Planned

Implement Android Enterprise API (Device Owner)

There's a huge, Huge, HUGE untapped resource out there: Device Owner (NOT Device Admin). You can do all sorts of wild things that most experienced Android power users have no idea even exist and tend to try to root their device (unnecessarily) to accomplish. SecureTask accomplishes this goal, but with the developer having suddenly abandoned all of his apps and begun ignoring emails about acquisition of the source code (they're all free apps), we need a long-term replacement.

SecureTask is also very vulnerable to external apps because it performs no password verification when it receives the plugin fire intents, even if you enter a password in its configuration. Besides, it would be much more secure to have Tasker holding the Device Owner permission than a plugin, the only problem being that you CANNOT have ANY accounts set up on the device when provisioning Device Owner to Tasker, so Tasker's licensing checks would fail. But sometimes it can get even more complicated than that.

Here are some features of Device Owners (this is a very abbreviated list — taken from SecureTask's Play Store page):

1) Dump logs (Android 6+)

2) Block camera access

3) Wipe data

4) Read/Write secure settings (Android 6+)

5) Use fingerprint sensor (Android 6+)

6) Clear/Set pin/password

7) Read lock info

8) Wake screen

9) Read data usage stats (Android 6+)

10) Freeze apps (Android 7+ and device owner needed)

11) Kill apps (Android 7+ and device owner needed)

12) Block uninstall apps (Android 5+ and device owner needed)

13) Hide apps (Android 5+ and device owner needed)

14) Reboot (Android 7+ and device owner needed)

15) Change lock screen info (Android 7+ and device owner needed)

16) Remove and set Keyguard (Android 6+ and device owner needed)

17) Install/Uninstall apps silently (Android 6+ and device owner needed)

18) Change system language (Android 5+)

19) Enable/disable status bar (Android 6+ and device owner needed)

20) Enable/disable android backup (Android 8+ and device owner needed)

21) Send USSD phone requests (Android 8+)

22) Change apps permissions policy (Android 6+ and device owner needed)

23) Change system update policy (Android 8+ and device owner needed)

24) Change NFC status (Android 6+)

25) APN settings (Android 9+ and device owner needed)

26) Clear data and cache apps (Android 9+ and device owner needed)

27) Block mobile access for each app (Android 9+ and device owner needed)

28) Set time and timezone (Android 9+ and device owner needed)

29) Mute device (Android 5+ and device owner needed)

30) Change permissions other apps (Android 6+ and device owner needed)

31) Change private DNS settings (Android 10+ and device owner needed)

32) Get phone identifiers (Android 6+ and device owner needed)

33) Airplane mode action (Android 6+)

There are sooooo many more features available than just that though! Plus some new ones have been added to Android API since he initially wrote SecureTask.

These are Android-level APIs, NOT Play Store APIs, so they're not subject to Google's frequently changing opinions on things.

(Caveat to all of this: Device Owner breaks many vendor-specific features. In the case of Samsung, it cripples Knox, preventing Secure Folder, Cloud sync (although I found a workaround), and other features from being available at all.)

3 replies

AK

Is this feature now active?

I would like to make Tasker the Device owner to freeze apps (I know this can be done with ADB over wifi), but this seems a much better solution.

If not active, are there any plans?

Thanks.

I plan to add this, yes, sorry for the delay.

D

I would like this too. Thanks for looking into it. Cheers.

NB

You don't need to wait for João to implement this in Tasker. SecureTask already does this and it works.

Only caveat now with SecureTask (with a recent update) is that ***TASKER BACKUPS WHICH INCLUDE SECURETASK ACTIONS WILL NOT WORK*** (on the device it's restored to) until you go into the plug in configuration screen on every single one of those actions and save it. This is for security purposes.

Unfortunately, there's no way to tell if a SecureTask action has been refreshed either. I get where the dev was going on this, but basically: Good Idea, Bad Implementation.

Tasker does need a better, more secure way of interfacing with third-party plug-ins though.

B

I have been using phones for years, but I haven't had to know about settings, permissions or other important issues. So I am not as educated on a lot of features that can be used for many issues. Please help me with terms and technology.

I actually planned for it a while back, but then never really made it public. :)

The issue you mention with the account shouldn't be a problem because after installing Tasker as the device owner you can then simply sign in normally and it should work with the license, unless I'm missing something... Right?

NB

Apologies, I didn't mean "licensing," but just that in order to install Tasker* you have to have access to the Play Store, which requires a Google account. To provision Device Owner you can't have any accounts added to the device, so the order of operations would be (assuming device hasn't been set up):

1) Configure Google account;

2) Install Tasker from Play Store;

3) Remove Google account;

4) Issue dpm command to provision Tasker as Device Owner;

5) Re-add Google account (optional -- if so desired -- but likely).

Normally this really just means that it's an inconvenience, but there are apparently some devices and/or setups where this process is going to create the problem described at the bottom of that Baldapps page. It suggests that some users can't provision Device Owner to an app (the dpm command) after device setup + Google account (addition + removal).

This is likely because, once you don't provision a Device Owner application manually, and then add a Google account, the system grants Google (regardless of if it's a Samsung phone or otherwise) the permission, allowing the system to perform Google-sponsored, "Android Backups." And on those broken systems, removing the Google account doesn't seem to revoke the Device Owner provisioning, causing the dpm command to fail until the factory reset method is attempted.

I have had this issue myself on my S10 on the factory version of Android that came with it (9 I believe?), so I can honestly say it's not from user-error. That being said, I don't think that scenario happens much on newer phones. I believe it was a defect in an older version of Android and/or certain phones. But it's something to be aware of.

* Obviously doesn't apply to the Direct Purchase License version of Tasker. It also doesn't really apply, either, if the user installs the trial version of Tasker and later re-adds a Google Account. (I think?)
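A preflight for the dpm step in the procedure above, as an added example that is not part of the original comment and not Tasker or SecureTask code. It checks the two conditions the comment describes (accounts still present, or something else already holding Device Owner) before calling `dpm set-device-owner`. The `dumpsys` output formats and the sample dumps are assumptions constructed for illustration, and the component name is a placeholder supplied by the user.

```shell
#!/bin/sh
# Added example: preflight for `dpm set-device-owner`.
# Assumed output formats: `dumpsys account` prints "Accounts: N" per user;
# `dumpsys device_policy` prints a "Device Owner:" header only when one is set.

# Constructed samples so the functions can be exercised offline.
SAMPLE_ACCOUNTS='User UserInfo{0:Owner:c13}:
  Accounts: 1
    Account {name=user@example.com, type=com.google}'
SAMPLE_NO_ACCOUNTS='User UserInfo{0:Owner:c13}:
  Accounts: 0'
SAMPLE_OWNER='Current Device Policy Manager state:
  Device Owner:
    admin=ComponentInfo{com.example.other/com.example.other.Receiver}'
SAMPLE_NO_OWNER='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):'

count_accounts() {   # stdin: dumpsys account output; prints total accounts
    awk '$1 == "Accounts:" { n += $2 } END { print n + 0 }'
}

has_device_owner() { # stdin: dumpsys device_policy output
    grep -q '^[[:space:]]*Device Owner:'
}

preflight() {        # $1: account dump, $2: device_policy dump
    if printf '%s\n' "$2" | has_device_owner; then
        echo "blocked: a device owner is already set"; return 1
    fi
    n=$(printf '%s\n' "$1" | count_accounts)
    if [ "$n" -gt 0 ]; then
        echo "blocked: $n account(s) still on the device"; return 1
    fi
    echo "ok: no accounts and no device owner"
}

# Live use: sh preflight.sh --device <package>/<receiver>  (component is a placeholder)
if [ "${1:-}" = "--device" ] && [ -n "${2:-}" ]; then
    preflight "$(adb shell dumpsys account)" "$(adb shell dumpsys device_policy)" \
        && adb shell dpm set-device-owner "$2"
fi
```
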

I think the better way to do it would probably be to sideload the Google Play version of the Tasker APK before adding any account and only then would you add the account. Right?

NB

Yes. That was the last half of my asterisk (*) fine print from my last comment. Since it has both a 7-day grace period and will attempt to license the app once the Google account is added, you should be good.

Another thing to consider to make things a LOT easier on the users is to set up a QR code with details of the hosted APK file on tasker.joaoapps.com and Device Owner receiver/class so that users can go through the Android setup normally without having to skip everything to be able to even start to sideload the APK. More info here: Android Enterprise QR Code Generator | Technical Documentation (datalogic.github.io). (Note: when using the generator, uncheck the encrypted QR code option.) Or more authoritatively: Provision devices | Google Play EMM API | Google Developers

That will sideload the APK file automatically, without USB Debugging on. Yes, it's a bit of an unknown feature, particularly if you wanted to RAT-trojan a phone, remove FRP (this might not work though), or sideload any arbitrary APK without even enabling Install from Unknown Sources or USB Debugging.