Excel Logix

Reputation: 99

How to secure my app if the mobile device is stolen/lost

I am making a secure application which should not run if the mobile device is stolen/lost, or the SIM card is changed. If I programmatically uninstall my app, it prompts the user whether she wants to uninstall it or not. I want this thing in a hidden way.

One more thing is to keep a file in the assets/raw folder, and when the SIM card is changed I must remove that file and my app will not run without that file. But deleting the files from both folders is not possible at run time.

All suggestions highly appreciated!

I know about password protection, cryptography, ProGuard, DexGuard, keep minimum functionality on phone. Guys, I need a way to remove the app! Please help on that point.

Thanks in advance!

Upvotes: 2

Views: 331

Answers (4)

Ron Munitz

Reputation: 171

Answering some other interesting comments I was pinged about: A couple of things:

  1. I am that guy who gave the lightning talk at AnDevCon that Stephan Branczyk mentioned, but I'm not a heavy Stack Overflow user so I do not have the privilege to reply. 50 upvotes for this comment and I may be able to answer inline :)
  2. I will however give my insights on this, so if you are "paranoid" about security and want to read more about it from the founder of a "paranoid security vendor" - you can continue reading it.
  3. Otherwise goto 7.
  4. It is very important to understand that there is no catch-all solution - so do not be naive about it. All Android security best practices are great - but up to some point, as your Operating System (ROM, MOD,...) can, and will be compromised. I do not want anyone to panic - but there is NO perfect solution.
  5. Stephan is right about Nubo's security design concept - if you violate the terms - you are out of the game. If you're out of network, or doing something suspicious - well - the device is not in control, no matter what. We aim towards satisfying both the user in their personal space, and the IT managers in the remote Android space. It is very important for me to clarify that it is NOT a remote desktop. It's not even close to it - we have developed a display protocol for Android from scratch - intended for the mobile environment. This is nothing like Remote Desktop/X11/VNC/... for "PC".
  6. Should you need a "perfect" solution, you need to have a "trusted" device, which involves hard-core hardware support + secure bootloader + block verification chains etc. You can learn from the ChromeOS project if you are interested but I assume you are not willing to take it that far.
  7. Answering the original answer: It depends on what phone. If you want to use the PackageManager - you need your app to have a System certificate, which means that unless you bundle it with your own device, or do other tricky stuff I will not get into in this post - you can't. What you can do is to use the BIND_DEVICE_ADMIN permission in your manifest, and essentially register your app as an administrator (Something like MDM, etc.). Then, with some more trickery stuff you can handle your problem on the nominal case. You could bundle another app with that capability, and just invoke it from your app if you want to be on the very safe side.

*This post is already way too long and referring to too many questions so if you have further questions please go ahead and ask. I will try to reply before 2014...

Upvotes: 1

Stephan Branczyk

Reputation: 9375

One more secure solution is to run your app on some Android x86 servers and to pipe in only the user interface to the phone.

http://www.nubosoftware.com/images/howItWorks.png

Disclaimer: I've never used those guys, so I don't know how good they are. I just saw their lightning talk presentation at the most recent AnDevCon in San Francisco, and I just thought it was a clever idea.

One added advantage that this solution provides is that your employee's personal content doesn't get mixed in with your company's content. In hindsight, it's an old solution that has worked quite well for PCs and remote workers.

Upvotes: 3

EJK

Reputation: 12524

I'm not sure if this is exactly what you are asking for, but it may address your concerns. In general, the big concern with a stolen phone would be data. If you are concerned about someone else running your application, it seems that authentication should address that. A secondary concern is that someone could de-compile your code to learn details that could lead to exploitation. So here are 2 suggestions that address these concerns.

  1. Use ProGuard to obfuscate your code. That way if the device is rooted and the APK is obtained, it cannot be de-compiled (at least not into easily understandable code). Reference.
  2. If you store any data in a database on the device, be sure to encrypt it. SQLCipher is a free library that will allow you to do so. Reference.

Upvotes: 1

step 1 : write a process to run in background

step 2 : make the process be active when cell starts

step 3 : check for internet connection or balance

step 4 : if internet available mail yourself phone specific details like IMEI, MAC, IP, whatever you think is important,

step 5 : locating GPS location would be very helpful

step 7 : receive these mails from the mail id registered in your app

Upvotes: 0
