We are trying to create an app which will download eBook from server and store it locally on sdcard. We tried to DRM eBooks, after we download an eBook the DRM will take care of the security of the eBook. But later due to some reasons we left the DRM concept. Now I want to know whether we can store the eBook securely in the sdcard. The user cannot do any operations in the file other than viewing. Can we store the file in some other location where the user cannot view the file at all. In iOS we can download the file inside the Bundle itself, but for android???. We tried storing the pdf as a BLOB file in DB and tried to read it from there, in that case also we need to write the file and then read it. I am really confused on this Issue, can someone suggest me a good approach on how to proceed further. Any help would be really appreciable.
Personally I've avoid the SDcard given it's pretty much open to all apps, as #commonsWare mentions having it internal storage offers the Android app sandbox security.
Have you considered IOCipher from the excellent guys at the guardian project it's build on SQLCipher and it allow you to create a encrypted virtual disk. The part I love about it is that it's a clone of the java.io libraries so you should only have minimal code changes.
Files stored on the external storage are easy to read by other applications or from user's PC. You might need to encrypt your files if you don't want anybody else to get access. Well encrypted files can be places anywhere in the system without any risks of being read.
Storing files on the internal storage in your case does not sound good, because there are still too many devices out there with the limited amount of internal storage, where every megabyte counts.
Can we store the file in some other location where the user cannot view the file at all.
Not on external storage. You can put the book on internal storage, in which case only rooted device users would have access to it outside of your app.
i) keep the files encrypted which are important to you.
ii) decrypt the files and move to the internal storage during runtime.
iii) Access your files only from internal storage.
Following these things will keep your file and method calling safe as they are accessible only to internal storage.
Example:(access moved assets files from internal storage )
file:///android_asset/ => file:///data/data/com.test.exmple/files/"
You can also try tools like quixxi that do this for you transparently.
Related
My android app download several files from app server. Users have to buy these files. So, i need to hide and encrypt these files, so that users cannot play/view these files, or they cannot delete/transfer these files. What are my options here?
check out this link: Storage Options
I would give a try for SQLiteDatabase keeping files as bytes (BLOB column type) or caching in internal storage
You may also keep files in external storage in hidden folder (name starting with dot, e.g. .hiddenFolder) if you are encrypting data, but note that every app can be decompiled and all methods/ciphers may be visible then (key fetched only from server without keeping localy?) and access to external storage (e.g. SD card) is easy when folder name is known (or intuitive, or get from decompiled source)
Put those files in internal memory. No need for encryption then. Only if the device is rooted you are out of luck. Then you need encryption there too. Putting the files in a database unencrypted will fail on a rooted device too.
The idea is that.
My application allows user to listen to music and watch videos from the social network. User can save these files in cache to be able to play them offline. This data is saved to SD-card and can be accessed by file managers e t.c.
I want to limit access to these files to other application. The most obvious solution is data encryption.
Can you please recommend me some libraries or frameworks for quick file encryption/decription? It is very desirable to encrypt files "on the fly" during the are loading.
Would this procedure be too slow and resource intensive?
May be there exist some other ways - protected folder in the SD filesystem or something like that?
Yes there is a more standard way to do this.
By using openFileInput on your Context and setting the MODE_PRIVATE flag, you will be able to create files and even folders within your application. Also, these resources will be completely private to your application.
EDIT :
Most of the time, these files will be stored in /data/data/<app_package_name>/files. That is, on the phone memory most of the time, although this is implementation specific.
Regarding the comment of #Carlos mentionning file spamming, yeah you can flood the NAND with multiple files, but /data will be in most cases mounted on a dedicated partition. So you'll be hitting the virtual size of the partition at some point. Please look at this post, the accepted answer gives more details about this.
In fewer words, this is implementation specific (depends on the manufacturer).
Your only option would be to use Encryption, if you want to keep using the external storage. SpongyCastle can help with that. It is an android version of the BouncyCastle APIs.
Apart from that, you could move your files to the internal storage, which may not be feasible in your case as media files tend to be big, and internal storage on most devices is very limited. Even if you do move them to internal storage, any rooted user can access them (or any app with root privileges).
Protecting the folder isn't an option, as anything on the external storage is available to any app with permission to access the external storage. There is nothing you can do about that.
I have a project consisting of four programs for different platforms; all of them use the same XML-based settings file format. I want to be able to manually modify/overwrite it outside of the application. On Windows, Windows Mobile and Linux I'm using "user.home", but on Android that alias isn't implemented. I'm thinking about simply putting it in the Downloads directory, however, that doesn't feel right.
I can't be the only one, who needs that kind of functionality. Or this isn't Android-way? Any suggestions are appreciated.
EDIT: I'm OK with the settings file not being available all the time (i.e. SD-card removed), it's used only on the start-up of the application.
Store it in getExternalFilesDir(). This would work only if the device has an external storage. The user would be able to access it.
However, take note of the following from the docs:
External files are not always available: they will disappear if the
user mounts the external storage on a computer or removes it. See the
APIs on Environment for information in the storage state.
According to Android data storage documentation you have 5 options:
Shared Preferences. By default this will use file /data/data/your.package.name/preferences/user_preferences.xml
Internal Storage. Here you can use something like /data/data/you.package.name/user.home
External Storage. Similar to internal storage /mnt/sdcard/Android/data/your.package.name/user.home, but if user removes memory card file will be inaccessible.
SQLiteDatabase. You can store the whole user.home file in a database blob.
NetworkConnection. Store user's config in a cloud.
I am downloading files from a remote server to be saved for use on an android device. These files are mostly images and audio but I would like it so that a user cannot access this data using methods other than the app.
The issue is that these files could be large and that's why I use external storage. The problem here is that users can access the data stored on external storage by hooking the phone up to a computer.
Apart from using internal storage, do I have any options to secure the files written to disk?
If I do have to use internal storage, are there any other disadvantages other than the fact that some users might have a small amount of internal storage?
Thanks for your time! Any help will be much appreciated! :)
EDIT 1 :
The data being downloaded is paid content (via In App Billing). This is why I'm concerned about restricting access.
EDIT 2 :
I am already adding a "." before the folder I'm saving my data to. I'm more concerned about 'power' users who would know to look in hidden folders.
Seems like you are populating app's cache from web. It is always recommended to use external storage for such purposes because some users may not have enough internal memory to accommodate this.
Since you downloading includes images and audios, i wouldn't suggest you to use encryption/decryption as it will slow down the app's processing. So there's nothing much you can do to secure your data if you want to put on external memory and skip its encryption.
I personally don't think any harm/disadvantage to leave such data as it is (not encrypted). But if you have some of the files important, perhaps you may perform encryption on those particular files only.
I have to store a lot of images that have to be downloaded from the web server. The size of the images might be 80Mb. So I want a guidance where to store them, whether in internal or external storage. Both create some problems for me. Internal storage is as every one knows is very limited but the problem with external storage is that images can be accessed by user. I don't wanna my application images to be exposed to user and changed or deleted. So is there any alternative or is there any technique to safely put data into external storage?
Unfortunately no, external storage has FAT file system, which does not support access restriction. And you simply must not store such large chunks of data in internal memory (or otherwise users will not like you, to put it mildly).
So the only way to go, is to use external storage. If you need some protection, then you may either encrypt/decrypt data. Or just obfuscate data, like changing file extensions, or adding 10 bytes at the beginning of each file. Obfuscation is more efficient resource-wise, but much less protected. Though encryption key can still be extracted from your application, so both of this approaches have their flows.
I would advice to store them in the external storage. If you don't want the user to be able to read it, protect it with an encryption. I think it's a bad idea to impose large data to the user. If the user wants to remove it, you shouldn't want to prevent it. Perhaps consider the possibility of re-download the pictures from the web if it has been deleted.
Use encryption for file content:
i found nice and lightweight sample code on http://www.androidsnippets.com/encryptdecrypt-strings
I recommend saving to external. Preventing the user from deleting his data is not recommended. Also user can format the sdcard to delete it. so you cannot stop the user. You can hide it from him. Just prefix a dot to the folder name to make it hidden.
If you are using Android 2.3, OBB is your choice.
http://developer.android.com/reference/android/os/storage/StorageManager.html
OBBs contain a filesystem that maybe be encrypted on disk and mounted on-demand from an application. OBBs are a good way of providing large amounts of binary assets without packaging them into APKs as they may be multiple gigabytes in size. However, due to their size, they're most likely stored in a shared storage pool accessible from all programs. The system does not guarantee the security of the OBB file itself: if any program modifies the OBB, there is no guarantee that a read from that OBB will produce the expected output.
Related
What is OBB(Opaque Binary Blob) in Android develop site?