I am asking the same question as here: Secure contents in Documents directory For android. Are there equivalent concepts in android to what is presented here: Protecting the app sandbox My particular requirement is to protect files from rooted devices and also make them available only through application and for a certain lifetime. Thanks

Second, encryption only helps the user protect their data from third parties. You, on the other hand, are trying to attack the user by preventing them from accessing their data. The only way you can try to do that via encryption is for you to be the only one with the decryption key, and since that decryption key has to be on the device for the device to be able to decrypt the file, any user who wishes to can rummage through your app, find the key, and decrypt the files themselves. The notion of encrypting files this way is called DRM, and there are two types of DRM: the ones that have been cracked and the ones that nobody has bothered trying to crack yet.

If you do not want the user to access this data, do not put it on their device.

Upvotes: 3

Victor Ronin

Reputation: 23268

Two notes:

Generally speaking your application could be only as secure as the operating system. In case the device is rooted, the operating system isn't secure anymore. So your application can't be secure either. For example there could be tweaks of operation system which will:

log keyboard input
subvert any calls (including calls to crypto API)
log any information which comes through HTTP(S).

Second note is that at some point you will need to provide your data (files) in clear (not encrypted) to 3rd party applications. As soon as you did this, they can copy it, send it to some server and you can't do anything about it. So, even if you provide access to these files for a limited time, they still can "leak".

That said, your simplest approach (as Emile pointed out) would be to use a ContentProvider, encrypt data within it and decrypt data when it's delivered to 3rd party apps.

An approach with higher complexity would be to use DRM (http://developer.android.com/reference/android/drm/package-summary.html) in case 3rd party apps support it.

Upvotes: 1

Shaun

Reputation: 5531

There is nothing safe about putting any kind of data onto an android device. They are ment to be open devices. If you are looking to protect your data again rooted users, then you would have to use a form of encryption. And depending on the sensitivity of the item, that may not even work (unless you use a real high end encryption which will then drain on performance). Dont trust Android with sensitive information is the only thing I can say.

Upvotes: 0

Emile

Reputation: 11721

Looking through Mighter's answers and given your concern over rooted phones it looks like its been discussed here.

http://source.android.com/tech/encryption/android_crypto_implementation.html

(a sub link i found somewhere in here http://source.android.com/tech/security/index.html)

Originally i was thinking you could use the ContentProvider and store your data in a database, i believe that can be protected, or you could at least encrypt the data within it. I wasn't sure that would answer your issue however. The android crypto implementation link i hope will cover your requirements. Though might be impractical due to version requirements.

Upvotes: 1

user468311

Reputation:

Android utilizes Unix permissions to protect app sandbox. Each app runs under unique user and only that user has permissions to operate on /data/data/your.package.name folder. However, if target device is rooted, your app data can be compromised.

Some links:

http://source.android.com/tech/security/index.html

http://www.amazon.co.uk/dp/1430240628

http://developer.android.com/guide/topics/security/permissions.html

Upvotes: 0

Android how to secure contents in document directory

Answers (5)

Related Questions