Can anyone confirm that the documents directory file storage method with Flutter is secure or whether the AppData directory is where/how Android stores its Internal Storage files?
I'm looking at storing some persistent local data on the device but I want to make sure the data I write is not plain text or accessible by anyone/anything else. If this was a regular Android application, I'd be using Android's Internal Storage which says data stored is "private to your application and other applications cannot access them (nor can the user). When the user uninstalls your application, these files are removed."
Flutter has its own platform-agnostic way to read and write files and its documentation says saving things to its documents directory stores files "only it can access. The system clears the directory only when the app is deleted. On iOS, this corresponds to NSDocumentsDirectory. On Android, this is the AppData directory."
It looks like these are talking about the same thing and would therefore meet my security criteria, but these are things I'm not very familiar with and I don't want to take a risk with my users' data. I tried googling to find out what gets saved in the "AppData" directory on Android but mostly found people talking about their Android Studio installations.
Yes, NSDocumentDirectory on iOS and AppData on Android are secure locations.
This line from the example gives you the correct path for storing files which can only be accessed by your app:
String dir = (await PathProvider.getApplicationDocumentsDirectory()).path;
On Android dir resolves/data/data/com.yourcompany.AppName/. On iOS devices the folder is /var/mobile/Containers/Data/APP_ID/Documents.
Check the Android Security Tips , the section on Internal Storage:
By default, files that you create on internal storage are accessible
only to your app. Android implements this protection, and it's
sufficient for most applications.
The exception here is that when your app runs on a rooted Android device, the app data folder is not secure any more, see https://stackoverflow.com/a/8184699.
Related
I need to download files on my mobile device and make them accessible for other apps (using Android and iOS).
I managed to download a file to the SD card (cordova.file.externalDataDirectory), but this only exists on Android and even then I cannot rely on every device having an SD card.
When I download to the device storage (cordova.file.dataDirectory), the file is private to my app and therefore not accessible for other apps. The file can be opened in the InAppBrowser, but I would prefer to use the respective default app.
Is there a way to get a path to a directory publicly available on all devices?
The paths returned by the solution suggested in https://stackoverflow.com/a/21375812/3432305 are both private on Android...
EDIT:
I think I should describe my use case so it's clearer what I'm trying to achieve: I want to open files from my in app chat using the respective default app (pdf viewer, image viewer etc.). Because the Cordova File Opener plugin only accepts files from the local file system, I need to save them first. But they don't necessarily need to be accessible from outside my app afterwards...
On Android, external storage directories always exist; if the device doesn't have a physical SD card, Android will emulate it. see getExternalStorageDirectory :
Note: don't be confused by the word "external" here. This directory
can better be thought as media/shared storage. It is a filesystem that
can hold a relatively large amount of data and that is shared across
all applications (does not enforce permissions). Traditionally this is
an SD card, but it may also be implemented as built-in storage in a
device that is distinct from the protected internal storage and can be
mounted as a filesystem on a computer.
Therefore cordova.file.externalDataDirectory will always resolve. However, for sharing data between apps, you probably want to use cordova.file.externalRootDirectory - External storage (SD card) root. See cordova-plugin-file.
This way you can store files in a place that's easier to access from another app e.g. /sdcard/my_shared_data/
On iOS, it's more difficult to share files because apps are intentionally isolated from each other due to security policy, as Apple's Inter-App Communication Guide says:
Apps communicate only indirectly with other apps on a device
You best bet on iOS is to share the data by synching it via iCloud. See the section Configuring a Common Ubiquity Container for Multiple Apps in iCloud Design Guide, which says:
... perhaps you provide two apps that interoperate and need
access to each other’s files. In both of these examples, you obtain
the needed access by specifying a common ubiquity container and then
requesting access to it from each app.
My application generates some .csv files while running and these files are placed inside Android File system. These files are accessible outside the application also(as i can open these files in text editor and modify...)
Now I want that only my application should be able to read/write into these files.
Please help me in achieving this.
Thanks a lot.
These files are accessible outside the application also(as i can open these files in text editor and modify...)
Presumably that means you are placing them on external storage.
Now I want that only my application should be able to read/write into these files
Place the files on internal storage. This will prevent ordinary Android users from accessing the files except via your app.
Owners of rooted devices can get at those files, and if you are concerned about that scenario, then do not create any files at all, as owners of rooted devices can get to anything.
Also see article here: http://developer.android.com/training/basics/data-storage/files.html
It informs about internal vs external storage as well as making data public vs private for your app.
How to find junk files in android. I don't want someone to code for me.
I just want to know how could i know whether a file is junk or not.
Or what are the criteria for checking a junk files. Or where must be
junk files stored .As in windows some files are stored in TEMPDATA and some data is stored in APPDATA. Where does android store these files.
And when can i delete these files. These can be shared by some
app.How could i know whether to delete it or not.
As this app does.
Due to the security mode in each Android app runs in its own sandbox. Temporary or junk files created by the app are stored in the apps own data folder located at:
storage/data/data/apppackagename
There may be any kind of file stored in this location including databases and preferences for the app.
This system allows android to remove the files easily when the app is uninstalled, or when the user goes to android settings for the app and selects clear data.
On non-rooted devices no other apps will have access to this folder.
It is possible for an app to write a file to the to external storage on the device. These files will persist after the app has been uninstalled, but you will have no way of knowing where the file has come from and if it is still needed.
I want to password protect my local phone directory folder
This folder (directory) has been created by my application at run time with password protection.
My application can open this folder and used for self.
Any one can't open this folder manually. It is possible in android.
Thanks in advance.
This is not possible on Android.
You could create your folder on the internal memory, so that only your app can access it on normal devices. However, anyone with a rooted device will be able to browse your folder using a file manager, and other apps will also be able to read its contents if given root access.
A folder on the external storage is accessible to all apps with the READ_EXTERNAL_STORAGE permission, so you'll want to avoid using that.
At any rate, there is no 100% effective way to secure your folder such that only your app can access it.
However, you could try encrypting your data. This is what many apps like whatsapp do. Even when Whatsapp backs up the chats to the external storage, it is AES encrypted so that while others can access the data, they can't read it without decrypting it first. I would recommend that your try encryption
I have a project consisting of four programs for different platforms; all of them use the same XML-based settings file format. I want to be able to manually modify/overwrite it outside of the application. On Windows, Windows Mobile and Linux I'm using "user.home", but on Android that alias isn't implemented. I'm thinking about simply putting it in the Downloads directory, however, that doesn't feel right.
I can't be the only one, who needs that kind of functionality. Or this isn't Android-way? Any suggestions are appreciated.
EDIT: I'm OK with the settings file not being available all the time (i.e. SD-card removed), it's used only on the start-up of the application.
Store it in getExternalFilesDir(). This would work only if the device has an external storage. The user would be able to access it.
However, take note of the following from the docs:
External files are not always available: they will disappear if the
user mounts the external storage on a computer or removes it. See the
APIs on Environment for information in the storage state.
According to Android data storage documentation you have 5 options:
Shared Preferences. By default this will use file /data/data/your.package.name/preferences/user_preferences.xml
Internal Storage. Here you can use something like /data/data/you.package.name/user.home
External Storage. Similar to internal storage /mnt/sdcard/Android/data/your.package.name/user.home, but if user removes memory card file will be inaccessible.
SQLiteDatabase. You can store the whole user.home file in a database blob.
NetworkConnection. Store user's config in a cloud.