Using firewall rules to restrict app store access - app-store

I'm using OpenWRT and playing with IPtables rules on my router.
I was wondering if there is a way of allowing only certain apps to be downloaded through the Mac App Store or Google Play Store using firewall rules (different app downloads might be indistinguishable).
Does anyone know how the Stores work?

You cannot restrict app downloads using IPtables. The router would need to look into the data packets that are transmitted, and this is not possible using IPtables.
The only way you can restrict this is by either blocking app downloads completely by blocking access to the app store domains, or by ensuring that the devices have a policy installed that tells them which apps are allowed to be installed.

Related

Secure, local IoT Device Discovery using PWA without a remote server

I'm looking for a way to manage and control IoT devices without the (constant) need for a remote server to be part of it, and with a PWA instead of a native application on the managing device. The resulting goal is an IoT device that keeps working when a product eventually goes obsolete (no more server running/allocated) and having an application that has PWA benefits like always up-to-date, easy to replicate and cheaply hosted on something like S3.
As an example, let's say I have one or more IoT devices of different classes like an ESP8266 and a Raspberry Pi for instance. Just as with any new IoT device I want to add it to the network and from there on manage its state from an app. The app in this case is a PWA instead of full blown native app.
1) Traditionally, in the initial setup a native app would scan for wifi networks, connecting automatically to one that has the right name. Using PWAs we are limited to just the "state" of the network. So users would have to manually switch to the network of the newly connected IoT device. This is okay.
2) Next up, the user would need to enter his/her wifi credentials. There might be methods to set this up automatically using a native app, but I don't believe this is the case on a PWA. This, also, is okay.
3) The device then restarts and tries to connect to the network set up in (2). If set up correctly it should get its IP using DHCP. And now things get difficult. I want to 'discover' that network from my PWA. There used to be a way to retrieve the IP from a device using the WebRTC API, but that has since changed to show an obfuscated mDNS name that resolves to localhost. The IP leak would have allowed for a browser-based network scan, but that is no longer possible. I always hoped that Android would default to using a user's router as a DNS server, but that is not the case. The result is that simply using mDNS isn't an option either. I do not want users having to check their router, install an app like fing or do anything else that disrupts the flow from a UX perspective.
Step (3) needs to run every time the app starts so you'd want something reliable. Scanning for devices isn't possible using a PWA, so I need to find another method. I was thinking of something like the way Docker containers can find each other in between networks (see etcd for example), using a predefined key that is shared during installation. The problem with this, is that it requires a remote server to store the IPs attached to that key. I don't want that.
Ideas on how to solve this are very much appreciated! I want to be able to offer a solution that would work even when WAN is out. That being said, I am aware that a connection to a remote server is needed if the end user would want to enable any voice assistant or wants to control a device from WAN.

Is it possible to build a VPN without an actual server?

After searching online most places have stated that it is required to have a server to build a VPN, but I was wondering if it is possible to do it and have mobile devices connect to a dummy server? Without actually having something constantly running on a server.
I am currently developing an app that will make users connect to a VPN that blocks access to all sites.
Define "server". If you are worried about cost of hardware/power, bear in mind that a server is just a computer that hosts applications or data for clients to access and interact with. I currently have a Dell Latitude E6400 running as an ownCloud server in my basement. If you need something for testing you could simply utilize whatever old hardware you have lying around to set up the server side for your app to connect to, and turn it on whenever you are testing the app.

How does iTether work (html5 iphone api)

How does something like iTether work? Is there an HTML5 API that gives you this level of access to the device? I would assume giving a web-based app this much access is a huge security risk.
Tethering's HTML5 app works by using the iPhone as a proxy server,
so one sets up an ad-hoc Wi-Fi network and runs special desktop software
to direct HTTP traffic to the iPhone.
The HTML5 page loaded onto the iPhone pushes the traffic on and
returns the result, creating tethering without having to get approval
from Apple, or the network operator. ( Original Source )
I think they are using HTML WebSockets, which detect the presence of a proxy server and automatically set up a tunnel to pass through the proxy.

How to access remote connection requests from safari, facebook and other applications on iPhone

I recently noticed an application on the App Store named Onavo which accesses the Internet connection usage of other applications on the iPhone, like Safari, Facebook, YouTube, etc. Is there any API available for this? How have they implemented it? I'm curious to know about it.
I've found the answer on Quora, as follows:
http://www.quora.com/How-is-Onavo-able-to-direct-all-the-data-traffic-to-their-proxy-without-using-iOS-private-APIs
Roi Tiger, CTO of Onavo
Hi, I'm the CTO of Onavo, thank you for checking out our service. After installing Onavo you are prompted to install a configuration profile which allows the data to be redirected through Onavo's servers using proxy server settings.
Configuration profile installation does not require any private API access in the iOS platform.
Another answer:
http://www.quora.com/How-does-Onavo-manage-to-compress-data-traffic
They're not monitoring the apps’ data usage on the phone itself. It looks like Onavo sets up a proxy on the phone (probably via a configuration profile) so that your data traffic goes through their servers, so monitoring which sites that traffic is going through is trivial on their end. From their privacy policy (emphasis mine):
Onavo provides services for reducing data usage of certain mobile phones. To benefit from the Services, your access to the Internet through your mobile phone will be routed through Onavo's servers, which strive to reduce the volume of your downloads, and potentially your uploads as well.

How do I write a desktop application that syncs with the iPhone?

For example, how would I write a program like senuti? Are there any libraries I can use for this? It would be ideal if I could do this in Python or .Net, but I'm open to other things as well.
There are three things you can do:
1) Add some code to your iPhone application which acts as some kind of server (HTTP, SMB, etc). Then your Mac/Windows full client application can connect to this server over wifi. This is safe and reliable, but unfortunately the app will have to be running on the iPhone at the time of sync.
2) Sync to the "cloud". For example, have your iPhone app save some data to a web server on the internet (you could use Amazon EC2, Windows Azure, or even just a PHP script running on a cheap hosting account), and then have your Windows/Mac client also connect to this web server to retrieve the data. This is the most user-friendly, but it requires you to pay for the hosting of the web server, and will be unsuitable for large amounts of data.
3) Violate the EULA and try to reverse engineer the way iTunes communicates with the iPhone. This is how senuti works, but I wouldn't recommend it, as they're constantly having to play catch-up with Apple changing the format underneath them, and they are probably exposed to some kind of legal action, if Apple ever bothered to sue them.
I believe Version 3.0 will resolve this, as it allows you to program apps to the USB interface. Check out some of the documentation for that in the External Accessory framework.
It would still require the app to be open, so essentially it would mean two syncs (or more if you have multiple apps).
There is no legal / official way of doing this. Creating a program that would sync with an iPhone would violate the EULA you agree to when using the iPhone and iTunes.
Not only is it illegal, but it's also impossible to do this reliably. Apple could break the method at any time without any notice, and it would pretty much be a cat-and-mouse game.
I only know of one application that does something of the kind, and it is the iToner application, which synchronizes ringtones.