I do have an android application that downloads PDF files for display in a magazine app.
To secure the data I am already setting a user password. I was additionally thinking of removing the last 100 bytes of each file when stored on the device and adding them during run-time.
This at least would render the PDF not readable anymore.
Does anyone have a suggestion on how to achieve this with moderate effort and at the same time keeping the calulcating overhead low?
Thanks for any advice here.
encryption seems to be the best approach for you.
https://developer.android.com/reference/javax/crypto/package-summary.html
How to encrypt and decrypt file in Android?
Related
One way I know is to put in assets but thats can't be proguarded and is easily available after decompiling. What are some other ways?
Thanks in advance!
Simple answer is: you can't. You want to make it readable and not readable at the same time. This won't work, never did and never will, unless you're running your software on a locked-down hardware.
You may only make it more or less annoying to extract your precious data from the app. The most obvious way is to encrypt it and decrypt it at runtime. Of course determined attacker will extract the keys and decrypt it without troubles.
You can download it from some backend server at runtime and save on the flash in private data region - of course somebody can just peek inside and copy the files, but APK analysis won't disclose the data.
Finally, somebody can just dump RAM with JSON contents and bypass your "security".
You could encode it with something like AES but even then the data will not be save. It will just be harder to decompile. Additionally, you need to decode it every time you use it.
I am creating an app having a large database file of 450 MB. I am storing it in SD card. I want to secure it as it has some sensitive data. If anyone can tell me the best way to do it, it will solve my problem.
I also tried a sample but it was working for small DB file. If I am using 450 MB Db, it is not working and it takes a very long time.
And also please let me know whether it is possible or not to secure such a large data.
It kind of is, but not really. You can encrypt it, and get the decryption key from a server. There is no other way to secure it, as the user can always pop the sd card into an sd card reader. And if the decryption key is local they can decompile your app.
Here's the problem- the encrypted file can't be used by SQLite. So you'd have to decrypt it to disk, and it can be grabbed at that point. So no, its not really possible to secure a database file at all. You're better off keeping the information on a server and querying it via webservice if you want to keep the data secret.
I am trying to build a application which will be a Ebook kind of (Lot of theory & diagrams) will be there.
Now what i want to know is that since there are many ways of storing the data which one will be the best
Storing in Database
XML
Or simple text files
I am very concerned about the security of the data as well. Since this will be a paid app, i want the data to be secured and also be fast and convenient.
Also, I thought of converting the doc files (Data) in to epub format & then use epub api's to access the data and show it on the android app screen, will this be a gud idea to go for? as compared to the above ways?
Which one will be more secure, fast, flexible & easy!
It depends on how you will access to this data. If you will store in xml you will must to read the whole file from the start to access to chapter (or load to memory, for example). It's not good idea if you will store big data.
Storing in SQL faster. You can gain access to any chapter. You don't need to read all data, like in xml.
Simple text file has the same problem like XML (xml is textfile).
The only one way to secure you data - encrypt it. If user will get root on their device, he will gain access to your files and databases. There is no meaning where you will store your data.
Depends on what is more important to you - speed or security.
Speed
Definitely SQLite, it isn't exactly the cleanest, but definitely the fastest way.
Security
Custom files which are encrypted - it will take a while to read the whole file and then decrypt it in order to display it, but you can be sure that the attacker will access the files encrypted and without the knowledge of the encryption - those data would be useless to him.
EPUB
If you're concerned about security then don't, unless you know how to apply DRM...and that is not a way to go honestly.
I think that the best way to store big amount of data is database. In Android it is sqlite database. I recommend you to put all your text data into sqlite database. You can structure it in easy and beautiful way. Then put your images into assets folder and store the pathes to the the images in database.
Advantages of database solution:
Always well structured data
Easy way to update data with version control system.
You can store and get fast accesses to really big amount of data.
You can use encryption to protect your data.
Disadvantages
It is more complicate to write good code for database solution then for XML or JSON one.
P.S If you will decide to use XML I recommend you to change it to JSON. It is faster and easier to use.
Which one will be more secure, fast, flexible & easy!
Secure: It mainly depends on encryption system.
Fast: SQLite, you can read some advantages of SQLite here Android Performance : Flat file vs SQLite
Flexible and easy: Storing the encrypted files in internal storage is a flexible and easy way. I think it is secure enough. Here you can get some android security tips about storing data http://developer.android.com/training/articles/security-tips.html#StoringData
for saving little data you can use xml for strings but you lose fast loading factor
sqlite is good for almost every purpose, but Security
I have a library app where I store different books as sqlite dbs. The number of books can go on increasing and this gives SqliteFullException when internal storage is used. If I use external storage then is there a way that the user won't be able to access these files? Also, what is the best way to save such large number of databases without exposing them to users?
tough call. currently there is no protection in sdcard.
the internal memory is limited.
if your db file is limited in size <10 mb you can encrypt them and put it in the sdcard, and decrypt it when you want. the size limit is for the decryption time. larger files take longer to decrypt.
currently only security through obscurity is possible.
EDIT
as for your large you can have one db per book.
I would suggest creating a webservice where you store all your data and let the client(phone) request the needed info from the webservice. You can protect your data by building authentication functionality into your webservice.
I m designing a big android application, where there are XMLs to store temporary data, images captured by camera and other details. Which is the best way to protect them from outer access from phone or from PC. XMLs can be encrypted. And images too, however there are times when they need to be accessed very often and encrypting-decrypting is very heavy operation. XML encryption is manageable but images cause memory problems. Is there any alternative way, something at folder level ?
Ok, so the "enemy" is the malicious user? If that's the case, there is very little you can do, especially on a root-ed phone. Essentially, since your application is the guest here, you can't really prevent your host from kicking you out.
However, there are a few things you can do to deter them from doing so. You can encrypt the XML and image, but as Macarse raised, the decryption key would have to be on the apk itself or if you contact a server to get decryption key, it is possible for an advanced attacker to spoof a request which your server wouldn't be able to distinguish with real key requests. I'd go against asking the server, it's too much hassle with little gain.
Another you can do is to devise a proprietary image format, then no standard image editing tools can edit the image. However, an advanced attacker could still reverse engineer your image format, and write a converter to a standard image format.
The third thing and most realistic you can do is to just not store the image on the phone. When you take a snap, then immediately send it to the server, so you wouldn't need to mess with securely saving the image. An attacker can still intercept the network traffic as it is being sent or they can tamper your apk(!) such that the program would save a copy of the image to the phone. You can probably do some self-authenticating apk, but that's usually much more hassle than it's worth.
In short, there is little you can do against your host. It all depends on how valuable is the data you're securing, and how likely someone would spend that much time on trying to break your security, to get to the prize.
I'd say, just encrypt the image using a locally stored decryption key, unless you have a real reason to suspect that someone would spend their time to reverse engineer your code.
There is not such a secure thing to do with assets.
If you store stuff on res/raw it can be read by other applications on a normal phone but yes on a rooted one.
If you encrypt data, the decryption key will be available in your code. Easy to get it having the apk and apktool.
Perhaps you can do some of that but also obfuscating the code (Android developer guides recommend ProGuard).