4

A popular car insurance company in the US has an app that displays "digital car insurance" papers. In the commercials, these apps are opened, and the user gives the unlocked phone to police officers. It's not unreasonable to imagine what could happen in these situations when someone has unrestricted access to a phone.

Ideally if an app similar to this was in widespread use, I would want it to prevent switching to another app (email, contacts, SMS, etc) until a password was entered.

Other scenarios where this is useful is ID Cards, modal versions of popular apps (games), a parent who wants to control what apps their kid uses, demo phones at a trade show, etc.

Question

  • Can any mobile phone (iOS, Android, or Windows) support an app taking "full screen" control and not exiting until a password is entered?

  • If such a solution is possible, is it secure? (Is the local data still encrypted?)

(I assume that Android and Blackberry 10 are the same since they can both run similar apps)

makerofthings7
  • 50,090
  • 54
  • 250
  • 536

4 Answers4

7

I know there is a great example and discussion on this for Samsung devices and Android, so you might want to start there and see if it takes you to where you want to go with everything else.

http://developer.samsung.com/android/technical-docs/Neat-tricks-when-implementing-a-kiosk-app

Removing the title bar and status bar ... you may want to ... remove the app title bar and the system status bar, which will make an app full-screen. Please note that some devices (like the Galaxy Nexus or Galaxy Tab tablets) have another bar with buttons which are represented by hardware buttons in other devices. That bar cannot be covered by any app. In order to remove those bars, use the code below before calling the setContentView method in your Activity. It will request the extended feature (to remove the title bar) and set the proper flag to the window (to cover the status bar).

requestWindowFeature(Window.FEATURE_NO_TITLE);
getWindow().addFlags(WindowManager.LayoutParams.FLAG_FULLSCREEN);

Prevent exiting the app via the back button Since the kiosk app shouldn’t be closed, you can handle pushing the back button and assign another action to it. For instance, you may want to go to the homepage when user tries to exit the app. To do so, override one of the Activity methods, which is called every time the back button is pressed. [or set this to null or refresh to keep it on the same display]

@Override
        public void onBackPressed() {
        mWebView.loadUrl(mHomepageUrl);
    }

Disable the home button In general, disabling the home button is not a good practice, but it can be very useful when developing a kiosk app. Since Android 4.0 there is no effective method to do so, so you may need to use another solution, e.g. setting your app as a home screen, which is described further. However, for older OS versions you may switch the window type to keyguard, which will prevent from handling home button pressing.

@Override
        public void onAttachedToWindow() {
        getWindow().setType(WindowManager.LayoutParams.TYPE_KEYGUARD);
        super.onAttachedToWindow();
    }

Set an app to cover the lock screen If you want your app to be visible all the time, setting it to be on top of the lock screen may be useful. This is quite simple to achieve, you only need to set few additional flags for your Activity window.

getWindow().addFlags(WindowManager.LayoutParams.FLAG_DISMISS_KEYGUARD);
getWindow().addFlags(WindowManager.LayoutParams.FLAG_SHOW_WHEN_LOCKED);

(snippets of the most useful elements of the document relating to a kiosk app)

GµårÐïåñ
  • 231
  • 1
  • 3
  • 9
  • While this link may answer the question, it's better to add more details to your answer here. For example, you could try to summarize some of the points and mention some key points. – Adi Sep 02 '13 at 09:31
  • It was a pretty detailed example, I didn't want to end up mangling it too much or end up repeating too much of it. I am not sure what the standards are about that. I tried what you suggested on the BIOLOGY.SE and I got smacked down so hard, I ended up just deleting my profile :) But I'll give it a shot. – GµårÐïåñ Sep 02 '13 at 18:23
  • @GµårÐïåñ Common practice on SE sites is to quote and summarize the content of sites you link to. See [how to answer](http://security.stackexchange.com/help/how-to-answer). – tylerl Sep 02 '13 at 19:12
  • @tylerl I know and that's what I thought too but there seems to be a HUGE discrepancy in how its enforced by the mods. – GµårÐïåñ Sep 02 '13 at 19:33
5

This solution is easily handled in iOS, if you use Apple Configurator, which allows for a device to be deployed in what they call "supervised" mode. In this mode you can set a single application for the device to use.

In this case the device will auto-load that application on boot and will not allow a user to exit through any normal means.

It's designed, I believe, for retail and education where the iPad is really only intended as an appliance which runs a single app.

Apple configurator does have some scaling issues (requires USB attachment to a Mac to configure) but it can be used in conjunction with MDM software (e.g. Airwatch) to address some of those problems.

In terms of Android, I've not seen any widely supported functionality to do a similar task, although there may be programmatic options as @gardian points out. What you could do if you have an MDM solution is lock the device down to a couple of applications only. One thing to watch for in this arena is that Android MDM can be specific to manufacturers and specific handsets. The basic Android MDM API is pretty basic, but Samsung for example have their SAFE programme which adds a load of additional lockdown options.

Rory McCune
  • 60,923
  • 14
  • 136
  • 217
  • If I understood correctly, he wants to be able to use the phone as usual, but if he opens "app a" then there should be no way of getting out of it without the password. What you describe for iOS seems to be far harder/slower to activate/deactivate. – Flo Sep 03 '13 at 06:16
1

On iOS you can achieve it using Guided Access:

Settings -> General -> Accessibility -> Guided Access -> On,

Launch the app you want iPhone/iPad to be locked in, triple click Home button and follow instructions on screen.

Mindaugas
  • 111
  • 1
0

Although using Guided Access and Apple Configurator are both valid solutions, removing the status bar is simple on iOS. Use this method call in your app's initialization to hide it.

Objective-C:

[[UIApplication sharedApplication] setStatusBarHidden:YES
                                   withAnimation:UIStatusBarAnimationSlide];

Swift:

UIApplication.sharedApplication().setStatusBarHidden(true, withAnimation: UIStatusBarAnimation.None)
DDPWNAGE
  • 195
  • 7