virtualized environment using virtualization software like QEMU, which allows running a separate instance of Android on the same device. This approach provides a high degree of isolation and security, but can be complex to set up and manage.
In summary, creating a container on Android to run a secure messaging app is possible but requires a deep understanding of Android security architecture and the use of specialized tools and management solutions.
Related
I'm considering switching from Firebase DB to Realm.io for my Android app.
From what I've read - https://realm.io/docs/java/latest/#getting-started :
We do not support Java outside of Android at the moment.
That seems like an odd limitation for such a (supposedly) mature library.
I'm thinking that this could complicate e.g. automatic testing, requiring tests to be run on device/emulator, slowing things down a lot.
Questions:
Is it really the case that it cannot be used outside of Android?
What is the reason of this limitation?
Is it really as bad as I think?
What if I want to have some auxiliary server app (written in Java) running somewhere in the cloud, e.g. AppEngine, to connect to the realm DB. Is that option excluded?
What workarounds are there, e.g. for testing and server-side Java?
For the latter purpose - is NodeJS server-side app supported?
That seems like an odd limitation for such a (supposedly) mature library.
It's not that odd a limitation if you consider the fact that Realm ships its own native core, and the JNI wrapper written for the Android NDK; and it hasn't been detached from it yet to make it platform-agnostic, and as such for example relies on Android-specific things in certain places - for example, notifications, using the "Looper" as its specific event loop implementation.
Technically, the realm-java binding has plans to support Java outside of Android, but it currently does not. You should think of it more-so as realm-android than realm-java at this time.
Realm-Core at the time did not support UWP and Windows yet, although now realm-dotnet project works for Windows as well. Even so, detaching Realm-Java's implementation from Android is difficult.
I'm thinking that this could complicate e.g. automatic testing, requiring tests to be run on device/emulator, slowing things down a lot.
For testing Realm-specific behavior, yes.
For testing other things in your app with unit tests, no. You just need the right design, and some mocks I guess.
Is it really the case that it cannot be used outside of Android?
It works on iOS and Android as a local database.
It also works on Linux as a local server-side database since this article from Nov 16 2016, using a similar (the same?) API to the React-Native Realm API, via NodeJS.
You can also run a Realm Object Server (ROS) free of charge on whatever Linux or MacOS machine you like.
Then you can use the sync API to connect to said ROS, and automatically synchronize Realm associated with a user to the ROS. That's what you can do with ROS for free.
With the Enterprise Professional Edition and its price, you can also (on the server side) read/write to Sync Realms, and listen to events that alter the Sync Realm via the NodeJS Realm API.
Is it really as bad as I think?
That is up to your own interpretation.
What if I want to have some auxiliary server app (written in Java) running somewhere in the cloud, e.g. AppEngine, to connect to the realm DB. Is that option excluded?
Your Java application will currently not be able to communicate with a Realm on the server-side.
NodeJS only.
Even then, the "synchronized" Realms that auto-update all data between devices through to ROS to reflect whatever is in the ROS is a paid feature.
Basically, Realm-Java currently only supports Android. As it said in the docs.
As for communicating with a local Realm for the server side on a Linux via the NodeJS API, sure, go ahead.
For the latter purpose - is NodeJS server-side app supported?
NodeJS is able to write to Realms on Linux machines. Possibly also Mac OS.
Free version is local Realm only. Paid version is synchronized Realm stuff through the ROS.
Is it correct that Android application which communicates with external database (somewhere on the server), requires web service (e.g. java web service)?
Is that web service an actual back end application which directly communicate with the DB?
Is this service, I am talking about, the same thing what AWS or google cloud offers, or am I messing it up?
Cloud providers can provide you computers and other hardware to run your back end server on and in some cases can provide you some or all of the services you need in your back end, obviously depending on what your app actually needs to do.
For example, AWS provides identify verification services, streaming recording backend services, notifications etc. You still need to do work to integrate your app with them but they do a lot of the heavy lifting for you.
Deciding whether to use the services or just the HW with your own services built on top is an architectural and business decision really.
You may want to balance ease of integration against vendor lock in (i.e. being tied to a single cloud provider to run your back end).
Personally, I like architectures that can be ported between cloud providers - you can still build on non cloud provider 3rd party service building block software if you want.
Having said that, AWS and Google have almost certainly put a lot of effort and thought into making their service building blocks easy to integrate and scalable so you may find their ecosystems work for you.
I am creating a java based application and i want to use google app engine for its deployment. But i want this application to be movable to other servers like tomcat etc on my local or other machines. So i though want to use google app engine. But want to keep my application independent of any Google specific things. Can somebody summarize the points i must take care of. I want to keep it independent both from application and database layer perspective.
Though I am not master in google app engine however the thumb rule to make your webapp portable is to use standard specification APIs instead of vendor specific APIs. For example if your app is using google app engine UserServive (com.google.appengine.api.users.UserService) or data store com.google.appengine.api.datastore.DatastoreService , if is tightly bound with Google app engine and can not be migrated to standalone tomcat engine.
To loose couple your database for further migration you should consider using MySQl schema in google app engine. Because in future you can host your database anywhere by just taking a dump. Also, you should use JDBC apis/JPA for database operations from your application using MySQL JDBC JAR
To summarize, you should avoid any API call which has com.google.appengine* import in your source. Also, you should have your own mysql schema running in google app engine cloud.
I think you can and it's only a matter of design.
Just an example: if your application need user authentication, you can create an interface AuthenticationService and two implementations:
GAEAuthenticationService for the Google App Engine
FakeAuthenticationService for local tests running with jetty (for example)
DataSourceAuthenticationService for authentication based on a DataSource
You can do the same think with persistence, scheduler, etc... the only thing to do is:
define the objects you need and use interfaces when you need different implementations that depends on platforms
Amazon Cloud Services (AWS) has provided the ready to use Library to make calls to SDB, S3, SNS etc right from your Android app. This makes it really easy for a mobile developer who is not familiar with web services and web applications to create a completely scalable cloud based app.
We give the Amazon Access Credentials in these API calls to connect to our cloud Account; My question is:
How do I effectively use Key rotation in the app, since I would be distributing the app, once the change in key could mean a period disruption for the existing users.
Would hard coding the Amazon Access Credentials inside the code (as a field Constant etc) make it vulnerable to extraction? Via decompiling etc.?
I talked to the Amazon Advocate for our region and he told that Amazon client library is not designed for such a purpose.
It could be used in for in-house apps (not being published), like client-demo apps.
If you're bundling the Credentials with an app to be published in open market (not recommended), use IAM and create a separate credential with with restricted access.
If you're building an app like Instagram, you may have to setup a web server to proxy your calls to Amazon (effectively making the client library useless).
Obviously, I was not very convinced. I think an entire client library to Amazon communication (bypassing the need for a webserver) could be a great advantage for Mobile devs.
Re:
Would hard coding the Amazon Access Credentials inside the code (as a field Constant etc) make it vulnerable to extraction? Via decompiling etc.?
Yes, by looking for strings and patterns in the binary. Also decompiling, but that'd often not be necessary.
The first question is, what sort of threats are you trying to protect against? Governments? Paid hackers? Or you just want to make it not easy to gain access other than via the app?
Limit the access the keys have to just the data that the app needs.
Store the keys in the app in several pieces. Modify them in some way (eg ROT47), then re-combine when sending to the service.
Don't put all of the key information into the app. Require use of another security device such as the Amazon MFA
Install monitoring to detect unusual patterns of access that could indicate access from outside of the app.
I'm creating an android application. Most of the functionality will be done offline, however I need to build some dependency between users of the application, such as being able to see peoples "high scores" and to communicate between users, and sending each other in-app messages.
Therefore, I'll need a webserver which the app can connect to in order to store such information. I imagine the app will make REST calls to get high scores.
I'm trying to avoid the overhead of having to create a fully functional web application (SpringMVC for example). Is there any application that makes this simpler?
What is a good, simple web stack I could use for this?
We use the Java RESTlet framework for creating RESTful interfaces for our mobile apps, and deploy via Google AppEngine. I shared a series of screencasts on YouTube demonstrating this approach that you might find useful. The RESTlet framework used in the screencasts is a few versions old, but this should help you get up to speed fairly quickly. We like this particular approach because it's straightforward for Android developers (who are already proficient in Java), scales well, and its free until you hit Google's quotas.