Sunday, September 28, 2014

security - When you lock down a Lollipop device to disable Chrome's incognito mode, this creates an XML "restrictions file". What actual XML is inside the file?


Note: If this post is too long to read, please see the summary in the last paragraph.


I own an aging Samsung Galaxy S Relay cellphone. It's running Android 4.1.2 and has a built-in physical keyboard. I don't want to upgrade to newer hardware. They say in the XDA Developers forums that, if I want a built-in physical keyboard, the Galaxy S Relay is still the most powerful option available — even though it uses technology which is more than two years old.


I want to help prevent myself from viewing pornography. (I've already joined a twelve-step program for sex addicts, but I still want a second layer of protection.)


I've installed the Qustodio web filter. This web filter only lets me choose between two web browsers: the Android stock browser, or Google Chrome. But it's easy to get around Qustodio. Oddly enough, all I have to do is to enter my browser's incognito mode. Qustodio claims that, when I enter incognito mode, it can detect what I've done and stop me from surfing the web; but, in practice, I've found that it can't.


In a help center article, Qustodio LLC does admit:



Please note that our incognito blocking feature is still experimental.




Fine. Well, I want to reliably stop myself from entering my browser's incognito mode.


I suppose I could switch to a different browser. I could choose the K9 browser. But their (Firefox-based) browser is poorly rated and hasn't received any security updates in the last two years.


Google Chrome for Android is now open source. I suppose I could modify the Chrome source code to disable incognito browsing. But it would be a hassle to keep the browser up to date.


So I guess I'd like to set the relevant Chrome policy instead. I'd need to set the IncognitoModeAvailability policy to 1 in order to disable incognito browsing.


On recent versions of Android (and definitely on Android 5.0 "Lollipop" and newer), you can use an app such as Google's BasicManagedProfile sample app. This will call the DevicePolicyManager's setApplicationRestrictions method (see documentation or source). This method will eventually call the UserManagerService's writeApplicationRestrictionsLocked method (see source). The latter method will, in turn, write some XML to a "restrictions file" in a place where Google Chrome knows to look.


Because I'm running Android 4.1.2: I doubt that I can run the sample app. And I'm sure I can't call either of the two methods.


I suppose I could upgrade the phone to a newer OS. T-Mobile doesn't offer any updates newer than Android 4.1.2. On the XDA Developers forums, "Magamo" points out that CyanogenMod seems to have withdrawn official support for the device a while ago -- even before any stable Lollipop-based ROMs were released. I could choose and find some other ROM. But I've never installed a third-party ROM before, and would rather not learn how to do so.


Dear users of Android 5.0 or higher:


What actual XML does this "restrictions file" contain? Where does it get saved?



(I suppose I could fire up Lollipop in the official emulator and find out for myself, but it's simpler to just ask here.)


Perhaps I can simply create a "restrictions file" in the correct location on my Android 4.1.2 device.


TL;DR: When you reconfigure a Lollipop device in order to disable Chrome's incognito mode, your action will cause an XML "restrictions file" to be saved to disk. What actual XML is inside the file? Where is the file stored? I want to try manually creating a "restrictions file" on a Jelly Bean device in order to see if it will do what I want.



Answer



The XML file alone will not help you. Chrome doesn't read the contents of that file directly. Instead, it accesses it via Android's UserManager.getApplicationRestrictions. In order for this to work, you actually need to set up a "work profile" on your device. In order to do that, you actually need to run the BasicManagedProfile app you have mentioned; this also requires encrypting the device.


Android 4.1.2 is kind of old. From searching at http://www.androidxref.com/, it looks like it lacks UserManager.getApplicationRestrictions. Luckily, there's another way to disable incognito browsing in Chrome. Try that way instead.


No comments:

Post a Comment

samsung galaxy s 2 - Cannot restore Kies backup after firmware upgrade

I backed up my Samsung Galaxy S2 on Kies before updating to Ice Cream Sandwich. After the upgrade I tried to restore, but the restore fails ...