How to make a website only viewable by android phones? - G1 Apps and Games

Does anyone know how to make a website that can only be viewed by an android phone? Like how the iPhone has websites only viewable by iPhones & iPod Touches? If you do can you post a tutorial on how it could be done? Thanks

Check the "User-Agent" from the HTTP request.

Short php code that switch the site (not tested, should work)
PHP:
<?php
if(preg_match("/android/", $_SERVER['HTTP_USER_AGENT']))
{
header('Location: androidSite.php');
}
else
{
header('Location: normalSite.php');
}
?>
Or you use getBrowser()
And then you have just to fit the design of the design or do what you want

The only way to actually stop non-android devices from accessing the website is to force the android users to install an android-only plugin to be installed in the browser (not supported by default browser) or to use a custom browser. Said plugin will authenticate with your service using only-you-know credentials, thus preventing any non-android device from accessing it. The user agent is REALLY REALLY simple to fake.

lbcoder said:
The only way to actually stop non-android devices from accessing the website is to force the android users to install an android-only plugin to be installed in the browser (not supported by default browser) or to use a custom browser. Said plugin will authenticate with your service using only-you-know credentials, thus preventing any non-android device from accessing it. The user agent is REALLY REALLY simple to fake.
Click to expand...
Click to collapse
If you want to be absolute about it, it would not be outside the realm of possibility to reverse engineer the authentication output of the hypothesized plugin and create a workaround. Furthermore, as the plugin would likely be an arm binary library, there's probably not that much preventing it from being run (reasonably) on any arm-based system.
user-agent is probably (i'm guessing) enough for what the OP has in mind.

Here you can generate your own script:
http://detectmobilebrowsers.mobi/
For example: iPhone devices redirect to ebay for buying a android device
and Android Browsers comes in.
PHP:
include('mobile_device_detect.php');
mobile_device_detect('http://shop.ebay.com/i.html?_nkw=android&_armrs=1&_from=&_ipg=','http://website.com/android.html',false,false,false,false,false,false);
Download the PHP script for non commercial sites here:
http://detectmobilebrowsers.mobi/#download

It may be possible to reverse engineer it (not necessarily in case it is actually well designed), but even if it is, it would be non-trivial, even if implemented by an idiot. Changing the UA *is* trivial, even to a complete moron.
And who says it has to be an arm binary library? Maybe go with something in javadroid instead.... and link it to the device IMEI... using a time-based crypto function that only runs on your server, i.e. device --> server crypto service --> device with magic enabler key --> web server authentication. You can make something REALLY MESSY that nobody would bother to reverse, and something that can only run in android (i.e. dalvik). Sure dalvik can be run on other 'nix systems, but by doing so, they become quasi-droid anyways...
jashsu said:
If you want to be absolute about it, it would not be outside the realm of possibility to reverse engineer the authentication output of the hypothesized plugin and create a workaround. Furthermore, as the plugin would likely be an arm binary library, there's probably not that much preventing it from being run (reasonably) on any arm-based system.
user-agent is probably (i'm guessing) enough for what the OP has in mind.
Click to expand...
Click to collapse

Related

TOR (The Onion Router) for android?

anyone heard of a tor (http://www.torproject.org/index.html.it) porting to android? do you know about such similar project for the android platform?
thx
fl3xo said:
anyone heard of a tor (http://www.torproject.org/index.html.it) porting to android? do you know about such similar project for the android platform?
thx
Click to expand...
Click to collapse
I suspect something malicious seeing as how that link ends in .html.it
xsnipuhx said:
I suspect something malicious seeing as how that link ends in .html.it
Click to expand...
Click to collapse
its just a language thing.
Just go here: http://www.torproject.org/index.html
.it prolly stands for Italian.
xsnipuhx said:
I suspect something malicious seeing as how that link ends in .html.it
Click to expand...
Click to collapse
sorry, i'm of italian language.
fl3xo said:
anyone heard of a tor (http://www.torproject.org/index.html.it) porting to android? do you know about such similar project for the android platform?
thx
Click to expand...
Click to collapse
There's nothing to "port". You download the source, compile it for ARM, run it, and configure your system to use it. Should work fine.
Note: You don't actually need to run tor locally on your phone if you don't want to... you can actually forward a port over SSH to some tor server (i.e., your home computer).
U're absolutely in right. Tor and provoxy, cross compiled for armv6, really works. It's really really slow, but i can't expect nothing more (i compiled various linux application for android, clamav for example, and they are all very slow).
The real problem is another. The default browser and other browsers found on the market, do not support SOCKS so i'm forced to set an HTTP proxy with provoxy.
Read https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#SOCKSAndDNS can discover that's a real nonsense: compile tor, install it, but you're not anonimazed at 100% against a clever attacker.
any idea!?
Right... the problem is that in using HTTP proxy, it uses the system-configured DNS server, which means that there is the potential to trace your activities (at least partially) based on the DNS servers you look up.
Using tor-dns-proxy.py (not torDNS since it is a windonkey-only prog) as your DNS server should do the trick... two issues there though; 1) you need a python interpreter to run this -- either compiler fun, debian, or ssh tunnel, 2) Networking is a little funny on 'droid -- I'm not sure that replacing the 4.2.2.2->4.2.2.4's from the resolv.conf would actually do it. Probably not. There is a property (getprop/setprop) for DNS which will probably work. Alternative is you rewrite tor-dns-proxy.py in C and that should definitely work.
This is actually quite strange... 4.2.2.2->4.2.2.4 are public DNS servers owned by level 3 communications. The DNS server set in the system properties is the one set by DHCP.... can't quite understand the use of the L3C servers except maybe as a fallback? Or commandline programs bypass the 'droid systems and use the L3C servers whereas the 'droid apps use the DHCP provided servers, i.e. put something in there so that terminal apps aren't broken by unavailability of 'droid system DNS server...
About your performance issues.... I've always found the tor network to be brutally slow, are you sure it is a hardware performance issue and not simply the network?
fl3xo said:
U're absolutely in right. Tor and provoxy, cross compiled for armv6, really works. It's really really slow, but i can't expect nothing more (i compiled various linux application for android, clamav for example, and they are all very slow).
The real problem is another. The default browser and other browsers found on the market, do not support SOCKS so i'm forced to set an HTTP proxy with provoxy.
Read https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#SOCKSAndDNS can discover that's a real nonsense: compile tor, install it, but you're not anonimazed at 100% against a clever attacker.
any idea!?
Click to expand...
Click to collapse
lbcoder said:
This is actually quite strange... 4.2.2.2->4.2.2.4 are public DNS servers owned by level 3 communications. The DNS server set in the system properties is the one set by DHCP.... can't quite understand the use of the L3C servers except maybe as a fallback? Or commandline programs bypass the 'droid systems and use the L3C servers whereas the 'droid apps use the DHCP provided servers, i.e. put something in there so that terminal apps aren't broken by unavailability of 'droid system DNS server...
Click to expand...
Click to collapse
I've confirmed that.... terminal apps use L3C servers from resolv.conf, 'droid apps use DHCP provided server, so if you run a tor DNS proxy locally, you can "setprop net.dns1 127.0.0.1", "setprop net.dns2 127.0.0.1", "echo "nameserver 127.0.0.1>/etc/resolv.conf"" ... etc.
lbcoder said:
About your performance issues.... I've always found the tor network to be brutally slow, are you sure it is a hardware performance issue and not simply the network?
Click to expand...
Click to collapse
I think because of static linking used for compiling libevent, openssl and tor source. I'm lack of free time to learn about ndk and android shared library, but probably this can be the first step to increase performance of a lot of application not specifically written for android.
With tor in background is quite impossible doing anything else.
I often use torpark for surfing (both win and linux version) and i think the incredible slowness on the phone is not justified by transit of streams on the onion network.
fl3xo said:
With tor in background is quite impossible doing anything else.
I often use torpark for surfing (both win and linux version) and i think the incredible slowness on the phone is not justified by transit of streams on the onion network.
Click to expand...
Click to collapse
Use a performance analyzer like top to see how much cpu your tor process is eating. Probably significant.
Using top, the tor load remains over 90%, even not actively surfing. What the mess?

Chromecast "emulator"

Since chromecast simply get an url or data to play content already "on the cloud", it will be possibile to emulate its behaviour with a chrome extension or something like that?
I'd love to use a chromecast-like interface on my desktop pc...
p.nightmare said:
Since chromecast simply get an url or data to play content already "on the cloud", it will be possibile to emulate its behaviour with a chrome extension or something like that?
I'd love to use a chromecast-like interface on my desktop pc...
Click to expand...
Click to collapse
I'd second that. I'd love to see the ability to chrome cast TO a (widows) chrome browser.
I have a number of MCE PC's connected to HD TV's and computer with monitors throughout the house that would be great as the recipients of "casting".
At work I'd like to be able to look something up on my phone and then sent it to my nearest PC browser...
htcsens2 said:
I'd second that. I'd love to see the ability to chrome cast TO a (widows) chrome browser.
I have a number of MCE PC's connected to HD TV's and computer with monitors throughout the house that would be great as the recipients of "casting".
At work I'd like to be able to look something up on my phone and then sent it to my nearest PC browser...
Click to expand...
Click to collapse
You mean like this? - http://goo.gl/NOoel
You won't be able to push Netflix to the browser the same way, but you can certainly do so with web content.
Jason_V said:
You mean like this? - http://goo.gl/NOoel
You won't be able to push Netflix to the browser the same way, but you can certainly do so with web content.
Click to expand...
Click to collapse
Yeah kind of like that but completely integrated into he chrome cast infrastructure and APIs so that it is compatible across all apps and is just one click on the new "cast" buttons that are cropping up at the top of all my Android apps now .... (Netflix, Youtube, Google music etc.)
There has been talk of 3rd party hardware makers being encouraged to support the standard so shouldn't be too hard to do proper chrome browser integration as a target.
I can't believe no one has thought of it yet :fingers-crossed:
here
p.nightmare said:
I can't believe no one has thought of it yet :fingers-crossed:
Click to expand...
Click to collapse
Here you go github.com/dz0ny/leapcast
dz0ny said:
Here you go github.com/dz0ny/leapcast
Click to expand...
Click to collapse
awesome! I will definitely keep an eye on that :good: :good:
Nodecast is also an option
p.nightmare said:
awesome! I will definitely keep an eye on that :good: :good:
Click to expand...
Click to collapse
Beside Leapcast (which is implemented in python), there is a JavaScript-/Node.js-Port in Git-Hub available. The port was made by Sebastian Mauer, the guy who wrote Cheapcast.
I spend the last weekend exeperimenting with both Nodecast and Cheapcast. Now Nodecast runs here in a Windows 8.1 virtual machine - and I'm able to stream from other Windows and Android-devices.
I wrote a few tutorials, how to setup Nodecast on Windows (it also possible to use similar steps in Mac OS X or Linux). The tutorial is currently only in German - but Google translate shall do the job.
Nodecast setup for Windows-tutorial: http://goo.gl/2ZU5Mm
Maybe it helps
Leapcast 2.0?
Anyone still working on Leapcast now that the 2.0 SDK came out? Lots of changes like going from DIAL to mDNS for one. Leapcast was very handy for running on a PC that was already connected to the TV. Sadly, all the apps compiled against the newer SDK won't work with it. They won't even discover it as a Chromecast now.
https://chrome.google.com/webstore/...oakcolegkcddbk?utm_source=chrome-app-launcher
This was an attempt to do this but I never got it to work on my side.
Unfortunately, SDK 2.0 requires the Chromecast to calculate key using certificate issued by Google. We will probably wait a long time to see leapcast, CheapCast and NodeCast working again. It might not be even possible at all.
Johny_G said:
Unfortunately, SDK 2.0 requires the Chromecast to calcate key using certificate issued by Google. We will probably wait a long time to see leapcast, CheapCast and NodeCast working again. It might not be even possible at all.
Click to expand...
Click to collapse
Not the best news, but thanks Johny for the insight.
If all the rooted ROMs can handle SDK 2.0 and Google's new authentication, there's probably a way to get the emulators up and running with it. Just a matter of time and determination I hope. I wish Google was a bit more open on the software side for the Chromecast. Having the new SDK for sender/receiver apps is great, but allowing companie/people to recreate the piece in the middle would also benefit them I would think. It would be tough for people to beat the Chromecast's price tag, but having other options would be good.
Averix said:
Not the best news, but thanks Johny for the insight.
If all the rooted ROMs can handle SDK 2.0 and Google's new authentication, there's probably a way to get the emulators up and running with it. Just a matter of time and determination I hope. I wish Google was a bit more open on the software side for the Chromecast. Having the new SDK for sender/receiver apps is great, but allowing companie/people to recreate the piece in the middle would also benefit them I would think. It would be tough for people to beat the Chromecast's price tag, but having other options would be good.
Click to expand...
Click to collapse
I wouldn't hold my breath. The ROMs get the upgrade essentially "for free" as it's part of the stock ROM code. Maybe the desktop players can take advantage of that, probably not, especially if it's a binary or relying on some kind of TPM or other function in the Chromecast hardware itself.
Having options is good for the consumer, but for a manufacturer, more options = more competition = more mouths to feed = lower margins = more work to keep competitive. One of the reasons Apple is so aggressive about protecting the exclusivity of its platform.
Warning! TL;DR below!
The point is, that every single Chromecast device has its unique ID, its unique MAC Address, and its (unique?) signed certificate. Also, it might have some kind of ID generated when you set the device up (similar to Push ID used in Google Cloud Messaging). Some of those (maybe all of them) have to play together to calculate the key. As soon as you pull the certificate out and put it in different environment, the result of the calculation won't match the SDK's expectations. So there is pretty good chance, that bypassing the key might be completely impossible without modifying the SDK itself (and it would require the developers to actually invest some effort to support these alternatives) and maybe the Chromecast device software as well. But who knows, the guys involved in those "emulators" are way smarter than most of us and might figure something out .
This is the biggest issue. The other one is, that everything has changed in the new SDK/API, and all of the methods used in those emulators are now deprecated and need to be implemented all over again in a different fashion to work with 2.0. This might actually be a good thing, since developers involved in testing of the way-too-rushed 1.0 seemed not to have a lot of kind words to say about it. I have attended one Chromcast block on a local conference, and it was basically 2 hours of swearing.
I've stumbled upon these issues today (and a bit of yesterday), trying to get my app working in the office (I forgot my Chromecast at home - again), and here are some sources if you are more interested in the topic:
https://plus.google.com/+SebastianMauer/posts/83hTniKEDwN
https://github.com/dz0ny/leapcast/issues/29#issuecomment-37288608
https://github.com/dz0ny/leapcast/issues/96
As a developer, I have to say, that Google is making things awfully difficult lately, and the "don't be evil" policy seems to slowly fade away. They put way too much effort into marketing decisions, and have no time to properly test APIs and SDKs before they spit them out . Mostly, when trying some new Android-related technology (to be honest, its mostly Google Play Services technology these days, so AOSP starts to be completely useless), I spend most of the time working around things that nobody thought of (i.e. the Translucency API in KitKat was obviously tailored for Google Now Launcher, and is a huge PITA tu be used elsewhere) and fixing the broken samples that come with them. It might seem weird, but sometimes (say hello to Play Games Services and in-app billing v1+v2!) the sample is inseparable part of the final implementation, so you have to fix their rushed code anyway. I shouldn't be complaining, since things like that raise the value of developers willing to go through all of this in their spare time, but the change of philosophy still bugs me a lot. Google and Android used to be strongly community-oriented, and now the marketing is pulling it all away.
Should the goal really be to emulate a Chromecast or should the effort be geared toward supporting DIAL protocol?
I would think the latter is the better option because you could support whatever the hardware supports without the limitations imposed on us from CCast Hardware.
Maybe I'm wrong but I always looked at DIAL as an extension of UPnP and separate from the CCast itself and the Chromecast SDK as not much more than a kit to add DIAL support to Android (and iOS) not meant to build anything on the CCast side at all.
Other companies like Roku are planning some DIAL support and I doubt highly they will have a CCast ID and Certificate.
In the end I think we will get something similar to this functionality from a player app like VLC on PC and MAC, or perhaps in Chrome itself.
Cause I think (and I may be totally wrong here) that it isn't the Apps we use that checks the Whitelist and IDs it is the CCast itself that when invoked to load a player app to stream it also checks the whitelist and tests security before it plays.
SO if someone created a program for PC that made the PC announce itself as a DIAL capable device that when connected to loads the app into Chrome, I bet most of it would work.
Might not work with any of the DRM sites like Netflix and Hulu but for things like local content and unprotected streams I see no reason why it wouldn't.
In fact I bet the trouble some are having with Channels in Plex and others would go away because a PC Chrome instance would be able to play many more Transport types than a CCast can currently.
Asphyx said:
Should the goal really be to emulate a Chromecast or should the effort be geared toward supporting DIAL protocol?
I would think the latter is the better option because you could support whatever the hardware supports without the limitations imposed on us from CCast Hardware.
Maybe I'm wrong but I always looked at DIAL as an extension of UPnP and separate from the CCast itself and the Chromecast SDK as not much more than a kit to add DIAL support to Android (and iOS) not meant to build anything on the CCast side at all.
.......
Click to expand...
Click to collapse
I agree with you. I could actually care less about emulating the specifics of what's in the Chromecast hardware. What I do want is the ability for those unrestricted apps (ie not Netflix) to be able to use their Cast button to find, connect to, and use whatever the emulator is. The new CC SDK doesn't use DIAL to do the initial search any longer. It now uses mDNS. All of the previous apps (YouTube, Pandora, etc.) are still using the old API and DIAL discovery which appears to be backward compatible with the new Chromecast stick software. If you look at the debug logs of the stick, both the v1 and v2 APIs are accounted for. As for Roku, my guess (I haven't started digging in on what they're up to yet) is that they have an app that is using DIAL for discovering the Roku and then just acting as a remote control for all the box functions. Chromecast was a bit more unique since it could basically load up anything from the web as a receiver/playback client since the software is just basically a Chrome browser with some wrappers around it. That's what made it much more dynamic without having to load "channels" in the box within a custom framework like Roku does.
And Bhiga, as for economics on Google providing the software to other hardware makers, I think it it would actually be in their best interest. The Chromecast right now has to be either close to at cost for them or a loss leader. If they can get the Cast API to become a default standard on new consumer devices, that would help them take over that space. To me, that is such a better proposition for them than trying to get the complexities of something like GoogleTV into TVs.
Averix said:
And Bhiga, as for economics on Google providing the software to other hardware makers, I think it it would actually be in their best interest. The Chromecast right now has to be either close to at cost for them or a loss leader. If they can get the Cast API to become a default standard on new consumer devices, that would help them take over that space. To me, that is such a better proposition for them than trying to get the complexities of something like GoogleTV into TVs.
Click to expand...
Click to collapse
mDNS actually makes discovery a lot easier - mDNS = Bonjour = what Apple and TiVo use for discovery already.
I agree with you that adoption of the API and protocols is the goal. At this stage an Android emulator probably would help adoption, but my point was that a desktop emulator doesn't necessarily add to the rate. If someone starts looking to using a desktop because they think they don't need a Google Cast device, they'll likely runs across Plex and Miracast and may decide they don't need Google Cast at all.
bhiga said:
I agree with you that adoption of the API and protocols is the goal.
Click to expand...
Click to collapse
I wish Google agreed with us.
Averix said:
I wish Google agreed with us.
Click to expand...
Click to collapse
I bet anything there are some at Google who do agree with us but when your as BIG a company as Google is it takes forever to get everyone on board and thinking along the same lines enough to manifest it into an end product.
In the end what all if this really tells us is how much DLNA Consortium has failed to standardize Media Distribution by not going far enough and thinking of it from the end user ergonomic experience.
If this discovery and launch capability was more fleshed out in the DLNA specs we might not be talking about DIAL and mDNS right now.
At some point all these protocols (DLNA, UPnP, DIAL) should be merged into one standardized protocol that any platform can use.
Probably years away though...
Asphyx said:
If this discovery and launch capability was more fleshed out in the DLNA specs we might not be talking about DIAL and mDNS right now.
At some point all these protocols (DLNA, UPnP, DIAL) should be merged into one standardized protocol that any platform can use.
Probably years away though...
Click to expand...
Click to collapse
My concern is that unless Google is willing to push this as a standard rather than just apps for one dongle, it will only be a matter of time before the giant (un)friendly fruit company swoops in and AirPlay becomes the defacto standard that all TV makers, set top makers, and anyone else are forced to build in. It's not quite the same as how DLNA and UPnP have become sort of irrelevant, but it could pan out that way for the Google Cast API without more hardware devices having the capability built in. Time and market pressure will tell I guess.

Idea for general (all phone brands) interop bypass (NOT UNLOCK) - but can it be done?

MOD EDIT: Thread closed by OP's request.
If you have used reker's proxy, you will notice the "by @reker" entry on top of the list with search results. If we could do the same with the SamWP8 tool (and link his app to a similar app page), maybe we could bypass the interop unlock requirement (the error you receive if you try to sideload a app with interop capabilities on a non-interop unlocked phone) because apps installed in the store don't get this check (as compu829 demonstrated by saying the original Microsoft youtube app contained the ID_CAP_MEDIALIB_PHOTO_FULL entry in the WMAppManifest.xml, and how could you install this app on phones without having an interop-unlock, exactly : the app was installed through the store).
Correct me if I'm wrong, I'm still learning how the WP OS is build and how it functions.
To admins, I can't post this in the Windows Phone 8 Development and Hacking thread because I don't have the required 10 posts yet.
Seems like a feasible idea, I'll take a look on how the store works but I think the XAP's still need to be signed by a trusted root to this works.
I'll post any updates here as I can't post on dev section x.x
This idea is older than WP8, and it doesn't work. First of all, the apps themselves (as opposed to the data about them) are delivered over an encrypted channel that uses certificate pinning; we can't intercept or modify it. Second, the Store will only install Microsoft-signed (and probably only DRMed) apps. Unsigned apps failed to install through this channel back on WP7. Third, even if we could install the apps this way, hey would still be unsigned. The OS would thus treat them as developer apps. Developer apps on phones where the MaxUnsignedApp registry value is less than 300 are limited to the standard third-party app capabilities, meaning no INTEROPSERVICES or similar.
By all means, go ahead and poke at it - WP8 has surprised me before with weaknesses it has relative to WP7 - but don't expect this to work even if you get past the first issue (which *does* exist on WP8).
Did someone contact reker? We need to figure out how he did this. I can't tell if he succeeded into linking an app to the custom app page because when I click install, I get an error message : "This app is not available for your region", maybe I need to change my region to China and try again.
@GoodDayToDie : Won't the phone be tricked by the store installation, thinking it's an encrypted app? Does it matter whether the app is encrypted or not if someone manages to link an app to a custom app page, because Windows Phone app weren't always encrypted to my recollection (this may predate the WP8 era, if so we're screwed ). And if it matters, can we encrypt the app ourselves by using a encryption method like AES, SHA, MD5, ... ? Unlikely hypothesis, but if someone would succeed in doing all this, could the SamWP8 tool be used to increase the HKEY_Local_Machine\Software\Microsoft\DeviceReg\Install MaxUnsignedApp value beyond 300 to unlock interop capabilities? Are the EnableAllSideloading.xap and Bootstapper.xap also usable on other WP than Samsung or do they need to be recoded to work on WP of other manufacturers?
EnableAllSideloading.xap and Bootstapper.xap depends on Samsung diagnosis tool and it's RPC server that runs on LocalSystem account that has "unlimited" registry access, it's not available on other manufacturers.
Tonight I will start my experiments on it.
greenboxal said:
EnableAllSideloading.xap and Bootstapper.xap depends on Samsung diagnosis tool and it's RPC server that runs on LocalSystem account that has "unlimited" registry access, it's not available on other manufacturers.
Tonight I will start my experiments on it.
Click to expand...
Click to collapse
I was wondering how you could flash the bootloader of Android on the Ativ S as the Secure Boot made by Qualcomm is locked by a blown fuse (it's a hardware issue, not only a software issue you must deal with).
bruce142 said:
I was wondering how you could flash the bootloader of Android on the Ativ S as the Secure Boot made by Qualcomm is locked by a blown fuse (it's a hardware issue, not only a software issue you must deal with).
Click to expand...
Click to collapse
SecureBoot checks signature of the bootloader by a known public key, the case is that Samsumg uses the *same* key for android and wp8 bootloaders.
greenboxal said:
SecureBoot checks signature of the bootloader by a known public key, the case is that Samsumg uses the *same* key for android and wp8 bootloaders.
Click to expand...
Click to collapse
If this checks out, what does it mean, could we flash android on the Ativ S? Or could you even make a dual-boot scenario possible? Great find by the way, :good:.
bruce142 said:
If this checks out, what does it mean, could we flash android on the Ativ S? Or could you even make a dual-boot scenario possible? Great find by the way, :good:.
Click to expand...
Click to collapse
Yes, it's the same hardware as SGS3 Snapdragon 4 version. But let go back to the topic, if you have some question about it send me a PM or post on my R&D thread
greenboxal said:
Yes, it's the same hardware as SGS3 Snapdragon 4 version. But let go back to the topic, if you have some question about it send me a PM or post on my R&D thread
Click to expand...
Click to collapse
I can't post yet in your R&D thread because I don't have the met the 10 post requirement yet.
Edit : I can install reker's "by @ reker" app when changing the region to China, and this is interesting (pasted directly from his WMAppManifest.xml) :
<?xml version="1.0" encoding="UTF-8"?>
-<Deployment AppPlatformVersion="8.0" xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment">
<DefaultLanguage xmlns="" code="zh-CN"/>
-<Languages xmlns="">
<Language code="zh-Hans"/>
</Languages>
-<App xmlns="" PublisherId="{9b1d1b5b-f206-4b27-a139-89659591061b}" IsBeta="false" PublisherID="{b259af64-2f7d-4a89-983f-836325480629}" Publisher="智机网_WPXAP" Description="智机市场官方版" Author="智机网_WPXAP" Genre="apps.normal" Version="2.0.0.0" RuntimeType="Silverlight" Title="智机市场" ProductID="{59bd999b-496e-4e05-afce-94b67ba6e862}">
<IconPath IsResource="false" IsRelative="true">Assets\ApplicationIcon.png</IconPath>
-<Capabilities>
<Capability Name="ID_CAP_IDENTITY_DEVICE"/>
<Capability Name="ID_CAP_IDENTITY_USER"/>
<Capability Name="ID_CAP_NETWORKING"/>
<Capability Name="ID_CAP_PUSH_NOTIFICATION"/>
<Capability Name="ID_CAP_SENSORS"/>
<Capability Name="ID_CAP_WEBBROWSERCOMPONENT"/>
<Capability Name="ID_CAP_APPOINTMENTS"/>
</Capabilities>
-<Tasks>
<DefaultTask Name="_default" ActivationPolicy="Resume" NavigationPage="MainPage.xaml"/>
</Tasks>
-<Tokens>
-<PrimaryToken TaskName="_default" TokenID="WpXapToken">
-<TemplateFlip>
<SmallImageURI IsResource="false" IsRelative="true">Assets\Tiles\FlipCycleTileSmall.png</SmallImageURI>
<Count>0</Count>
<BackgroundImageURI IsResource="false" IsRelative="true">Assets\Tiles\FlipCycleTileMedium.png</BackgroundImageURI>
<Title/>
<BackContent/>
<BackBackgroundImageURI/>
<BackTitle/>
<DeviceLockImageURI/>
<HasLarge/>
</TemplateFlip>
</PrimaryToken>
</Tokens>
-<Extensions>
<Protocol Name="wpxap" TaskID="_default" NavUriFragment="encodedLaunchUri=%s"/>
</Extensions>
-<ScreenResolutions>
<ScreenResolution Name="ID_RESOLUTION_WVGA"/>
<ScreenResolution Name="ID_RESOLUTION_WXGA"/>
<ScreenResolution Name="ID_RESOLUTION_HD720P"/>
</ScreenResolutions>
</App>
</Deployment>
@bruce142: The store may or may not care about the DRM - that was in place by the time WP8 came out, but WP7 didn't have it for a long time - but it absolutely cares about the signatures. More accurately, actually, the XAP install code (which the store invokes) cares about the signatures. There's no "tricking" it; the signature is quite plainly there, or it's not. You don't exactly have to look hard to find it. The app launch code *also* cares about signatures. Non-sideloaded apps won't have ID_CAP_DEVELOPERUNLOCK, which is a special capability automatically added to sideloaded apps to allow them to launch even though they don't have signatures. Without that capability (or rather, without the SID which the token of an app with that capability gets at chamber creation), the kernel will refuse to load the unsigned executable binaries.
GoodDayToDie said:
@bruce142: The store may or may not care about the DRM - that was in place by the time WP8 came out, but WP7 didn't have it for a long time - but it absolutely cares about the signatures. More accurately, actually, the XAP install code (which the store invokes) cares about the signatures. There's no "tricking" it; the signature is quite plainly there, or it's not. You don't exactly have to look hard to find it. The app launch code *also* cares about signatures. Non-sideloaded apps won't have ID_CAP_DEVELOPERUNLOCK, which is a special capability automatically added to sideloaded apps to allow them to launch even though they don't have signatures. Without that capability (or rather, without the SID which the token of an app with that capability gets at chamber creation), the kernel will refuse to load the unsigned executable binaries.
Click to expand...
Click to collapse
I understand, the app has to be signed before it can be uploaded to the store, but does the developer of an app not sign its app when he assembles it or does the store sign the app itself? I see no threshold here, as signing an app is not a problem, or is it? I still admire that reker managed to make an app page by using a proxy which isn't normally there and successfully linked an app to it, which I was able to download and it contained elevated capabilities, I thought the ID_CAP capabilities were all interop capabilities (correct me if I'm wrong). Could someone make the old version of the Samsung Diagnostic tool available this way which users with other WP than the Ativ S/Ativ S Neo might able to use to modify the MaxAppUnsigned value and unlock more capabilities, or is this impossible? If only we knew how reker did this, ...
bruce142 said:
I understand, the app has to be signed before it can be uploaded to the store, but does the developer of an app not sign its app when he assembles it or does the store sign the app itself? I see no threshold here, as signing an app is not a problem, or is it? I still admire that reker managed to make an app page by using a proxy which isn't normally there and successfully linked an app to it, which I was able to download and it contained elevated capabilities, I thought the ID_CAP capabilities were all interop capabilities (correct me if I'm wrong). Could someone make the old version of the Samsung Diagnostic tool available this way which users with other WP than the Ativ S/Ativ S Neo might able to use to modify the MaxAppUnsigned value and unlock more capabilities, or is this impossible? If only we knew how reker did this, ...
Click to expand...
Click to collapse
ID_CAP's aren't all Interop capabilities, most of them are available for every app, and the ones you posted are, afaik, normal ones that don't need and Interop Unlock.
GoodDayToDie is right. His answer is very detail.
You may replace a xap with homebrew one in theory, but phone will never launch a store app without MS signature. Every single dll is signed by MS, and phone will check it.
Few questions and opinions:
The signature is used only for allowing the app to be installed on the device right?
Is the signature after added to the app a constant for the whole time or is it changing from time to time?
If the signature is used only for allowing an app to be installed, can we somehow make an virtual MS Server (Using FIddler for example), who can clone the real one and give us an offline signing of the app`s when installing them?
Can a signature be pulled off from an original installed app and the be put in to an another one?
cevi said:
Few questions and opinions:
The signature is used only for allowing the app to be installed on the device right?
Is the signature after added to the app a constant for the whole time or is it changing from time to time?
If the signature is used only for allowing an app to be installed, can we somehow make an virtual MS Server (Using FIddler for example), who can clone the real one and give us an offline signing of the app`s when installing them?
Can a signature be pulled off from an original installed app and the be put in to an another one?
Click to expand...
Click to collapse
The signature is checked when running the application, every PE image on the device should have a valid digital signature.
You don't seem to understand how it works, the signature is any kind of hash, let's say, SHA256, of the entire file. This signature is encrypted with the signee private key. If you change one single bit of the file, the hash will change, and so the signature will be invalid.
There are few ways to exploit this kind of security, like generating a hash collision or breaking the private key, both would take million of years.
I do really don't understand the whole process I was just giving some noob suggestions.
It's strange for me that after the app is installed it doesn't require an active network to start.So I am wondering if it could be possible to trick the app to start somehow?
Sent from my Windows Phone 8S by HTC using Tapatalk
While suggestions are always welcome, you really should read up on digital signatures and how they work. @greenboxal's explanation seems like it might have gone over your head a bit... The fact that you didn't understand about ID_CAP_* also means you've probably never looked at WP development, or even looked at the manifest of a WP app, either; you may want to do some of that. Until you do so, it would be only by the sheerest crazy luck that you managed to hit on a solution, because you don't even know what you're actually trying to accomplish!
For example, it's pretty obvious why there's no need for a network connection to start an app, once it's installed. There's a license on WP apps, which is checked when the app is installed (requires Internet access) and is then valid for some time (never checked how long exactly, probably years though). The signatures are different. When the app is installed, the signing certificate (which contains the public key, but not the private key, of the keypair used to sign the app) is extracted from the app and checked to see whether it is trusted by Microsoft (the phone has Microsoft's certificates embedded in the OS; it doesn't need a network connection for this). When you try to launch the app, it checks to see whether the signatures on each binary (which are, as greenboxal mentioned, created by taking the cryptographically secure hash of the binary and then applying something like encryption to it using the private key) are valid (it applies the public key to the signature to get the signing hash back, and checks whether that hash still matches). We (developers) can't fake store signatures ourselves, because we don't have Microsoft's private keys. Therefore the phone wouldn't trust our signatures (make sure you read up on the concept of a "chain of trust" and the concepts of public key cryptography and public key infrastructure in general too) and would refuse to load the binaries. The process of verifying signatures is just a bunch of math once you've already got the public keys, and those are, as I said, extracted from the app at install (for individual apps) and stored in WP8 itself (for the Store-wide signing key); no need to access the network.
Thanks guys for clearing this up for me.I know that it`s not that simple as i say.Anyway, just keep up the good work.We the Noobs depend from you.
If you are not those who you really are i personally know that i will never buy a Windows Phone again.You are the reason for the MS`s profit.
Sorry again for jumping in into this "battle".
This thread is becoming way out of hand, question is asked and answered : adding a app via proxy which may interop-unlock other WP is not possible. Locking thread now.
PS : yay, ten posts.

Accessing features in Windows phone 8(.1) development

When developing an application for desktop windows, there's always a way to access functionality - sometimes through back doors like the registry, etc... I'm developing an application for Windows Phone 8.1, but there are certain pieces of functionality that aren't exposed in the PRT APIset that is available to me. For example, we want to ensure that the user has password protection on the lock screen when using the application. There doesn't seem to be any associated APIs to readily use. So my question is, are there back door ways to do such things? How? Is there a way to access ALL system settings - like a registry or something of the like?
proch said:
When developing an application for desktop windows, there's always a way to access functionality - sometimes through back doors like the registry, etc... I'm developing an application for Windows Phone 8.1, but there are certain pieces of functionality that aren't exposed in the PRT APIset that is available to me. For example, we want to ensure that the user has password protection on the lock screen when using the application. There doesn't seem to be any associated APIs to readily use. So my question is, are there back door ways to do such things? How? Is there a way to access ALL system settings - like a registry or something of the like?
Click to expand...
Click to collapse
Another question would be - if something like intune can enforce lock screen password policies, shouldn't I be able to do it the same way that intune does it? If so, how? If not - why not?
It's not possible to check if user enabled lock screen password or not as far as I know
but if you want to made your app secure (because it may include important data)
you can create a password for your own application !
I did it in a little notepad app my password page allow user to set a password with all English and Persian Characters , numbers and special Chars like [email protected]#$ and etc.
Sent from my RM-994_eu_poland_1183 using Tapatalk
It's pretty easy to check, using the registry, but at least in 8.0 that's not allowed at all for store apps (your app would get rejected). I don't know if the rules changed for 8.1. There are ways to sneak past the store checks, but they could pull your app from the store if they ever found out. I know of at least three ways to access the registry APIs (4 in WP8.1) and two of them are pretty hard to detect unless somebody checks for them specifically... but they're the kind of technique that malware uses, so such checks may be in place.
I don't know what InTune is doing, specifically - I'd need to pull the app apart to see - but there are special application capabilities (not normally available to third-party developers) that can query and even set policies. Apps without those capabilities will get Access Denied if they try to use the same methods though, and normally you can't add those capabilities to your app.
GoodDayToDie said:
It's pretty easy to check, using the registry, but at least in 8.0 that's not allowed at all for store apps (your app would get rejected). I don't know if the rules changed for 8.1. There are ways to sneak past the store checks, but they could pull your app from the store if they ever found out. I know of at least three ways to access the registry APIs (4 in WP8.1) and two of them are pretty hard to detect unless somebody checks for them specifically... but they're the kind of technique that malware uses, so such checks may be in place.
I don't know what InTune is doing, specifically - I'd need to pull the app apart to see - but there are special application capabilities (not normally available to third-party developers) that can query and even set policies. Apps without those capabilities will get Access Denied if they try to use the same methods though, and normally you can't add those capabilities to your app.
Click to expand...
Click to collapse
Thanks for this great and detailed information. See, that's exactly what I'd do if I were developing a desktop app - since i know that intune does it, I'd figure out how intune does it and voila. I'm finally getting over the idea that the same methodologies apply to windows phone development.
For my own educational purposes (since I want to understand this platform better), I would really like to know specifically how you go about accessing the registry APIs (for example). If there's any way for you to describe any number of these methods, I'd greatly appreciate it. Thanks again!
My NativeAccess libraries (check my signature, or search on the forum or on Codeplex) contain an example of one way to access the registry. The code is open-source; you may use the libraries as-is (don't expect to get them into the store, though I won't stop you from trying), use the source code as a reference, or modify/build them yourself; the license is very liberal (MS Permissive). The functions I use are generally documented on MSDN, in the desktop APIs section; the phone has the same functions, although the DLL names are changed and the header files hide them.

Windows phone security- is there one and if so, how does it work?

Hi,
So, Android has a permission system which albeit somewhat flawed (malware can gain permissions not intended for it) and not very suitable for laymen (non rooted phones have to either accept all permissions or be denied from the app. In many programs people don't have the luxury of not using them) theoretically has merit. IOS has...well actually I'm not sure how it works security wise but I pressume it creates sandboxes for each app, layman wise it is reasonable since you (theoretically) can deny access for all programs to certain components (no need to jailbreak).
How does WP works?
Thank you.
Security is different, apps can't do as much as on android. But iOS is better in this, because capabilities are like in Android: you can see what the apps want prior to installing them, but blocking some of them isn't possible.
I am very saddened to hear this.
Is there an ability in place similar to Androids rooting?
Also, what do you mean by "apps can't do as much as on android"?
Thank you!
@th0mas96's post is technically *mostly* accurate but very confusing and doesn't actually answer your question at all.
The short version is that WP apps use a capability-and-sandbox system much like iOS and Android, with each app getting a sandbox that gives it read-only access to the app-specific install directory and the global system directory, read/write access to the app-specific data directory, and access to whatever other stuff is specified in the capabilities. Capabilities are currently all-or-nothing; you can't reject or disable any capability except by just not installing the app.
I could go into the technical implementation of the system a bit, but the short version is that WP8 apps use fairly standard NT (as in the NT kernel that is at the core of PC Windows versions) security features: each app has a unique token (rather than inheriting the token of the process that crated it, the way it normally works on PC but very much like how Windows Store apps work on Win8) which contains the app-specific Security IDentifier (SID) that gives access to the app directories, plus the SIDs of the various capabilities that the app has.
What @th0mas96 was talking about is that WP capabilities usable by third-party developers are much more restrictive than they are on Android. For example, Android allows an app have full read-write access to your contacts or to send SMS directly. WP8 doesn't allow that unless you use capabilities that are normally neither allowed on the store nor allowed in sideloaded apps (Microsoft's code can have them, of course - that's how the built-in SMS app works - but not Joe Random Dev). The downside of this is obvious; some app behaviors (like a full replacement for the SMS app or phone dialer) are not possible. The upside is that apps are *way* more limited in how malicious they can be; the most common way that Android malware makes money (remember, the vast majority of malware is for profit) is by sending SMS to "premium" numbers. On WP8, an app could *compose* such a message, but it couldn't *send* it for you (unless it had a capability that third-party apps normally can't have) so you'd have a chance to see what the app was doing and decide not to send that message after all.
This means that the ability to disable capabilities is much less important on WP8 than on Android.
Oh, then those restrictions are actually good news.
Aside from from your typical run-of-the-mill malware my main concern was actually privacy. I have a huge displeasure from apps like Whatsapp which on android takes a whole plethora of liberties and was hoping that perhaps some other system may contain their user data voracity and their ability to control the divice their on.
Is there any link in which I could see the full list of those restrictions?
I'm still downhearted from not having a more fine grained control of the system but maybe it still has it uses in some scenarios...
Also, thank you very much for your comprehensive explanation!
i found a tiny file stored inside some of the unbranded htc accord RUUs. its call disablewriteprotect.test. the only thing the file contains is a sentence stating write protection will be disabled until this file is removed. followed by a music note and some other symbol. so there you go thats how you make your entire htc 8x read and write. one file less than 1kb in size. ROOT!
but how can we flash this file. im still working on it. this file is located within the efi partition which also houses the ffuloader.efi, and severl other efi executables. check this post http://forum.xda-developers.com/showthread.php?p=53687985#post53687985
you wont find that on google search.
Sent from my Galaxy Nexus using XDA Free mobile app
Window phone Security Issues
Your Windows Phone is secure by design. Many security features are turned on by default. For example, apps you download from the Windows Phone Store are tested by Microsoft and encrypted to make sure you don't accidentally install malicious software on your Windows phone.
Set a password
Setting up Kid's Corner
If you've ever handed your smartphone to a child, you know that they can quickly get into all sorts of apps and settings they shouldn't. No such worries with Kid's Corner, a place on your phone where your child can play with the games, apps, music and videos
Use the free Find My Phone service
Say yes to updates . check out more at Master Software Solutions - Windows Phone Update
grilledcheesesandwich said:
i found a tiny file stored inside some of the unbranded htc accord RUUs. its call disablewriteprotect.test. the only thing the file contains is a sentence stating write protection will be disabled until this file is removed. followed by a music note and some other symbol. so there you go thats how you make your entire htc 8x read and write. one file less than 1kb in size. ROOT!
but how can we flash this file. im still working on it. this file is located within the efi partition which also houses the ffuloader.efi, and severl other efi executables. check this post http://forum.xda-developers.com/showthread.php?p=53687985#post53687985
you wont find that on google search.
Sent from my Galaxy Nexus using XDA Free mobile app
Click to expand...
Click to collapse
Sounds interesting.
Not something I'd try )) but interesting.
Aman Raien said:
Your Windows Phone is secure by design. Many security features are turned on by default. For example, apps you download from the Windows Phone Store are tested by Microsoft and encrypted to make sure you don't accidentally install malicious software on your Windows phone.
Set a password
Setting up Kid's Corner
If you've ever handed your smartphone to a child, you know that they can quickly get into all sorts of apps and settings they shouldn't. No such worries with Kid's Corner, a place on your phone where your child can play with the games, apps, music and videos
Use the free Find My Phone service
Say yes to updates . check out more at Master Software Solutions - Windows Phone Update
Click to expand...
Click to collapse
I pressume this is an advert for Master Software Solutions, but nevertheless I did google the term you suggested and got nil results. I also browsed the main site of the company itself but haven't found anything related, nor did I find anything on their facebook page.
Regardless, I checked out this Kids corner thing, it's cute but not really security related...
Thx anyway.

Categories

Resources