CODEWITHSUNDEEP
androidsecurityassets
Andrew Evtukhov
Andrew Evtukhov

Reputation: 443

How to secure assets files in Android

I need to store audio files in the application. Access to these files should be restricted. How can I safely store these files?

I tried to store in the assets folder, but when unpacking the apk, these files can be obtained.

Also I used the extension files as a zip archive, however, this file can be assigned and the files can be retrieved by the user.

Is there a way to store files so that the user can not get them?

Upvotes: 3

Views: 5990

Answers (3)

Rawnak Yazdani
Rawnak Yazdani

Reputation: 1411

I think, if you somehow encrypt the audio, users will still be able to record the system sound when your app plays the asset's decrypted audio files even without rooting the phone, because many phones have this option as default, such as: Xiaomi, Samsung. So, there is no way you can completely hide those audio files. Even users can record the speaker when your app plays the asset's audio.

Upvotes: 0

Seonghwan Cho
Seonghwan Cho

Reputation: 51

Is there a way to store files so that the user can not get them?

What commonware answered doesn't solve the problem. hackers can reverse engineer it to get url where you download the assets or else get the file data from the memory by runtime hooking or debugging.

In fact there is no solution for this, but what security experts tries to do is just make it costs a lot then the data will bring.

If your application's asset is very important then I suggests following things.

  1. Encrypt the asset file with symmetric cryptography such as AES
  2. Make key in the way hackers cannot simply identifies it. ( consider White-box Cryptography )
  3. You can use obfuscation software to confuse reverse engineer ( such as proguard, dexguard etc... )
  4. Every time you use it, decrypt it.
  5. To defend hooking and debugging, implement some debugging check, rooting check and integrity check as a security.

I know above methods are hard to implement, if the assets worth it, you should consider these approach.

Upvotes: 4

CommonsWare
CommonsWare

Reputation: 1006769

Is there a way to store files so that the user can not get them?

Download them and never write them to disk.

Or, download them and write them to internal storage (e.g., getCacheDir()), noting that users who root their devices could still get at them.

You are welcome to try encrypting the assets, then decrypting them before use. However, since the decryption algorithm and key will be in the app, people can reverse-engineer the app and learn how to decrypt the assets.

Upvotes: 2

Related Questions