I've faced one problem. I want to store a certain folder with media data here /data/data/com.package.name using Context.getExternalFilesDirs. But i want to hide the data from users. But everyone can get this files from /data/data/com.package.name folder. Even if the files are hidden, still people with rooted devices can access this data. So i need some way to encrypt or zip the folder to protect it. How can i protect the folder?
Can i use Zip with password? Is it safe?
I think it's not good practice to encrypt all binary files and decrypt them because it will take a lot of time.
There is no way to prevent user from accessing these files. If user wants them he or she can extract password from your app and decrypt zip archive.
When passwords are on your server then files can't be decrypted, but when your app downloads password to decrypt data then user can sniff that password.
If you want to store data that no one should ever access (e.g. passwords) I'm afraid that you should read about Security Through Obscurity
Basically when your application can decrypt data, advanced user can do it too.
For normal users (with non-rooted phone) storing files in /data/data/ are not accessible. But with rooted phone there is no way to stop users from getting what they want.
I found the solution. Very nice java library http://www.lingala.net/zip4j/
does the work: here is an example
public void unzipFile(){
String path= Environment.getExternalStorageDirectory().getAbsolutePath();
String source = path+"/Download/circus.zip";
String destination = path+"/Download/";
String password = "1234567";
try {
ZipFile zipFile = new ZipFile(source);
if (zipFile.isEncrypted()) {
zipFile.setPassword(password);
}
zipFile.extractAll(destination);
} catch (ZipException e) {
e.printStackTrace();
}
}
Related
I am currently creating a mobile android app in Android Studio for my church.
My app is basically a Bible which verses are linked to mp3 audio explanations from my preacher; however, I don't know whether I should save these mp3 files stored locally in the phone of the user or store them in a database.
I have been reading some things about databases and found out that SQLite is good, but stores the database locally, which is not what I want.
How can I solve this problem?
Every verse in the Bible is linked to a specific mp3 audio sermon/explanation from my preacher.
Relational Databases aren't necessarily meant to store actual files. Sure, you could store BLOB binary types, but I wouldn't suggest it. That's what file servers are for. For example, Amazon S3, or Firebase Storage.
You can store the URL to a file in the database, but store the actual file on a remote system to keep your applications size small.
You can cache the resources on disk lazily as the user reads said passage, or set up a system to stream them. That'd require more effort than just downloading the whole file once per device, though
I could not understand a lot from you question as there are too few details. If I understood correctly the question, the best way to implement this is to upload the mp3 you want to the server and in the android app play the file from the server (make a request to the web). In this case you will save to the database only the name of your mp3 and the link from the server to this file.
Another approach would be to convert your mp3 to base64 and save it in SQLite as a text datatype (as base64 string may have more than 256 chars long) and when needed you can decode it but it will be much slower than hosting everything to cloud
try {
MediaPlayer player = new MediaPlayer();
player.setAudioStreamType(AudioManager.STREAM_MUSIC);
player.setDataSource("http://xty/MRESC/images/test/xy.mp3");
player.prepare();
player.start();
} catch (Exception e) {
// TODO: handle exception
}
I have a problem. I am using xyz.db file and which is stored in asset folder. I am copying all data from xyz.db to application db which is stored in data/data/com.xyz/abc.sqlite in storage folder. Now I want to secure asset's xyz.db file. Because It can be easily extract from apk by reverse engineering. Please help me to secure my asset folder's database file.
You can perform the following to make it relatively difficult to access data in DB.
Password protected zip file to contain db which at runtime should be extracted.
Encrypt the file with symmetric key and again at runtime decrypt it.
Utilize sqlcipher that performs encryption for Data at Rest.
In both the above cases you will need to worry about storing the password or key. There is no sure shot way to protect the file but the above would require more effort and should be added as basic protection.
There's no final solution to your problem.
Any technique you'll use can be beaten by a determined skilled attacker.
You have to accept that if you want to store database xyz.sql in your apk file and you later want your app to use it, then it will be also possible for someone that reverse your app to retrieve it. Basically just because the plain text information at a certain moment will be available on the phone.
Hope i've been clean enough
Keep security in mind
As usual in Android the access rights of the database file determine who can use your database. If you follow the standard way presented in the following posts of this series, your database file will be located within the private directory of your app. This means that your app owns the database file and no one else can access it. Even using the other less common ways to create the database you can only grant access to the file. Thus others can access all of your database or nothing. There is no middle ground.
Still: You should never rely on data being safe from prying eyes in the database. Any sensitive data should be encrypted. Very sensitive data should not be stored on the device at all. Keep in mind that if the device gets lost, any misbehaving finder of the device can gain access to the database file as well as to your app. On a rooted device all files can be read. Apps like SQLite Editor make it easy to read even sensitive data – if they are not encrypted:
In cases where data privacy is of utmost importance, you have to revert to secured services or force the user to enter a secret every time before encrypting and storing the data or reading and decrypting them respectively.
source
I have a dilemma, i need save some security data on my Android device, this data is login information to personal cabinet, so can you please, give me an advice where is better to save this info into simple txt file(but what about security?) or maybe is there analog of MySQL DB in Android platform(and how i can access it)?
The best way to store personal data in Android application is using shared preferences with mode private, so that nobody can access that data other than your application.
for more details see Android developers tips about shared preferences here.
AFAIK you cannot run MySQL on a android device but you can use SQLite (tutorial). You could even try using SQLCipher to store it in a encrypted database. Although I'm told it's not too hard to extract the access key from your APK.
When you store you password, make sure you encrypt it (even if you are encrypting the database). Storing passwords as plain text is rarely a good idea ;)
Whatever you do, do NOT store it in a text file!
You can save the simple txt file into your application directory. In General, Android assigns each application a unique uid. Each application has its own application directory with mode 660. So other application cannot access its content. To write your own application directory, you can use the following code:
String filename = "myfile";
String string = "Your security content";
FileOutputStream outputStream;
try {
outputStream = openFileOutput(filename, Context.MODE_PRIVATE);
string = encrypt(string);
outputStream.write(string.getBytes());
outputStream.close();
} catch (Exception e) {
e.printStackTrace();
}
However, if the target device is a rooted device, other application can access your file. So a better approach is to encrypt your data, and save it into the application directory.
For a database approach, it has the same problem, you can define your own content provider without exporting it out, but it is still vulnerable on a rooted device. So whatever you choose, writing txt file or storing it on DB, encrypt it first is necessary.
You could store the details in the SQLdb on android but save all the form details using encryption and just persist the strings.
You can see in the answer below an example of someone doing this exact same technique and using the phoneId for the encryption (although I'm not sure how safe that really is).
Is it safe to store username + passwords in a local SQLite db in Android?
I want to be sure that my app's content is safe. I have a password for encrypted database inside of my app and I just want to figure out if there are safe places in my project which can't be accessed by reverse engineering.
And it would be great if u explain shortly how reverse engineering works. ThanQ.
And plz don't post links to ProGuard!
Any hard-coded value CAN be viewed by reverse engineering your app.
This includes passwords, urls, etc.
In order to reverse engineer an android app, proceed with the following steps:
1- Rename your app's APK file to ZIP (e.g. myapp.apk -> myapp.zip)
2- Open the zip file and retrieve the classes.dex file.
3- Use dex2jar to get a jar file from classes.dex
4- Use jd-gui to open the jar file and view your original code.
Haawa,
If you are storing the password in your app as a static string, it is NOT safe. It is trivially easy to get to it, even if you are using ProGuard. The best way to safeguard it is to not store it at all. Instead, if possible, have your app send a unique identifier of some kind to a server that validates the user (possibly using LVL), then the server hands back a DB password or the actual DB data itself (stored on the server).
If this is not possible, or if you don't have access to your own server, at least obfuscate the string in some way by storing it as a XOR'ed string or better yet, come up with your own function to obsfucate the string. NEVER have a line in your java code that looks like password = "mypass";
In reverse engineering : your .apk file Rename from .apk to .zip file , then abstract zip file and find your folder,
But You can not able for find .class file of your Project
Reverse engineering is more about recreating intellectual property by careful analyzing application's behavior aspects. Regarding security matters, I think, social engineering should be of more concern to you
Others have explained the reverse engineering, so I will explain how you should encrypt the database.
You should encrypt the database using the user's credentials (username and password or PIN) as the key. When the user starts the application, they should be prompted for the credentials. The key should not be hard coded.
This prevents an attacker from accessing the user's data without having the credentials.
If you are trying to hide the data from everyone including the user, yet have the application be able to access it, then you have to store it on the server and only request the data that you're willing to show to the user.
In my task i need to read and write the file in Raw folder. I did the first one to read the file from my project, Now i want to Write the same file. So it easy for me to make any update in that file.
On Seeing this How to write files to assets folder or raw folder in android?
I allow the user to set password ie writing the pass into the file then read the pass and validate if it matches. Is it possible to Write file in Raw Folder
Any data present in the "res" folder is not writable. You can only read data from it. You can never write data to res folder on the fly. If you are looking for a way to store username and password credentials, you can make use of Shared Prefrence
Here is an example on how to use it.
http://marakana.com/forums/android/examples/63.html
Edit 1
Storing data in Shared Preference is persistent unless user clears the data using "clear data" button in your settings page.Navigate to settings->manage apps->your app. Here you will be seeing uninstall button and clear data button. And one more thing in android is you will never be able to save a persistent data. You can't use any data storage methods like preference, sqlite or file system to store a data for permanent. If user wants to wipe the data he clicks on "Clear Data" button and your data are gone. So you have make your coding in such a way to handle this.
Since this is not possible, you could try to use your app's resources which is write protected and not possible to write to it. So it depends on user or you might have to use your server to store the data over there.
No,it's not possible to write file in raw folder
you should use shared prefrence for that.
http://samir-mangroliya.blogspot.in/p/android-shared-preferences.html
Yes, it cannot be done. Instead of trying to write in raw directory, Update your files in the local file system by using Shared Preferences as described in below link :
Please refer http://developer.android.com/guide/topics/data/data-storage.html#filesInternal.
Any data present in the "res" folder is not writable. You can only read data from it.
See this tutorial from the Android Dev site :
http://developer.android.com/training/basics/data-storage/files.html
String filename = "myfile";
String string = "Hello world!";
FileOutputStream outputStream;
try {
outputStream = openFileOutput(filename, Context.MODE_PRIVATE);
outputStream.write(string.getBytes());
outputStream.close();
} catch (Exception e) {
e.printStackTrace();
}