Uninstall and reinstall bypasses admin password #556

Closed
yanokwa opened this issue Mar 9, 2017 · 13 comments

Comments

@yanokwa (Member) commented Mar 9, 2017

If you set an admin password, and uninstall/reinstall the application, you get access to all the functions that were previously disabled. We should explore either:

  1. Adding documentation to make this behavior clear. Admin password was never meant to be robust. It's more of a convenience feature.
  2. Adding functionality to reset all data when you uninstall the application.
  3. Adding functionality to persist the admin password on reset.
@lakshyagupta21 (Contributor)

Whenever the app gets removed it forgets everything, as it erases everything, even SharedPreferences, so we can't have any other option to save user data or preferences. We can do one thing: let the user set his/her Google account as the admin credentials, so that whenever the app gets reinstalled it will ask for the Google account, and by doing that we can retrieve our function preferences. And even if we reset data, we will still be able to use the Google account for knowing the function preferences.

@shobhitagarwal1612 (Contributor) commented Mar 12, 2017

@lognaturel @nribeka @yanokwa In my opinion, one will only use an admin password when he/she doesn't want other people to interfere with the current settings. So, if the app can be uninstalled or reinstalled without asking the owner's permission, then it is a serious security issue. So what I want to propose is to prevent install/uninstall of the app if the admin password is set up.
One thing that we can do is make use of Device Administration API:

  1. Setting up admin password will make the app a device administrator
  2. Now the app can't be uninstalled without the permission of the owner of the device
  3. Even if anyone tries to uninstall or reinstall the app, he/she will be greeted with a screen displaying that the app can't be uninstalled without the permission of the admin
  4. On removing the password, the app will be removed from the device administrators list

I have also tried setting up the device admin settings in the app and it works perfectly. How does this idea sound?

@shobhitagarwal1612 (Contributor)

Another thing that can be done is to retain the admin password even after uninstall by saving the password in a file on the sdcard instead of shared preferences. When a user uninstalls the app, the odk folder doesn't get removed. So it can be stored there in encrypted form in a hidden file.
So when the app gets reinstalled, the password is still available for authentication

@jnordling (Contributor)

We use SQLite databases to store data about the instances, forms etc. SQLite has SQL standard encrypted formats. Just a thought when reading this.

@yanokwa (Member, Author) commented Apr 18, 2017

@shobhitagarwal1612 I'm liking the device administration idea as the solution to this. Can you (or @lognaturel or @grzesiek2010) think of any downsides?

@shobhitagarwal1612 (Contributor) commented May 23, 2017

Hey @yanokwa. Sorry for replying so late. I can't think of any downsides to this approach. Although, there is one thing that should be discussed. Now that the admin password is shared via QR code, either we should remove the admin password from the QR code or make the password visible after successfully importing it.

@grzesiek2010 (Member) commented Sep 7, 2017

@lognaturel @yanokwa @shobhitagarwal1612
I investigated this issue and Shobhit's proposal. Unfortunately we can't use the mentioned API.
It allows us to block uninstalling the app, but the user can disable this in device settings, so it's not a perfect solution (but maybe it's enough for those not very familiar with new technologies). I've created a new issue for that and we can continue the discussion and investigation there.
When it comes to the password, the only password we can set using this API is a password used to unlock the screen.
@shobhitagarwal1612 thanks again for your time. We were talking today and Shobhit can confirm my thoughts.

To solve this issue I decided just to use a hidden file which will be created on external storage. In this file we will be storing the admin password (MD5 hash). Additionally the file should be stored on external storage (as I said) but not in the odk directory, as sneaky users might try to remove this folder.
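The hidden-file design above stores an unsalted MD5 of the admin password on external storage. The following is an added example (not ODK Collect code) showing what anyone who can read that file can do with such a digest, and a salted, iterated record that could be stored instead. The sample password, the record format and the iteration count are assumptions for illustration.

```python
"""Added example (not ODK Collect code): recovering an admin password from
an unsalted MD5 in a readable file, and a salted PBKDF2 record to store
instead.  Password, record format and iteration count are assumptions.
"""
import hashlib
import hmac
import itertools
import os
import string
from typing import Optional

# Constructed sample: a short numeric admin password, the kind that is
# convenient to type on a field device.  Not taken from any deployment.
ADMIN_PASSWORD = "4821"

# What the hidden-file proposal would write out: hex MD5, no salt.
LEGACY_MD5_RECORD = hashlib.md5(ADMIN_PASSWORD.encode()).hexdigest()


def crack_md5_pin(digest: str, max_len: int = 6) -> Optional[str]:
    """Brute-force a digit-only password from its unsalted MD5.

    External storage was readable by any app holding READ_EXTERNAL_STORAGE
    before scoped storage, so this runs offline against a copied file.
    Every PIN up to six digits is about a million MD5 calls.
    """
    for length in range(1, max_len + 1):
        for digits in itertools.product(string.digits, repeat=length):
            candidate = "".join(digits)
            if hashlib.md5(candidate.encode()).hexdigest() == digest:
                return candidate
    return None


# Salted, iterated alternative.  Record format (assumed, not Collect's):
#   pbkdf2-sha256$<iterations>$<salt hex>$<derived key hex>
PBKDF2_ITERATIONS = 200_000


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a storable record with a random 16-byte salt and PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_record(record: str, password: str) -> bool:
    """Check a password against a record using a constant-time digest compare."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2-sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("recovered from MD5:", crack_md5_pin(LEGACY_MD5_RECORD))
    record = make_record(ADMIN_PASSWORD)
    print("PBKDF2 record verifies:", verify_record(record, ADMIN_PASSWORD))
```

Two caveats follow from running this. A slow, salted hash only buys time in proportion to the password's entropy: ten thousand candidates at 200,000 iterations is still minutes of offline work, so the hash choice matters far less than the password's length. And no hashing scheme addresses the second problem the comment raises, that someone can simply delete or replace the file; a hash only prevents reading the password back, not resetting it.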

@yanokwa (Member, Author) commented Oct 18, 2017

Now that we've had a few people thinking about this, I'm realizing that there are two issues here and maybe we should pull them apart. The two I see are:

  1. Preventing people from uninstalling the app. This seems to be an impossible thing to do reliably on most devices. Maybe #1437 (Add an option in admin settings to prevent from uninstalling the app) can help a bit on devices with multiple users, but the real fix is probably to document that you can't prevent people from uninstalling.

  2. Saving people who accidentally uninstall the app from wiping out all their settings. The uninstall behavior isn't malicious, but once it happens, you lose all your settings because they aren't persisted to disk. This is something we can improve, no?

@heyjamesknight (Contributor) commented Oct 19, 2017

An option I haven't seen mentioned yet is BackupAgentHelper.

@yanokwa this still has some ability to be bypassed (install app then turn off internet, backup won't occur), but we could always encrypt the files on disk with a backed up private key and require the user to connect to retrieve it. That of course then risks the data on disk not being recoverable if the key somehow gets lost, but that's always the issue with security: we're always going to be trading convenience for it.

Could you describe the use case a bit more here?

@heyjamesknight (Contributor) commented Oct 19, 2017

Regarding point #1, there's definitely nothing we can do from the app side to completely prevent it being uninstalled. #1437 is about as good as we're going to get, I'm afraid.

On point #2: we can definitely use BackupAgentHelper here.

@grzesiek2010 (Member)

@jknightco

> we could always encrypt the files on disk with a backed up private key and require the user to connect to retrieve it

what do you mean by "on disk"? external or internal storage?

@heyjamesknight (Contributor)

Yeah, either should work, as long as we can back up the key via BackupAgentHelper.

@seadowg (Member) commented Aug 31, 2020

I'm going to close this as it really feels like a device management issue rather than something Collect should be responsible for.

Actually blocking uninstalls of apps is something that can be achieved using Android Enterprise. If that's not an option then I'd suggest collecting the "Install ID" (which is regenerated on install) for devices and then using it to detect devices that have had Collect reinstalled.

@seadowg seadowg closed this as completed Aug 31, 2020
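The closing comment suggests collecting the Collect "Install ID" per device and using it to detect reinstalls. As an added example (not ODK Collect or server code), this walks submission records in time order and flags every device whose install ID changed, which is the point at which any previously set admin password would have been lost. The record layout and the stable per-device identifier are assumptions; the stable identifier has to come from outside Collect (device management, an asset tag) because anything Collect itself stores disappears with the reinstall.

```python
"""Added example (not ODK Collect or server code): flag devices whose
Collect "Install ID" changed between submissions, i.e. a reinstall.
Record layout and the stable per-device id are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

# Constructed sample rows: (stable device id, Collect install id, submission time).
# The stable id is assumed to come from device management or an asset tag,
# not from Collect, since Collect's own state is wiped on reinstall.
SAMPLE_SUBMISSIONS: List[Tuple[str, str, str]] = [
    ("device-A", "inst-111", "2020-08-01T09:00:00Z"),
    ("device-B", "inst-222", "2020-08-01T10:00:00Z"),
    ("device-A", "inst-111", "2020-08-02T09:00:00Z"),
    ("device-A", "inst-333", "2020-08-03T09:00:00Z"),  # device-A was reinstalled
    ("device-B", "inst-222", "2020-08-04T10:00:00Z"),
    ("device-A", "inst-333", "2020-08-05T09:00:00Z"),
]

# (old install id, new install id, time the new id was first seen)
ReinstallEvent = Tuple[str, str, str]


def find_reinstalls(
    submissions: Sequence[Tuple[str, str, str]],
) -> Dict[str, List[ReinstallEvent]]:
    """Walk submissions in time order and record each install-id change per device.

    The install id is regenerated on install, so a change between two
    submissions from the same device means Collect was reinstalled in
    between and its admin settings, including the password, were reset.
    """
    last_install: Dict[str, str] = {}
    events: Dict[str, List[ReinstallEvent]] = defaultdict(list)
    for device, install, seen_at in sorted(submissions, key=lambda row: row[2]):
        previous = last_install.get(device)
        if previous is not None and previous != install:
            events[device].append((previous, install, seen_at))
        last_install[device] = install
    return dict(events)


if __name__ == "__main__":
    for device, changes in find_reinstalls(SAMPLE_SUBMISSIONS).items():
        for old, new, when in changes:
            print(f"{device}: install id {old} -> {new}, first seen {when}")
```

This only detects a reinstall after the fact, from the next submission the device sends; it cannot prevent one, and a device that never submits again is never flagged, which matches the comment's framing of this as a device-management problem rather than something the app can enforce.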
7 participants