Have any of you app developers faced this situation: You have an app that needs to download data from the Internet, but don't want to add the Internet permission to your application, because it may deter some users from installing the app. Moreover, the data may be large and may need to be saved to the SD card, which requires yet another permission. You also need to ensure that a network is available currently, which means more permissions (WiFi state, etc).
Here's my proposed solution: A URL fetch service
This will be a simple app which accepts URL fetch requests from other applications and fetches them (HTTP GET) from the internet as a background service. Upon completion, the data can be returned to the application as a byte stream.
Since this is based on a callback, the network need not be currently available. The service will (optionally) queue the request and fetch whenever a network is available.
Another useful feature would be avoiding duplicate requests. For example, an app may want to fetch some data periodically, say every two hours. But if the network is not available for two days, then only one request should be made when the network becomes available, not 50! This could be done by letting the app assign a unique id to the request. Requests that have the same id will over-write other requests from the same app with the same id.
Logging and Filtering
From the user point of view, there is tremendous advantage in having a centralized URL Fetcher, because she will be able to Log the requests that go through it, and also filter some requests. For example, she could filter an app that she doesn't want to be updated (for whatever reason).
Distribution:
The app will be open-source and made available on all App markets and also as a direct APK download.
The only hurdle to this idea that I can see is that the app will have to be installed separately by the user. The problem will be reduced over time as more and more apps use this service. So the chances of the app being already present will increase. Also, custom ROMs might pre-package this app, so it will be present by default.
__________________________________
Your thoughts?
Update:
I have begun coding this up. You can follow / contribute here:
https://github.com/hrj/SafeNet/
Questions or Problems Should Not Be Posted in the Development Forum
Please Post in the Correct Forums
Moving to Q&A
For an app like that, you are not going to be able to not allow the internet permission. It needs it to fetch the URL (from the internet) so it has to use it... Unless you have a huge database of all URL's stored on your sd card .
Theonew said:
For an app like that, you are not going to be able to not allow the internet permission. It needs it to fetch the URL (from the internet) so it has to use it
Click to expand...
Click to collapse
Yes indeed. The fetch service app will have the Internet permission, and the read/write to SD card permission. The idea is to reduce the number of entities that the user has to trust.
And since the service app will be open-source, the user can compile her own version and install it. In that case, she doesn't even have to trust anyone else.
I have put up a tentative project and have some working code already in my local repository. If you would like to follow the progress or would like to contribute, here's the GitHub link:
https://github.com/hrj/SafeNet/
cheers!
h_r_j said:
the user can compile her own version and install it. In that case, she doesn't even have to trust anyone else.
Click to expand...
Click to collapse
Great. One thing... all the users of your app aren't only female...
Theonew said:
Great. One thing... all the users of your app aren't only female...
Click to expand...
Click to collapse
I guess you are right.. I didn't check thoroughly
But seriously, he / she / it doesn't really matter. I don't like typing "he or she" in every sentence. So, I just pick between those words randomly.
h_r_j said:
I guess you are right.. I didn't check thoroughly
But seriously, he / she / it doesn't really matter. I don't like typing "he or she" in every sentence. So, I just pick between those words randomly.
Click to expand...
Click to collapse
Just put "they" .
Hi nice to meet you, i am crystalboy87 and this is my first post. I'm very happy to join in this fantastic forum.
Lets start with same question
I have started many month ago to programming android apps (at the moment none of my creation are in the market).
Parallel to this i have start a week ago to learn how to reverse engineer apk and crack it because i want to make an harder protection to my application.
For game and learn i have try with this app that is free:
Efficiency (free) - Nubbu Apps (i can't give a link because i am a new user )
This app have a stupid protection for check if it is the free app or not i an boolean value called Free_App that at the start was initialized to True in the main activity.
I have managed this application with Apktool and get the smali code, after that i have saved it and use xdaAutoTool 4.03 for repack it.
When i try to install the application on my phone (Samsung Galaxy S3) i have this message: Application not istalled (with a cross near this label).
My question is why? When i use the function Recompile-Rebuild all in xdaAutoTool i have all ok.
[*] Processing Efficiency_(Free)_1.6 folder...
-----------------------------------------------------
Recompiling Efficiency_(Free)_1.6.apk...
I: Smaling...
I: Building resources...
I: Building apk file...
DONE!
-----------------------------------------------------
[*] Efficiency_(Free)_1.6.apk
-----------------------------------------------------
Can someone explain to me where i am wrong please?
Thank you
What you describe is an unethical form of reverse engineering called cracking.
There are many better ways to learn reverse engineering.
zgx said:
What you describe is an unethical form of reverse engineering called cracking.
There are many better ways to learn reverse engineering.
Click to expand...
Click to collapse
I disagree with you because if i really want to crack an application, do you think that i will try with a free app?
I am against to piracy, i want to learn only for protect much better my application, and the only way for learn is to try.
The strange thing is also if I don't edit the original code but i only decompile and rebuild this app without touch it's code it doesn't work and give me the error: Application not installed when i try to install in my phone.
Why? There is a type of protection or xdaAutoTool don't work correctly with this app?
Anyone can check and explain to me plese? :fingers-crossed:
Thanks to all
Did you sign the app?
Alot of developers are making their apps non decompilable now. So it just maybe the app. Just a heads up. People will always find a way to crack the app if they want it bad enough
Batcom2
XperienceD said:
Did you sign the app?
Click to expand...
Click to collapse
xdaAutoTool don't sign it in automatic mode when i use Recompile-BuildAll button?
zelendel said:
Alot of developers are making their apps non decompilable now. So it just maybe the app. Just a heads up. People will always find a way to crack the app if they want it bad enough
Batcom2
Click to expand...
Click to collapse
In which mode i can do the same thing? If i want to do an app non decompilable? There are special setting to set in eclipse? If you have more information can you link me something? i will very happy to study and implement this.
crystalboy87 said:
In which mode i can do the same thing? If i want to do an app non decompilable? There are special setting to set in eclipse? If you have more information can you link me something? i will very happy to study and implement this.
Click to expand...
Click to collapse
I am not sure how they do it but this will not prevent it as most cracked apps are done by hex edits and not by decompiling it.
zelendel said:
I am not sure how they do it but this will not prevent it as most cracked apps are done by hex edits and not by decompiling it.
Click to expand...
Click to collapse
Yes i know but it is more difficult such as decompiling the apk and get the source code.
I have another question, in a smali file i have more markers ".line xx" where xx is an integer number that identify the current line of code.
i have try to add custom code in my decompiled application for see if it works but when i rebuild it the app doesn't run on the phone.
There is an explanation? The .line markers are necessary?
crystalboy87 said:
Hi nice to meet you, i am crystalboy87 and this is my first post. I'm very happy to join in this fantastic forum.
Lets start with same question
I have started many month ago to programming android apps (at the moment none of my creation are in the market).
Parallel to this i have start a week ago to learn how to reverse engineer apk and crack it because i want to make an harder protection to my application.
For game and learn i have try with this app that is free:
Efficiency (free) - Nubbu Apps (i can't give a link because i am a new user )
This app have a stupid protection for check if it is the free app or not i an boolean value called Free_App that at the start was initialized to True in the main activity.
I have managed this application with Apktool and get the smali code, after that i have saved it and use xdaAutoTool 4.03 for repack it.
When i try to install the application on my phone (Samsung Galaxy S3) i have this message: Application not istalled (with a cross near this label).
My question is why? When i use the function Recompile-Rebuild all in xdaAutoTool i have all ok.
[*] Processing Efficiency_(Free)_1.6 folder...
-----------------------------------------------------
Recompiling Efficiency_(Free)_1.6.apk...
I: Smaling...
I: Building resources...
I: Building apk file...
DONE!
-----------------------------------------------------
[*] Efficiency_(Free)_1.6.apk
-----------------------------------------------------
Can someone explain to me where i am wrong please?
Thank you
Click to expand...
Click to collapse
You can try 'Anti Decompiler(Android)Trial' on google play for protecting your project .
https://play.google.com/store/apps/details?id=com.tth.AntilDecompilerTrial
'Anti decomplier (android)' App uses a new approach for protection, it protects your android app at source code level
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
XPrivacyLua custom hook definitions
By using XPrivacyLua you can define Xposed hooks and apply them to any app at run time (so, rebooting your device is not necessary). You can write hook code on your device in Lua, which is quite easy to learn.
See the documentation about how to define hooks.
Although XPrivacyLua has 'privacy' in its name, new hooks don't need to be privacy related at all. Disabling the built in privacy related hooks is a matter of selecting another collection of hooks.
This XDA thread is meant to discuss defining hooks, with the restriction that hook definitions must serve a legally allowed purpose. This XDA thread is not meant to make you a developer, so at least some development experience is expected, which means that you'll need to be able to figure out where to hook yourself and that you'll need to be able to write Lua scripts yourself.
XDA:DevDB Information
XPrivacyLua hook definitions, Xposed for all devices (see above for details)
Contributors
M66B
Xposed Package Name:
Version Information
Status: Beta
Created 2018-01-28
Last Updated 2018-04-01
Could there be a generic "always return true" lua script?
And when building a definition, what does it mean to be in a group and collection? Do I just put anything there or do I have to call them something particular?
Well, I'm trying but I'm lost. Just trying to setAnalyticsCollectionEnabled
https://firebase.google.com/support/guides/disable-analytics
Code:
public void setAnalyticsCollectionEnabled (boolean enabled) = false
supposedly disables Firebase Analytics (which apparently 67% of the top 200 apps use).
My definition looks like
Collection: privacy
Group: firebase
Name: firebase.analytics
author: whatever
class: com.google.firebase.analytics
method:setAnalyticsCollectionEnabled
parameter type: void
return type: boolean
min/max sdk: 1/999
lua script: @generic_false_value I suppose I can use this?
Even if this looks valid, it feels like maybe this wouldn't fire unless certain other things happen first? Looking at your hooks.json for google analytics it looks like you had to maybe set a chain of events to occur to get to the point of controlling the method you intend to make changes?
jawz101 said:
Could there be a generic "always return true" lua script?
And when building a definition, what does it mean to be in a group and collection? Do I just put anything there or do I have to call them something particular?
Well, I'm trying but I'm lost. Just trying to setAnalyticsCollectionEnabled
https://firebase.google.com/support/guides/disable-analytics
Code:
public void setAnalyticsCollectionEnabled (boolean enabled) = false
supposedly disables Firebase Analytics (which apparently 67% of the top 200 apps use).
My definition looks like
Collection: privacy
Group: firebase
Name: firebase.analytics
author: whatever
class: com.google.firebase.analytics
method:setAnalyticsCollectionEnabled
parameter type: void
return type: boolean
min/max sdk: 1/999
lua script: @generic_false_value I suppose I can use this?
Even if this looks valid, it feels like maybe this wouldn't fire unless certain other things happen first? Looking at your hooks.json for google analytics it looks like you had to maybe set a chain of events to occur to get to the point of controlling the method you intend to make changes?
Click to expand...
Click to collapse
The built-in scripts are not meant for general use because they might change over time breaking stuff that depends on them. Therefore imported definitions are not linked against the built-in scripts. If needed, you can simply copy and paste the Lua script from another (built in) definition. Copying guarantees your definition will keep working, even when the built-in scripts are changed or even removed.
Calling setAnalyticsCollectionEnabled requires access to an instance of FirebaseAnalytics, which apps needs to get by calling getInstance. So, hook getInstance to call setAnalyticsCollectionEnabled(false) and hook setAnalyticsCollectionEnabled to prevent an app from turning analytics on again.
Restricting Google Analytics (available in the next release of XPrivacyLua) works similar:
https://github.com/M66B/XPrivacyLua/blob/master/app/src/main/assets/ga_getinstance.lua
https://github.com/M66B/XPrivacyLua/blob/master/app/src/main/assets/ga_setdryrun.lua
You can also wait until I have added this ...
But firebase isn't necessarily the same thing, right?
jawz101 said:
But firebase isn't necessarily the same thing, right?
Click to expand...
Click to collapse
No, Google Analytics and Firebase Analytics are not the same and need different definitions.
Restricting Firebase Analytics works properly with these hook definitions:
https://github.com/M66B/XPrivacyLua/commit/1708fc6e4a15cef85cb973f5c08286d90d3ca806
jawz101 said:
And when building a definition, what does it mean to be in a group and collection? Do I just put anything there or do I have to call them something particular?
Click to expand...
Click to collapse
With the latest version of XPrivacyLua / companion app you can change the collection of hooks to use in XPrivacyLua. The default is to use the collection 'Privacy'. You can define your own collection by definition hooks with a new collection name. There can only be one collection active at one time, so if you want to add your own definitions to the built-in privacy collection you'll have to use the collection 'Privacy'. Basically collections exists to allow using XPrivacyLua for things other than privacy.
Groups are listed in the XPrivacyLua app and make it easy to apply a group of hooks to one or more apps. XPrivacyLua cannot and will not handle applying individual hooks to keep things simple, but I might add this to the pro companion app in the near feature. For now you can rename a group of an existing hook definition to be able to apply it separately in XPrivacyLua.
Edit: this has been clarified in the documentation too now: https://github.com/M66B/XPrivacyLua/blob/master/DEFINE.md
I still have some questions on when,where,how etc.... but I will wait until I can dedicate more time to playing with this.
I do have a feature request.
could there be a sort of drop down box that queries all valid entries for each item when creating a custom definition.
for example...
when creating a custom definition, when taping on the line for group, you would just type a new group (as it is now) but if there was a drop down arrow at the end of the line that could give a list of currently used groups and then the user could just click the listed group instead of typing and it would auto-fill that field.
maybe even more useful would be for the other items like Name,Class, Method etc...
where it could show possible entries. That would help a lot.
... I turned on notifications for your new Firebase rules. I would think a bunch of apps I have use Firebase Analytics. @M66B Have you seen any apps trigger it yet?
Even if the app imported Firebase Analytics library and gathers Firebase Analytics but never uses the setAnalyticsCollectionEnabled() method in its own code would it mean this hook will never trigger?
With the latest version of XPrivacyLua / companion app you can change the collection of hooks to use in XPrivacyLua. The default is to use the collection 'Privacy'. You can define your own collection by definition hooks with a new collection name. There can only be one collection active at one time, so if you want to add your own definitions to the built-in privacy collection you'll have to use the collection 'Privacy'. Basically collections exists to allow using XPrivacyLua for things other than privacy.
Click to expand...
Click to collapse
Thanks:highfive:.
This is just a suggestion but if this was my app I would break these 2 elements out to separate screens from the definition builder. You would define collections and groups in a separate spot, and then when building rules the collections and groups would pull in as a selectable dropdown. Avoids typos and helps to explain how there can be only one active collection for XPrivacyLua.
mnjm9b said:
I still have some questions on when,where,how etc.... but I will wait until I can dedicate more time to playing with this.
I do have a feature request.
could there be a sort of drop down box that queries all valid entries for each item when creating a custom definition.
for example...
when creating a custom definition, when taping on the line for group, you would just type a new group (as it is now) but if there was a drop down arrow at the end of the line that could give a list of currently used groups and then the user could just click the listed group instead of typing and it would auto-fill that field.
maybe even more useful would be for the other items like Name,Class, Method etc...
where it could show possible entries. That would help a lot.
Click to expand...
Click to collapse
I will see what I can do for collection and group, but all the other fields are flexible and depend on the hook.
jawz101 said:
... I turned on notifications for your new Firebase rules. I would think a bunch of apps I have use Firebase Analytics. @M66B Have you seen any apps trigger it yet?
Even if the app imported Firebase Analytics library and gathers Firebase Analytics but never uses the setAnalyticsCollectionEnabled() method in its own code would it mean this hook will never trigger?
Click to expand...
Click to collapse
An app will normally not disable/enable analytics given the default is enabled and the user has mostly no choice in this. So see this hook as a safeguard to prevent an app enabling analytics again after we disabled it in another hook
M66B said:
An app will normally not disable/enable analytics given the default is enabled and the user has mostly no choice in this. So see this hook as a safeguard to prevent an app enabling analytics again after we disabled it in another hook
Click to expand...
Click to collapse
Would there be a way to introduce the app to calling it? Or maybe that's what you're implying. Also, have you noticed that system and google apps seem to gray out the read identifiers permission? Ex: set read identifiers as restricted on Android Webview or Google Photos/Maps/Google TTS. Turns pink Get out of XPrivacyLua and open it again. Read Identifiers is gray. (I'm on LineageOS if that matters)
jawz101 said:
Would there be a way to introduce the app to calling it? Or maybe that's what you're implying. Also, have you noticed that system and google apps seem to gray out the read identifiers permission? Ex: set read identifiers as restricted on Android Webview or Google Photos/Maps/Google TTS. Turns pink Get out of XPrivacyLua and open it again. Read Identifiers is gray. (I'm on LineageOS if that matters)
Click to expand...
Click to collapse
Normally an apps doesn't call the function. Maybe if the user can choose to opt in or opt out, but this is rarely the case.
The other thing should go into the XPrivacyLua XDA thread, but I will look into it anyway.
M66B said:
I will see what I can do for collection and group, but all the other fields are flexible and depend on the hook.
Click to expand...
Click to collapse
Thanks, That's a good start.
Maybe if the "PRO" app takes off enough for you to bother you could charge extra for the expanded feature of having the drop lists change depending on the choices made?
I did have a moment to look over a definition I was playing with for "TIME"
it serves no real purpose so I gave up early but if I could get a better understanding on why it doesn't work it could help with actual ones.
using the FINGERPRINT example I made several other entries that all worked fine but this one caused issue.
I assumed it was because according to https://developer.android.com/reference/android/os/Build.html the type for TIME wasn't "String" but "Long"
this is the last one I tried...
Code:
{
"collection": "Privacy",
"group": "Read.Device",
"name": "Build.TIME",
"author": "M66B",
"className": "android.os.Build",
"methodName": "#TIME",
"parameterTypes": [],
"returnType": "long",
"minSdk": 1,
"maxSdk": 999,
"enabled": true,
"optional": false,
"usage": true,
"notify": false,
"luaScript": "function after(hook, param)\n param:setResult("unknown")\n return true\nend\n"
}
I was also playing with "SUPPORTED_ABIS" which also didn't work and the type was "Sting []" instead of just "String" so I was thinking that was the problem also.
@mnjm9b You are returning a string (series of characters) as a long (number). Try returning just a number (without the quotes).
String[] is an array (mulitple strings), so you need to return an array as well. But I don't know how to do that in Lua right now
Namnodorel said:
@mnjm9b You are returning a string (series of characters) as a long (number). Try returning just a number (without the quotes).
String[] is an array (mulitple strings), so you need to return an array as well. But I don't know how to do that in Lua right now
Click to expand...
Click to collapse
You are 100% right.
Returning a string array is not trivial. Look at 'generic_empty_string_array.lua' about how to do this.
Namnodorel said:
@mnjm9b You are returning a string (series of characters) as a long (number). Try returning just a number (without the quotes).
String[] is an array (mulitple strings), so you need to return an array as well. But I don't know how to do that in Lua right now
Click to expand...
Click to collapse
so in my example the returnType instead of "long" should be a number like 0 without quotes?
I tried that and it still doesn't work.
---------- Post added at 08:55 PM ---------- Previous post was at 08:54 PM ----------
M66B said:
You are 100% right.
Returning a string array is not trivial. Look at 'generic_empty_string_array.lua' about how to do this.
Click to expand...
Click to collapse
thanks for this, I guess I am in WAY over my head.
mnjm9b said:
so in my example the returnType instead of "long" should be a number like 0 without quotes?
I tried that and it still doesn't work.
Click to expand...
Click to collapse
No. the return type was correct. That specifies what type of object you are expected to return. What you need to change is what you then actually return, which is
Code:
param:setResult("unknown")
to
Code:
param:setResult(12345678)
@M66B
Thank you for your work, if i understand right, you provide us an programmable interface that will execute command lines written in Lua language without having to create a complete module in JAVA for XPosed?
From what i understood in your initial post, you indicate that we must install your module "XPrivacyLua", then that one disposes there after of the possibility to apply for the applications which one wishes, lines of codes written in Lua language and which do not necessarily have to relate to the logic of rights of access concerning privacy?
If yes then we must necessarily install XPrivacyLua even if in view of all your work provided on it the basic functions do not interest me forcibly?
All this seems to be promising however :good:
Rom said:
@M66B
Thank you for your work, if i understand right, you provide us an programmable interface that will execute command lines written in Lua language without having to create a complete module in JAVA for XPosed?
Click to expand...
Click to collapse
Yes.
Rom said:
From what i understood in your initial post, you indicate that we must install your module "XPrivacyLua", then that one disposes there after of the possibility to apply for the applications which one wishes, lines of codes written in Lua language and which do not necessarily have to relate to the logic of rights of access concerning privacy?
Click to expand...
Click to collapse
Yes.
Rom said:
If yes then we must necessarily install XPrivacyLua even if in view of all your work provided on it the basic functions do not interest me forcibly?
All this seems to be promising however :good:
Click to expand...
Click to collapse
You'll need XPrivacyLua to install and run defined Xposed hooks written in Lua, but you don't need to use the built in privacy related hooks.
The companion app allows you to switch to another collection of hooks you've written, in effect disabling the built-in privacy related hooks.
Try it and I will help you when needed and in the process I will update the documentation where needed.
If anyone wants to have direct and easy access to real time HR data of Mi Band, for example to create a custom notification, exporting it to a PC or any other reason, here's an easy way.
- install Notify & Fitness app
- in Tasker, create new profile, event, system, intent received, action "com.mc.miband.heartRateGot"
- add a task with whatever action you want. The last measured HR is stored in variable "%value"
Whenever band measures a HR, this intent gets activated and %value is updated. For real-time measurements start a workout.
There are more intents available, the full list can be found here http://www.mibandnotify.com/help/tasker_send_intent.php
do all the results of those intents stored in "%value" variable ? or it changes with the action ? If it changes, how can I know all the other variables ?
please help I am trying to find those variables...
madkiran said:
do all the results of those intents stored in "%value" variable ? or it changes with the action ? If it changes, how can I know all the other variables ?
please help I am trying to find those variables...
Click to expand...
Click to collapse
Per the documentation (link in the first post), the result of intent is always stored in "%value" variable.
_mysiak_ said:
Per the documentation (link in the first post), the result of intent is always stored in "%value" variable.
Click to expand...
Click to collapse
yeah. value is working for all intents.. but I couldn't find that in the documentation'