Since Android 2.2 (API level 8), the Android platform offers system-level device management capabilities through the Device Administration APIs.
The application can be configured such that it ensures a screen-lock password of sufficient strength is set up before displaying restricted content to the user. http://blog.csdn.net/sergeycao
Define and Declare Your Policy
First, you need to define the kinds of policy to support at the functional level. Policies may cover screen-lock password strength, expiration timeout, encryption, etc.
You must declare the selected policy set, which will be enforced by the application, in the res/xml/device_admin.xml file. The Android manifest should also reference the declared policy set.
Each declared policy corresponds to some number of related device policy methods in DevicePolicyManager (defining minimum password length and minimum number of uppercase characters are two examples). If an application attempts to invoke methods whose corresponding policy is not declared in the XML, this will result in a SecurityException at runtime. Other permissions, such as force-lock, are available if the application intends to manage other kinds of policy. As you'll see later, as part of the device administrator activation process, the list of declared policies will be presented to the user on a system screen.
The following snippet declares the limit password policy in res/xml/device_admin.xml:
    <device-admin xmlns:android="http://schemas.android.com/apk/res/android">
        <uses-policies>
            <limit-password />
        </uses-policies>
    </device-admin>
Policy declaration XML referenced in Android manifest:
    <receiver android:name=".Policy$PolicyAdmin"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
        <meta-data android:name="android.app.device_admin"
            android:resource="@xml/device_admin" />
        <intent-filter>
            <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
        </intent-filter>
    </receiver>
Create a Device Administration Receiver
Create a Device Administration broadcast receiver, which gets notified of events related to the policies you’ve declared to support. An application can selectively override callback methods.
In the sample application, Device Admin, when the device administrator is deactivated by the user, the configured policy is erased from the shared preference. You should consider implementing business logic that is relevant to your use case. For example, the application might take some actions to mitigate security risk by implementing some combination of deleting sensitive data on the device, disabling remote synchronization, alerting an administrator, etc.
For the broadcast receiver to work, be sure to register it in the Android manifest as illustrated in the above snippet.
    public static class PolicyAdmin extends DeviceAdminReceiver {
        @Override
        public void onDisabled(Context context, Intent intent) {
            // Called when the app is about to be deactivated as a device administrator.
            // Deletes previously stored password policy.
            super.onDisabled(context, intent);
            SharedPreferences prefs = context.getSharedPreferences(APP_PREF, Activity.MODE_PRIVATE);
            prefs.edit().clear().commit();
        }
    }
Activate the Device Administrator
Before enforcing any policies, the user needs to manually activate the application as a device administrator. The snippet below illustrates how to trigger the settings activity in which the user can activate your application. It is good practice to include explanatory text that tells users why the application is requesting to be a device administrator, by specifying the EXTRA_ADD_EXPLANATION extra in the intent.
    if (!mPolicy.isAdminActive()) {
        Intent activateDeviceAdminIntent =
            new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
        activateDeviceAdminIntent.putExtra(
            DevicePolicyManager.EXTRA_DEVICE_ADMIN,
            mPolicy.getPolicyAdmin());
        // It is good practice to include the optional explanation text to
        // explain to user why the application is requesting to be a device
        // administrator. The system will display this message on the activation
        // screen.
        activateDeviceAdminIntent.putExtra(
            DevicePolicyManager.EXTRA_ADD_EXPLANATION,
            getResources().getString(R.string.device_admin_activation_message));
        startActivityForResult(activateDeviceAdminIntent,
            REQ_ACTIVATE_DEVICE_ADMIN);
    }
If the user chooses "Activate," the application becomes a device administrator and can begin configuring and enforcing the policy.
The application also needs to be prepared to handle setback situations where the user abandons the activation process by hitting the Cancel button, the Back key, or the Home key. Therefore, onResume() in the Policy Set Up Activity needs to have logic to reevaluate the condition and present the Device Administrator Activation option to the user if needed.
Implement the Device Policy Controller
After the device administrator is activated successfully, the application then configures Device Policy Manager with the requested policy. Keep in mind that new policies are being added to Android with each release. It is appropriate to perform version checks in your application if using new policies while supporting older versions of the platform. For example, the Password Minimum Upper Case policy is only available with API level 11 (Honeycomb) and above. The following code demonstrates how you can check the version at runtime.
    DevicePolicyManager mDPM = (DevicePolicyManager)
        context.getSystemService(Context.DEVICE_POLICY_SERVICE);
    ComponentName mPolicyAdmin = new ComponentName(context, PolicyAdmin.class);
    ...
    mDPM.setPasswordQuality(mPolicyAdmin, PASSWORD_QUALITY_VALUES[mPasswordQuality]);
    mDPM.setPasswordMinimumLength(mPolicyAdmin, mPasswordLength);
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
        mDPM.setPasswordMinimumUpperCase(mPolicyAdmin, mPasswordMinUpperCase);
    }
At this point, the application is able to enforce the policy. While the application has no access to the actual screen-lock password used, through the Device Policy Manager API it can determine whether the existing password satisfies the required policy.
If it turns out that the existing screen-lock password is not sufficient, the device administration API does not automatically take corrective action. It is the application’s responsibility to explicitly launch the system password-change screen in the Settings app. For example:
    if (!mDPM.isActivePasswordSufficient()) {
        ...
        // Triggers password change screen in Settings.
        Intent intent =
            new Intent(DevicePolicyManager.ACTION_SET_NEW_PASSWORD);
        startActivity(intent);
    }
Normally, the user can select from one of the available lock mechanisms, such as None, Pattern, PIN (numeric), or Password (alphanumeric). When a password policy is configured, those password types that are weaker than those defined in the policy are disabled. For example, if the “Numeric” password quality is configured, the user can select only PIN (numeric) or Password (alphanumeric).
Once the device is properly secured by setting up a proper screen-lock password, the application allows access to the secured content.
    if (!mDPM.isAdminActive(..)) {
        // Activates device administrator.
        ...
    } else if (!mDPM.isActivePasswordSufficient()) {
        // Launches password set-up screen in Settings.
        ...
    } else {
        // Grants access to secure content.
        ...
        startActivity(new Intent(context, SecureActivity.class));
    }
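The onResume() re-evaluation and the three-way gate described above, combined in one set-up activity as an added example (not code from the original page). PolicySetupActivity, the request-code value and the button labels are assumptions; Policy.PolicyAdmin and SecureActivity are the names the page uses.

```java
import android.app.Activity;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;

// Added example: class name, request code and labels are assumed, not from the page.
public class PolicySetupActivity extends Activity implements View.OnClickListener {
    private static final int REQ_ACTIVATE_DEVICE_ADMIN = 10; // assumed value
    private DevicePolicyManager mDPM;
    private ComponentName mPolicyAdmin;
    private Button mAction;
    private Intent mNextStep; // system screen the button opens, chosen in onResume()

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        mDPM = (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE);
        mPolicyAdmin = new ComponentName(this, Policy.PolicyAdmin.class);
        mAction = new Button(this);
        mAction.setOnClickListener(this);
        setContentView(mAction);
    }

    @Override
    protected void onResume() {
        super.onResume();
        // Runs after Cancel, Back or Home as well as after a completed step, so the
        // decision always reflects the device's current state, not a cached flag.
        if (!mDPM.isAdminActive(mPolicyAdmin)) {
            mNextStep = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN)
                    .putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, mPolicyAdmin);
            mAction.setText("Activate device administrator");
        } else if (!mDPM.isActivePasswordSufficient()) {
            // Only reached while admin is active; otherwise this call would throw.
            mNextStep = new Intent(DevicePolicyManager.ACTION_SET_NEW_PASSWORD);
            mAction.setText("Set a compliant screen-lock password");
        } else {
            startActivity(new Intent(this, SecureActivity.class));
            finish(); // keep the set-up screen off the back stack
        }
    }

    @Override
    public void onClick(View v) {
        // The result code is not needed: onResume() re-checks the real state.
        startActivityForResult(mNextStep, REQ_ACTIVATE_DEVICE_ADMIN);
    }
}
```

Because the user can deactivate the device administrator later from Settings, SecureActivity should repeat the same two checks in its own onResume() before showing content.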