I'm making an Android app that generates an Excel file using JExcelApi. The content of the file is also available as plain text but it's not stored anywhere (I'm using it for displaying it on a TextView; the content isn't too complex).

To simplify things I store the Excel file on the SD card root directory. I know it's not good practice, but this app is not meant for wide distribution and it's only used for internal purposes in my company, so I'm not too worried about it. When the app generates the file, you can either press a "send XLS" button on the main view which will create a SEND_ACTION intent so you can send the file through email, Dropbox or whatever, or you can just simply plug the phone into a computer, mount it as USB storage and get the file.

However, soon we're going to need to send the app to some of our clients and some changes need to be done. We don't want our clients to access the XLS file, so I need to protect it somehow. Unfortunately, JExcelApi does not support password protected files, so I need to find an alternative way to protect it.

Regarding the "send" button: I was thinking about adding a simple password dialog, so that the user needs to type in a hard-coded password first before the intent is sent. I still haven't taken a look at this, though.

What worries me the most is the XLS file. Ideally, it should still be available on the SD card's root folder, but I realize that this may make things much harder than necessary. Using the app's private storage would be an option because the file would be "invisible", but this can be easily beaten by using a rooted phone. I've taken a look around the Cipher class but I'm not sure how I could apply it to my case: the JExcelApi manages the opening and saving of files by itself and I can't use CipherOutputStream to save the file; I also need to be able to decrypt the file on a PC.

What should I do? Is there any way to encrypt the file in Android in a way that would make it possible to decrypt it on a PC? Should I find some other Excel APIs that support password protection (are there even any)?

About the security requirements: the content of the report is not critical and it wouldn't be a big deal if our clients got access to it (I mean, the content itself is displayed on screen!), but I'd like to make it annoying enough that our clients would cease to insist on accessing the XLS file, if they ever tried to.

TL;DR: how do I encrypt any kind of file in Android?

ziritrion
  • You send data to your clients, but don't want the clients to access it. Do you mean something like read-only? Could you be more detailed on the purpose of sending data to clients? Maybe there are other solutions for the same problem. – SheIs_LeThiCongNhan Aug 07 '12 at 11:50
  • The data is displayed on screen, as well as collected into an XLS file. The XLS file is for internal use only; the clients are only supposed to look at the info shown on screen. – ziritrion Aug 07 '12 at 11:52
  • Thanks, I got it. In my opinion, you can design your app to display the data (on its controls, views…). This way you need to convert the XLS format to a new one, for example XML/JSON. However, you will also need encryption/decryption methods. I'm not good at those, but I once [searched](http://www.google.com/search?q=encyprtion+java) and found many sample projects, e.g. [here](http://www.mkyong.com/java/jce-encryption-data-encryption-standard-des-tutorial/), or [this one](http://meri-stuff.blogspot.com/2012/04/secure-encryption-in-java.html)… – SheIs_LeThiCongNhan Aug 07 '12 at 12:00

1 Answer

I'm not very familiar with encryption on Android, but there's the Bouncycastle library that can be used for encryption on Android. There might be some pitfalls, but apparently you can also use Android's own Cipher class for en-/decrypting using different algorithms.

If you want to share the encrypted data you'll have to have a shared key in order to let the recipient decrypt it.

Ben Weiss
  • The bouncycastle library api is not supported on Android, it just happens that bits and pieces of it are present "under the hood". The supported APIs are the ones documented on developer.android.com such as the Cipher class you mentioned. *If* you need to use the Bouncycastle lightweight API on Android then you should use the spongycastle build of it. – President James K. Polk Aug 07 '12 at 21:32
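The shared-key approach from the answer, as an added example that is not part of the original thread: the file's bytes are encrypted with the standard `Cipher` class (AES-GCM, key derived from a passphrase with PBKDF2), and the same class decrypts them on a PC with a desktop JRE. The class name `ReportCrypto`, the `salt || iv || ciphertext` layout, the iteration count and the sample values are assumptions of this sketch; `GCMParameterSpec` needs Android API 19+ or Java 7+.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;

/** Hypothetical helper. Output layout: salt(16) || iv(12) || AES-GCM ciphertext+tag. */
public class ReportCrypto {
    private static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128, ITERATIONS = 100000;

    // Derive a 256-bit AES key from the shared passphrase; the salt travels with the file.
    private static SecretKeySpec deriveKey(char[] passphrase, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        return new SecretKeySpec(key, "AES");
    }

    public static byte[] encrypt(byte[] plain, char[] passphrase) throws GeneralSecurityException {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        rng.nextBytes(salt);
        rng.nextBytes(iv); // fresh salt and IV for every file
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = new byte[SALT_LEN + IV_LEN + ct.length];
        System.arraycopy(salt, 0, out, 0, SALT_LEN);
        System.arraycopy(iv, 0, out, SALT_LEN, IV_LEN);
        System.arraycopy(ct, 0, out, SALT_LEN + IV_LEN, ct.length);
        return out;
    }

    public static byte[] decrypt(byte[] blob, char[] passphrase) throws GeneralSecurityException {
        if (blob.length < SALT_LEN + IV_LEN + TAG_BITS / 8) throw new GeneralSecurityException("truncated input");
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + IV_LEN);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        // Throws AEADBadTagException on a wrong passphrase or a modified file.
        return c.doFinal(blob, SALT_LEN + IV_LEN, blob.length - SALT_LEN - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        byte[] xls = "constructed bytes standing in for the XLS file".getBytes(StandardCharsets.UTF_8);
        char[] pass = "example-passphrase".toCharArray(); // constructed sample value
        byte[] blob = encrypt(xls, pass);
        System.out.println("round trip ok: " + Arrays.equals(xls, decrypt(blob, pass)));
    }
}
```

JExcelApi's `Workbook.createWorkbook` also accepts an `OutputStream`, so the workbook can be written to a `ByteArrayOutputStream` and passed to `encrypt` without a plaintext copy reaching the SD card. A passphrase compiled into the APK can be recovered from it, so this raises the effort for a curious client rather than guaranteeing secrecy.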