Segue worked with the client to develop native iOS and Android web browser applications to securely administer web-based tests, while also enabling the tablets to be used for daily classroom activities. Given the need to progressively identify and mitigate potential test taking exploits as they were identified, Segue used an iterative Agile approach that allowed us to collaborate with the client, developing the highest value and highest risk features first, and discovering and mitigating additional needs along the way. Within two weeks, Segue deployed the initial version of the mobile iOS and Android web browser applications to the client’s environment for live testing with their web-based tests and provided frequent updates thereafter for additional testing and review.
Existing mobile web browsers do not support robust customization or security and a solution designed for them would not meet the following requirements:
- Prevent students from using navigation controls other than those provided within the test
- Prevent students from exiting the test and switching to another application
- Prevent students from copying and pasting text
- Prevent students from taking screenshots, using audio or video, or connecting to external accessories
Therefore, to meet these requirements, Segue created native iOS and Android web browser applications comprised of a single web view and introduced features on the app level and within the browser view to meet these critical security requirements. The solution was comprised of the following components:
Curriculum test administrators wanted the ability to direct the web browser toward specific test URLs and wanted to ensure that students could not change them, so we created a settings bundle in the built in iOS settings application. This allowed the test administrator to disable Guided Access, change the test URL via the settings app, then restart the secure browser and enable guided access to make sure they could not be changed.
One of our greatest difficulties was disabling copy and paste because it is a feature that exists on the operating system level in iOS. Since almost everything in the secure browser happens within a web view, it inherits the default copy/paste functionality. To override this we needed to subclass the web view so we could modify the default menu controller to specify our own options for when the user presses and holds their finger on a text item.
Android Web Browser Application: As an open source platform, Android respects the user’s desire for customization, while protecting them from malicious activity. Applications are not permitted to do certain things that might be construed as harmful to the user – for example to override the home button or programmatically enforce the use of a particular input method such as a particular software keyboard. You wouldn’t want an app that prevented you from running other apps or a keyboard that forced itself on you so that it could send your keystrokes home to a 3rd party. However, the open source nature of Android created a few more security challenges then iOS, so we had some additional challenges to overcome.
To determine if the user left the web browser application, we relied on Android’s lifecycle methods – onPause and onResume, to determine if the user left the application. This necessitated controlling changes on device rotation, so that turning the device around would not be construed as leaving the application. We also used Android’s WakeLock’s to keep the device active during the test – primarily to keep the screen on and network active, but as a handy side effect preventing a suspend/resume cycle, which could look like leaving the app.
Locking down copy and paste was probably the most challenging. We could clear the clipboard on coming in and going out of the application, but how to clear it within the application? Android’s WebView component uses a Contextual Action Bar (CAB), and access to it is not available via the API. We had no way of removing the copy and paste functionality from the CAB. Fortunately the Java Reflection API came to the rescue, allowing us access to the otherwise hidden code to remove the copy and paste buttons. This allowed for text selection to work normally. This kind of workaround is not for the faint of heart – by nature it’s very brittle. There could be manufacturer changes to what appears on the CAB, the order of items, etc. Additionally there are some major changes underway in the Android 4.x releases to the WebView component. We could only work around those versions that we had access to – it will definitely require testing and maintenance.
For the Input Method problem, we implemented our own keyboard based on the Android 4.0 keyboard, but with things like spelling correction, etc. removed. Ultimately this was not something we could completely lock down, since they also wanted to support hardware keyboards.
At the end of the day, someone requiring or desiring this strict control may be better off rolling their own Android device with a customized version of Android that locks many of these things down at the platform level, or working with Google to extend the operating system to provide additional controls. Restricted profiles, new in Android 4.3, are a good first step, but still won’t provide everything.
While the secure mobile testing application project was challenging, the team ultimately overcame all the highest priority technical and security challenges, delivering high qualify apps over the course of two months, and collaborating with the client along the way to react to changes. Our team enjoyed the opportunity to solve challenging technical problems, which provided an opportunity to learn new technical skills and apply creative architecture and development approaches. We’re looking forward to our next challenge!