How to hide/block stored files from web browsing but accessible from app?

Question

I'm working on an application which uploads and downloads pictures/videos on server to be shared between users (user sends a picture to his friends and then they will appear on their own activity feed).

The problem I am dealing with is that all these pictures are stored into web server, that means they are visible when I browse my server via web browser and that leads to privacy / security problem because anyone who types the correct path (i.e "myserver.com/android/pictures/pic_001.jpg) can see the picture.

So, I'm wondering if it is possible to hide/block all those files from web browsing, but make them still available through the android application ?

Answer 1

You can create a web service then instead of exposing folders containing pictures, you can expose web service, and using (de)serialization you can have them in your app while pics arent directly available from web server.

Answer 2

Yes and no. The files must reside somewhere, however you could setup an htaccess rule for the directory (assuming apache) that states that the user agent must match whatever your Android client is sending when it makes the request (if unsure, why not set a custom user agent for the Android request?)

This will only work as long as the users aren't sophisticated enough to know the path to the image. The only other option is to stream the image when an API key/some authentication parameter is met (reading the file into PHP and outputting the proper header and file contents to the browser). Though this is not ideal, it would work (albeit very expensive on your PHP processor)