I want to save some files on the SD card which will be downloaded from the net. The user should not be able to have direct access to them. I mean the files should be secure and should not be transferable to another device, and if they are transferred then they should not be in a readable format. Is there a particular directory on the SD card where these files can be saved and be secure too? Also, these files should be automatically deleted on uninstall of the app. I guess there is a direct way of doing that in Android 2.2 but not below that. So, if someone has any idea of how to do that, then please let me know.
Encryption. If you're concerned about the user reading a file that's the closest answer you'll find -- but you need a secure way to store the decryption key also, which is not really attainable.
Realistically, anything that must not be viewed by the device owner must not be on the device.
If the files are in the physical possession of a dedicated user there is no practical way to make them impossible to copy. You can make them DIFFICULT to copy, but not impossible.
If you use encryption as #mah pointed out, and then don't store the key on the device (fetch the key from a server, retain it in memory and never write out the decrypted file or the key to disk), you might be OK in deterring the casual pirate. The dedicated souls will figure it out.
I am writing an app for my final year project, so it's more so for proof of concept so it doesn't have to be the best app in the world.
It is like a file locker app that you can add and remove files from the app and when they are stored they will be encrypted. There will be a login of some sort for the user to enter and be verified on a DB.
I am still a novice in android so I still have a way to go, but I am getting there!
I was thinking when the file (which could be a doc, pdf, jpg, video file etc) is added to the app it would be stored in the internal storage (from what I have read it seems to be the best place to store app related content) and a record of the name and file type would be added to the DB and also the encrypted file name. So when the user looks at the app they will see a thumbnail of the pic and the file name, kinda like the My Files app shows up files within a folder.
My question is it best not to store the file directly into the DB but just use the DB as a reference with the file details, if so how could this be done?
Also, I was thinking that an AES 128-bit encryption method would be best suited for this. I have tried a couple of encryption examples but have only been able to do this with a txt file; when I tried it with a jpg the app just sat there and did nothing. It showed the encrypted and decrypted jpg but this was not viewable.
Would anyone be able to suggest a good way of encrypting any file type that would suit for my app?
Any help would be greatly appreciated!
Cheers,
Owen
If you want to do this properly, here are a few tips:
Don't store files in the database, unless you know in advance that they're going to be really titchy. Store them somewhere else, with a reference to them in the database.
The best place for them if they're smallish is internal storage in the app's private file space. But if you want to be able to store encrypted arbitrary data then you'll need to hit external storage.
Don't store the decryption key!
Ideally, you should find a way not to write the file anywhere when you decrypt it. That might not be possible, though, if you need to open it in another application afterwards. If you write the encrypted files to external storage, you should at the very least write the decrypted version to internal storage where there's some operating system protection against other apps reading it. If you write the decrypted file to external storage, anything will be able to get at it.
AES with a 128-bit key will do you fine.
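A sketch of the tips above, added here as an example and not code from the original posts: AES-128 in GCM mode over raw bytes (so any file type is handled the same way), with the key passed in from memory and the plaintext returned in memory. It assumes Java 7+ / Android API 19+ for `GCMParameterSpec`; the class name `FileLocker`, the file layout and the sample bytes are made up for illustration.

```java
import java.io.*;
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;
public class FileLocker {
    static final int IV_LEN = 12, TAG_BITS = 128;
    static Cipher cipher(int mode, byte[] key, byte[] iv) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        return c;
    }
    // Writes IV || ciphertext || tag. The IV is not secret but must be fresh for every file.
    // Closing the CipherOutputStream appends the GCM tag and also closes 'out'.
    static void encrypt(byte[] key, InputStream plain, OutputStream out)
            throws IOException, GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        out.write(iv);
        try (OutputStream cos = new CipherOutputStream(out, cipher(Cipher.ENCRYPT_MODE, key, iv))) {
            byte[] buf = new byte[8192];
            for (int n; (n = plain.read(buf)) != -1; ) cos.write(buf, 0, n);
        }
    }

    // Decrypts into memory only; doFinal throws AEADBadTagException if the file was modified.
    static byte[] decrypt(byte[] key, InputStream in) throws IOException, GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new DataInputStream(in).readFully(iv);
        Cipher c = cipher(Cipher.DECRYPT_MODE, key, iv);
        ByteArrayOutputStream plain = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        for (int n; (n = in.read(buf)) != -1; ) {
            byte[] part = c.update(buf, 0, n);
            if (part != null) plain.write(part);
        }
        plain.write(c.doFinal());
        return plain.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16];  // assumption: stands in for a key fetched from a server, never stored
        new SecureRandom().nextBytes(key);
        byte[] sample = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF, 0, 16, 'J', 'F', 'I', 'F'}; // constructed bytes
        ByteArrayOutputStream stored = new ByteArrayOutputStream();
        encrypt(key, new ByteArrayInputStream(sample), stored);
        byte[] back = decrypt(key, new ByteArrayInputStream(stored.toByteArray()));
        System.out.println("round trip ok: " + Arrays.equals(sample, back));
    }
}
```

In an app the streams would be a `FileInputStream`/`FileOutputStream` pair, and the database row would hold only the stored file's name and type.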
I'm making an Android app that generates an Excel file using JExcelApi. The content of the file is also available as plain text but it's not stored anywhere (I'm using it for displaying it on a TextView; the content isn't too complex).
To simplify things I store the Excel file on the SD card root directory. I know it's not good practice, but this app is not meant for wide distribution and it's only used for internal purposes in my company, so I'm not too worried about it. When the app generates the file, you can either press a "send XLS" button on the main view which will create a SEND_ACTION intent so you can send the file through email, Dropbox or whatever, or you can just simply plug the phone to a computer, mount it as USB storage and get the file.
However, soon we're going to need to send the app to some of our clients and some changes need to be done. We don't want our clients to access the XLS file, so I need to protect it somehow. Unfortunately, JExcelApi does not support password protected files, so I need to find an alternative way to protect it.
Regarding the "send" button: I was thinking about adding a simple password dialog, so that the user needs to type in a hard-coded password first before the intent is sent. I still haven't taken a look at this, though.
What worries me the most is the XLS file. Ideally, it should still be available on the SD card's root folder, but I realize that this may make things much harder than necessary. Using the app's private storage would be an option because the file would be "invisible", but this can be easily beaten by using a rooted phone. I've taken a look around the Cipher class but I'm not sure how I could apply it to my case: the JExcelApi manages the opening and saving of files by itself and I can't use CipherOutputStream to save the file; I also need to be able to decrypt the file on a PC.
What should I do? Is there any way to encrypt the file in Android in a way that would make it possible to decrypt it on a PC? Should I find some other Excel APIs that support password protection (are there even any)?
About the security requirements: the content of the report is not critical and it wouldn't be a big deal if our clients got access to it (I mean, the content itself is displayed on screen!), but I'd like to make it annoying enough that our clients would cease to insist accessing the XLS file, if they ever tried to.
TL;DR: how do I encrypt any kind of file in Android?
I'm not very familiar with encryption on Android, but there's the Bouncycastle library that can be used for encryption on Android. There might be some pitfalls, but apparently you can also use Android's own Cipher class for en-/decrypting using different algorithms.
If you want to share the encrypted data you'll have to have a shared key in order to let the recipient decrypt it.
I want to set read-only permission on an external micro-SD card programmatically, and the user should not be able to access it from the phone menu either.
Or is there another way to hide it? The client has a video folder which is played only by subscribed users, so I want that folder to be either read-only or hidden from other users.
Please help.
That is not a sensible way to accomplish what you are trying to do. You should be storing the data encrypted and decrypting it strictly in your application. You will never get any kind of 'hiding' to work right.
You can't get anything like this. So, if possible, store the video in internal storage (but if the device is rooted, the user can still access it), or store it on a web server and play it from the web at play time. And the only option is, as David Schwartz suggested, to do encryption/decryption for it.
It's not reasonable to say, "I have some of my app's data on an SD card, so no one else should access it!" Better to try an alternative like encrypting your data, so that even if someone accesses it, they will not be able to read it!
This is simply a question of best practices.
I would like to know which is a better way to manage db backups. The first option is to use the Android Backup Service. Now this initially seemed like a great idea, but apparently isn't supported by all phones/carriers? Also, the user would have had to enable backups in the phone's settings.
The other option is to simply copy the SQLite file to the SD card and vice versa. But this would mean anyone could pretty much open and use my database without my permission. It would also mean the user would lose all data if the SD card became corrupted or the phone was lost.
Any ideas and suggestions will be greatly appreciated.
Some ideas:
export the database as CSV/XML/JSON and add import functionality to your app
have your own server, and allow users to backup to it (you'll need to use SSL and some form of user authentication)
compress the db file and copy it to the SD card.
As for protecting it, how sensitive is it? You could have the user enter a password when they back up, and encrypt it if you feel you need to protect it.
I'm writing an application that needs to store some data and pictures, for example information about places. This information doesn't need to change very often. I have seen that databases are stored under /data/data/package_name/databases, and I decided to store my data under /data/data/package_name/files. With the emulator I can see all these files (databases) under the proposed directories, but after moving the application to a real device and installing a file system browser I cannot see any file under /data. I know that there are some security constraints on a (non-rooted) device. However, are there any suggestions about the solution? Where can I store this data, and how? I'm quite new to Android. Thanks so much for your help.
The reason you can't see it on the device is basically just as you said; the device isn't rooted, so other apps don't have access to the /data folder.
This is okay though, because you can still store your files there. Your app has access to anything under /data/data/package_name/, you just won't be able to see it in a file browser unless you root. This is normally a good thing, to keep average users from mucking around with your databases/files.
Read up more on storage methods here.