On the dev site, it says if your applications are signed with the same certificate you can share data.
I would like to create a utility that I can pack with a csv file, sign and package the apk and when I run it on my device, I would like for that csv to be imported into another one of my apps database. Is it possible?
I know how to get the csv into a database but not how to get it into a different apps database...
You could put your database on the external sdcard. There is no security there.
For sharing protected files the applications must be signed with the same cert and have matching android:sharedUserId in their AndroidManifest.xml files.
Your utility app could try opening the other apps database with an absolute pathname. I'm not sure what would happen with transaction management if both apps are modifying the db at the same time.
A better design is to have one application only own and access the database. Implement an "IMPORT" intent handler on the app that owns the database. Your utility application can send an Intent, specifying the csv filename in the intent extraData. Or you could just put the data on the Intent's extraData (if it's large then send an Intent for each record).
The standard way is to implement a ContentProvider. Use permissions to control access.
http://developer.android.com/guide/topics/providers/content-provider-basics.html
http://developer.android.com/reference/android/content/ContentProvider.html
Related
I have a problem. I am using xyz.db file and which is stored in asset folder. I am copying all data from xyz.db to application db which is stored in data/data/com.xyz/abc.sqlite in storage folder. Now I want to secure asset's xyz.db file. Because It can be easily extract from apk by reverse engineering. Please help me to secure my asset folder's database file.
You can perform the following to make it relatively difficult to access data in DB.
Password protected zip file to contain db which at runtime should be extracted.
Encrypt the file with symmetric key and again at runtime decrypt it.
Utilize sqlcipher that performs encryption for Data at Rest.
In both the above cases you will need to worry about storing the password or key. There is no sure shot way to protect the file but the above would require more effort and should be added as basic protection.
There's no final solution to your problem.
Any technique you'll use can be beaten by a determined skilled attacker.
You have to accept that if you want to store database xyz.sql in your apk file and you later want your app to use it, then it will be also possible for someone that reverse your app to retrieve it. Basically just because the plain text information at a certain moment will be available on the phone.
Hope i've been clean enough
Keep security in mind
As usual in Android the access rights of the database file determine who can use your database. If you follow the standard way presented in the following posts of this series, your database file will be located within the private directory of your app. This means that your app owns the database file and no one else can access it. Even using the other less common ways to create the database you can only grant access to the file. Thus others can access all of your database or nothing. There is no middle ground.
Still: You should never rely on data being safe from prying eyes in the database. Any sensitive data should be encrypted. Very sensitive data should not be stored on the device at all. Keep in mind that if the device gets lost, any misbehaving finder of the device can gain access to the database file as well as to your app. On a rooted device all files can be read. Apps like SQLite Editor make it easy to read even sensitive data – if they are not encrypted:
In cases where data privacy is of utmost importance, you have to revert to secured services or force the user to enter a secret every time before encrypting and storing the data or reading and decrypting them respectively.
source
I am thinking regarding the future options of my app and I am thinking of the idea of backing-up the data from the application's Database and also sharing that data with another phone, say via e-mail, messaging, Bluetooth, you name it, but basically saving it as a file and opening it from the other phone and having the same values on both phones.
What would be the best approach for such an Android application?
Would Content Providers accomplish exactly this or are they concerned with sharing data only between different Apps? Thanks!
I believe it is possible ,
If you read the documentation about the internal storage here, It mentions
You can save files directly on the device's internal storage. By default, files saved to the internal storage are private to your application and other applications cannot access them
So i believe you can copy the whole sqlite DB file to some temp location then share that file via BT or email or any other sharing option .
But DO NOTE, that the same application package can only access the file if you want perhaps another application to use the db then u need to set the SharedUserId , as mentioned here
Content Providers are generally only for sharing your app's data to other apps.
Content providers are the standard interface that connects data in one process with code running in another process.
I want to know how safe it is to pack the database with the application in android. Can the database be easily accessed by the users? As the database that I have will have data which I dont want to be hacked by users for misuse, what is the best way to protect the database in mobile apps?
Also my application would use web service(contacting my own website) e.g. http:\www.mysite.com/services/xxx
My site will in turn return some data to the mobile app. If someone decompiles the java code(in apk), he will easily get access to the URL i am using for web service. How can i protect my data on website to be attacked by malicious users. If anyone gets to know the URL, he can simply type that URL in browser and get all data in json format which i dont want as that data can be quite sensitive. Even if I keep it encoded, then the user can get to know the encoding from the java code(which he gets after decompiling apk).
How to keep my DB safe from being misused?
If my application is to show the local places like restaurants, bars etc on mobile should i always fetch them from the website using web service or provide a local database with these details so that information can be fetched quickly. In this case , I can provide a UPDATE web servcie which will update the local database. But security of local DB is of great concern to me.
Can anyone please suggest where to keep the DB and how to safeguard it?
Rgds,
Sapan
Local databases and your apk file can be read by any rooted device easily. This tool can even decompile your resources as explained in this youtube tutorial (I never tried that myself actually).
So you would have to store your data encrypted in your database and decrypt it form your application code to be sure that noone can access it by simply getting the database form the data directory of his device.
You shouldn't put your sensitive data (like passwords etc) in the resource folder, because it can be decompiled, put it in your code.
Now some words to your JSON API. Hiding the URL is not enough, since the user can track your requests easily by a sniffer and get that anyway. You should provide a authentication mechanism to protect unauthorized access and also protect your communication by SSL. (E.g. using HTTP authentication - makes only sense when your server provides SSL.)
This are the things you should think about and decide yourself how sensitive your data actually is.
As far as I understand you're going to:
Pack initial DB in your APK file (say with res/asset folder)
During first run explode DB file from res/asset to application data folder
Then from to time fetch data into DB from website/webservice
In this case there are basically 2 vulnerabilities (stored data I mean):
Initial DB image, since it's packed with APK (which is in real life just ZIP archive), so anyone can unpack and see what's packed in your DB
DB file stored in application data folder (usually /data/data/MY_APPLICATION_PACKAGE/databases). This folder is accessible on rooted device, so again your data can easily be screened
The only option to be secured is to encrypt your database content. Easiest way to do it to store sensitive data in BLOBs (in form of XML of JSON) and encrypt/decrypt those BLOBs after/before actual usage of certain records.
Myself personally did it in my app - and it works well.
check this links for protecting your apk file for decompile
How to make apk Secure. Protecting from Decompile
Protecting Android apk to prevent decompilation, network sniffing etc
decompiling DEX into Java sourcecode
I have a requirement to attach a Zip file to a message in the Android email composer.
The Zip file is being created by my application and stored in the app's private storage area (accessible via getFilesDirectory()).
I am obtaining the URI to this Zip file and appending it to an email intent object; when I launch the email activity I am able see the attachment but my email recipient is not receiving the files,
After doing some research on this, I found that my application data cannot be shared with other app's (in this case the Android Email app).
To solve this problem I would like to implement the recommend solution of using a content provider to share my application data.
First of all, I would like to confirm if this is possible, and if it is could anyone please give me some hints on how to go about doing this. I need to know how to copy my Zip file from the getFilesDirectory() of my application, to the content provider, and also how to attach the content provider URI to the email intent object.
I can't place my zip files into an SD card...
I just want only to store my files in to my device internal storage and attach to the email composer.
By default, a ContentProvider can be accessed by any application on the device. If you are willing for these files to be accessed by any application on the device, create a ContentProvider, with real implementations for getType() and openFile(). Then, the content:// URL should work with the Email app, AFAIK.
Here is a sample project demonstrating a ContentProvider serving up files from local storage, in this case to a WebView.
If all you want is to avoid storage on the external SD card, then you don't need a ContentProvider. You can live with
openFileOutput("yourzipfile.zip", MODE_WORLD_READABLE)
and pass
putExtra(Intent.EXTRA_STREAM, Uri.fromFile(getFileStreamPath("yourzipfile.zip))
along with your ACTION_SEND Intent.
However, the email program will probably set no Content-type.
Also, there's no reliable way to tell when the email app doesn't need your file anymore. This means that you either risk ending up with many files or sending a newer content as the attachment of an older email.
Another issue with this solution is that everyone can read your zip file. This problem would not occur with a ContentProvider solution, where you can grant access permission on a per-Intent basis, i.e. allowing access to one file only for one email Intent.
Matching of the Uri is then done via the URI, which may start with your package name, such as
content://com.yourdomain.yourapp.yourproviderclass/some/path
You may want to look at http://developer.android.com/guide/topics/manifest/provider-element.html
I have a lite version of an application that uses a SQLite database. I want to copy that database over to the full version of the application when the user installs the full version.
I have written some code to perform the file copy, but the lite database file always comes up as unreadable. The file is there and I can point to it, but I can't read it to perform the copy.
In the Android documentation, we read:
You can save files directly on the
device's internal storage. By default,
files saved to the internal storage
are private to your application and
other applications cannot access them
(nor can the user).
Note the words, "by default".
Is there a way that I can override that default and make the SQLite file readable by my other application?
Thank you.
I believe you have 2 options.
Set the sql database to be world readable on creation. You can do this by setting the appropriate mode parameter in the call to openFileOutput() or openOrCreateDatabase().
Set the sharedUserId attribute in the manifest of both of your applications so that they have the same user ID. This treats both applications as the same user, giving both applications access to the same private set of files.