Is there are way to hide my application's data folder in Android? I'm storing some stuff in sdcard/data/{package name} and I would like it to be private.
Thanks.
Update
Sorry, I meant the internal memory. I'll be using it to cache some images.
When the android security model is intact, files in your application's private storage area are only visible to your application and any other applications you have signed and assigned to share it's userid, unless you set them with world readable permission.
However, you cannot rely on this because there are a significant number of devices out there where the original security model is not intact: including development devices and emulators without it turned on, devices where the model is invalidated by bugs, or devices owned by end users who have customized (ie, "rooted") the device. In these cases the application's private files will be accessible to the end user, and likely also to some add-on tools and applications on the device.
Related
How do I ensure that a file I created with the application stays in the iOS and Android device even if the application is deleted with Flutter?
Is there a way to this?
I used flutter path_provider, I save it in the external storage in the documents folder, but when the application is deleted, the file is deleted.
Let me explain why I want to do this. Since no unique information about the device can be obtained in applications anymore, I want to do this by giving a unique id with the file I have printed in it, such as imei number or mac address.
About using "non-deletable" file
Personally, i don't think creating file that containing your unique id is reliable. On Android, user have many ways to delete your file (which is properly stored in external storage) intentionally or unintentionally.
Propose solution
iOS: using keychain with your defined unique id
Android: ANDROID_ID
But Android is somewhat unreliable itself. it has been reported that it can be null when app first run, or can be changed after factory reset. The higher android version code the more stable it is. So using it at your own risk.
Quick pick up: https://github.com/GigaDroid/flutter_udid
References:
https://stackoverflow.com/a/2785493/4478019
We have a suite of applications that depend on the sharing of a directory/files on external storage.
I've currently opted out of the Android 10 OS changes to scoping (requestLegacyExternalStorage), but this is going away and I've spent many hours trying to find a solution for simply sharing files between applications.
The only solutions that I see offered are:
SAF - which appears to make the user choose through UI. This is completely undesirable.
Use a File Content Provider - the way I understand this, I would have to make the user install an apk with my provider in it before installing any of my applications. Forcing the user to install two apks to run one application is very undesirable. (Yes, they could both be in one apk manifest but who knows which of my suite they will want to install)
Media Store - My understanding is that this also forces the user to pick something he should have no knowledge of - and is really intended for audio, video, image and downloaded directory.
Am I missing a solution for these simple requirements?
Am I missing a solution for these simple requirements?
There is no simple solution. You would basically need to have each app have its own copy of the shared data (to deal with potential uninstalls) and have some sort of synchronization protocol so each app in the suite can inform others about changes to their copy of the data.
Using SAF is the simplest approach for your scenario. Or, move the data off the device into "the cloud".
My understanding is that this also forces the user to pick something he should have no knowledge of
It is the user's device. It is the user's storage. If you put files in a user-visible location on the user's storage, they are the user's files. Your apps are merely one set of tools for working with those files, nothing more.
How can we make Android assets secure so that no one can read them after app deployment?
There is nothing you can do that will stop a determined attacker from reading them.
Using your own application level encryption would at least make the problem unique to your application, but someone could still do code analysis of your app to figure out how to decrypt them.
The platform's limited copy protection mechanisms are weaker, because they only have to be defeated once for all applications (such as by rooting the phone).
Assets utilized by platform functionality would also vulnerable to a modified platform configured to dump out copies of them.
Do what is easy to stop casual copying by unsophisticated users if you like, but then save your time and energy for battles you can actually win, such as the quality of your application.
I would like to write application (as background service) which will encrypt whole file system totally. The questions are:
Is it possible, such that all Android services will work smoothly? Like, say Microsoft's BitLocker?
If so - can someone point me to some sources/docs?
No this is not possible thought the API.
You'd have to get the source code of Android and try to implement that yourself baking your own custom system image.
However I don't think it is possible at all.
Encrypted file system would be possible only via kernel-mode driver, which means a custom ROM for a device.
Its not clear if you are doing this to be secure, or only in order for a trojan to claim payment for restoring the files ;)
Encrypting files after they have been written in plaintext will leave the plaintext spread around your Flash (or disk) until that space is later reclaimed for new files. Its basically not secure. You have to encrypt before bytes get written to disk.
Android runs on Linux, and device drivers for storage, whilst modular, are compiled into the kernel. So unless you are distributing a custom Android image, you cannot post-install install a driver on someone's device.
There has been discussion like this on the mailing list here.
How can we make Android assets secure so that no one can read them after app deployment?
There is nothing you can do that will stop a determined attacker from reading them.
Using your own application level encryption would at least make the problem unique to your application, but someone could still do code analysis of your app to figure out how to decrypt them.
The platform's limited copy protection mechanisms are weaker, because they only have to be defeated once for all applications (such as by rooting the phone).
Assets utilized by platform functionality would also vulnerable to a modified platform configured to dump out copies of them.
Do what is easy to stop casual copying by unsophisticated users if you like, but then save your time and energy for battles you can actually win, such as the quality of your application.