Download apk via captive portal

[aashishagrawall]

Hi we are making an apk file that will be downloaded via raspberry pi when someone connects to the wifi network .
For this we installed nodogsplash which opens the captive portal and we gave an a href link that references the apk file relatively

We assumed this would download the apk file just like it downloads the default image "splash.img"

Can this be done in some way ? Please guide us .

[bluewavenet]

Two points here:

1. The "web server" built into NDS is deliberately very restricted as it is intended only to serve the splash page for authentication.
2. An increasing number of mobile devices now use a cut down browser in their own captive portal detection function, that for security reasons specifically prohibit downloads including javascript.

Your initial problem is due to point 1.
If you get past this, point 2 may well be the next problem.

However to get round point 1 you can run another web server, lighttpd is one that I use.
Full details of how to set this up are included in FAS and will show you the principle.
https://nodogsplash.readthedocs.io/en/latest/authentication.html#nodogsplash-all-versions-forwarding-authentication-service-fas
https://github.com/nodogsplash/nodogsplash/tree/master/forward_authentication_service

[aashishagrawall]

Hi @bluewavenet thank you for your support.
I have implemented the FAS on NDS and I was able to configure it with lighttpd server.Everything is working fine but I am not able to find out a way to download files when the user the authenticated, when we accept the agreement.
I have just started with raspberry pi and I have no idea how to do it .Please help me

[bluewavenet]

@nomercy0
You will now be stuck at point 2 in my original reply.

An increasing number of mobile devices now use a cut down browser in their own captive portal detection function, that for security reasons specifically prohibit downloads ....

In the php code of your post authentication page in FAS, it is a simple matter to send the file to the client and many examples of code can be found with a quick search on Google.
However, there is no guarantee that the client CPD invoked "browser" will allow the download.

[aashishagrawall]

hi @bluewavenet CPD invoked browser is not allowing to download files, however normally opened browser is allowing to download files.Is there a way to switch browser from CPD opened browser to normal browser

[bluewavenet]

As this is a security feature on the mobile devices, I think there is no way to switch and if one was found a security patch would rapidly be rolled out.
What you could do is send the client an email with a link for the download. The msmtp package is good for this on openwrt as it integrates well with php sendmail.

[aashishagrawall]

It is being downloaded when I use https but security issue comes forward

> NOTE: USING HTTPS
Your FAS can be an https server, but self signed certificates will throw dire "Here Be Dragons" warnings on your client devices when the redirection to your FAS takes place. Also even if using a registered CA all browsers will still return a security error on returning to Nodogsplash. This can be prevented by using wget to return to Nodogsplash from your FAS script instead of an html GET.

How can it be prevented using wget I dont understand

[bluewavenet]

You can use wget (or curl) to signal from FAS to NDS and prevent certificate errors, but still need a proper (non-self signed) certificate on FAS.

[aashishagrawall]

hi @bluewavenet Sorry to disturb you again and again.I am new to networking ,I don't know which particular file I need to change to make this happen .Please suggest me

[bluewavenet]

If you are running FAS on your NDS then you do a php exec call to wget, passing the html "get" directly to NDS rather than via the client browser.
This would be done in fas.php, in function (acceptance), replacing the html get in that function.

[aashishagrawall]

hi @bluewavenet I have used wget in function acceptance with php exec function but still security issue occurs.This may be the case because (login) function comes before (acceptance)

$wgetg=$authaction."?" . "tok=" . $tok . "&redir=" . $landing . "?" . "userurl=" . $redir . "&tok=" .$tok ."&orgurl=" . $redir . "&clientip=" .$clientip ."&clientmac=" .$clientmac . "&username=" .$username ."&gatewayname=".$gatewayname ."&tokchk=true";
$command="wget"." ".$wgetg;
exec($command, $array, $return1);
if(!$return1){
echo "Done";
}else{
echo "fucke me";
}

[bluewavenet]

At which point are you getting the error?
Are you using certificates from a registered CA?

[aashishagrawall]

I have generated certificate using open ssl and I am not getting any error ,login page opens with security issue as previous ,I have changed the acceptance function as you said .In fas.php login function is called first but how changing acceptance function will solve the security issue I dont understand .Can you please share me wget code details with me or show me implementation by yourself ,it will be highly appreciated

[bluewavenet]

If you accept the certificate error does it all work?
Your code looks ok. The problem will be the openssl certificate as this is self generated and not from a registered CA so browsers will complain.
Try:
https://letsencrypt.org/

[bluewavenet]

To clarify what is happening:

1. NDS splash page redirects to your https fas login page. The browser gives a certificate error as the cert. was not issued by a registered CA. Fix this by using a cert from a registered CA.

2. If you fix this or accept the error and make an exception in the browser, when the FAS "get" returns to NDS in the normal way, the browser will now complain that the FAS page is linking to an insecure page. Fix this by using wget on your FAS server to signal acceptance to NDS, without the client browser having to link back to NDS its self.

[aashishagrawall]

Yes when I accept Certificate error it works fine.I looking forward to your given solution .Thanks

[bluewavenet]

Sorry, my solution is that you must use an ssl certificate from a registered CA, ie one the client browser will accept without making an exception.
You can get one for free at https://letsencrypt.org/ for example.

[aashishagrawall]

Trusted certificates don't work for local development because nobody uniquely owns it
Is there a way I can generate trusted certificate and get be verified by all client browsers when users connect to it. Example a device kept in restaurant ,customer who visits restaurant connect to local wifi and local server of it

[bluewavenet]

It is possible, for example, to generate a trusted certificate for the URL (letsencrypt does this), then have the internal web server respond, via your local DNS. It is problematic though as the live of the cert is only 90 days so needs regular renewal.
This would work better with an external web server, via FAS.

As I mentioned above, simplest of all, why not just send the clients an email with a link to the app?

I hope you don't mind me asking but why are you wanting android visitors to download an app anyway? As you can see the Android developers (and iOS devs) have gone out of their way to prevent this through a CP.

[aashishagrawall]

Each Assets of our android app is heavy around (6-8mb) so we want to fetch it locally through local server.So if assets are fetched locally why not apk file get downloaded automatically when client connects to wifi locally ,we don't want authentication system of captive portal if apk file can be downloaded automatically through local server (our use case is only to download file because providing link to google play and downloading file remotely and after downloading fetch assets locally does not make sense ,it is out of customer experience) .If you can guide how it can be achieved without sending link in email

[bluewavenet]

This is working against all the security measures built into android.
Every user will have to set their android to allow installs from unknown sources, download the file, find the file, then install. Apart from security issues, this is not the easy process needed for non technical users.

[aashishagrawall]

I am aware of issue when apk gets downloaded from unknown sources.
Can you please guide me ,how apk file can be downloaded when I connect to a wifi (local server )automatically or partially via captive portal or without it . If you can help me my hours of work will be saved
Your knowledge and experience on networking is far superior than me.
Again thanks for you support and kindness.

[bluewavenet]

This is a security issue and as far as I know, automatically downloading and installing an apk from a captive portal is blocked by Android and if it is not, it should be.

[aashishagrawall]

hi @bluewavenet ,
Can it be downloaded via clicking a link in captive portal locally not a playstore link

[bluewavenet]

Playstore does not come into it.
According to your previous tests you can make the cpd accept a download from a secure site - at least in the version of Android you tested with. You are really trying to open something that Google are striving to keep closed.
The only guaranteed way of informing the client is to send them an email by some means, eg from FAS. This means of course that you must ask them for their email address as part of the authentication you set up.

[aashishagrawall]

hi @bluewavenet
Ok Now I understand the security issue by downloading it locally.
Now I have implemented external FAS server but https is not working https://crispar.in/nodog/fas.php .This link opens in browser but don't work when I put it in splash.html however the normal http works fine .
The error given is (err connection refused) on captive portal browser.
Can you please check the link

Not needed I figured it out my self

[bluewavenet]

allow tcp port 443 to 206.189.132.16 ?
:-D

[aashishagrawall]

hi @bluewavenet
Is there a way to autoOpen captive portal when connected rather than clicking on sign in

[bluewavenet]

The CPD will automatically pop up the initial splash screen as you know.
Do you mean, can a FAS page just execute and not give a client any interaction? Then yes, it will do whatever you can program it to do in php, as after all it is executing on the remote FAS server.
Keep away from any Javascript or similar code intended for execution on the client device, as most CPDs will likely ignore it.

[aashishagrawall]

CPD is not automatically popping up ,first it shows sign in into network then after clicking that CPD comes out. I want to make this process automatic I mean that.

[bluewavenet]

CPD is designed to invoke as soon as a user of the device connects to the captive portal WiFi and only when the user connects. If the device is already connected the response depends on the vendor implementation on the device. Some will pop up the splash page after a time interval, others will give some sort of notification, such as "Sign in to the Network".
Users getting this type of notification can click the notification in some way to get the splash page, or turn off wifi, then turn on and reconnect the wifi to get the splash. User intervention is always required.
It is totally out of the control of any captive portal, by design and cannot be triggered remotely.