I am asking the same question as here:
For android.
Are there equivalent concepts in android to what is presented here:
My particular requirement is to protect files from rooted devices and also make them available only through application and for a certain lifetime.
Thanks
My particular requirement is to protect files from rooted devices
By definition, that is impossible.
First, anyone who has a rooted device has access to every file, anywhere in the device itself.
Second, encryption only helps the user protect their data from third parties. You, on the other hand, are trying to attack the user by preventing them from accessing their data. The only way you can try to do that via encryption is for you to be the only one with the decryption key, and since that decryption key has to be on the device for the device to be able to decrypt the file, any user who wishes to can rummage through your app, find the key, and decrypt the files themselves. The notion of encrypting files this way is called DRM, and there are two types of DRM: the ones that have been cracked and the ones that nobody has bothered trying to crack yet.
If you do not want the user to access this data, do not put it on their device.
Looking through Mighter's answers and given your concern over rooted phones it looks like its been discussed here.
http://source.android.com/tech/encryption/android_crypto_implementation.html
(a sub link i found somewhere in here http://source.android.com/tech/security/index.html)
Originally i was thinking you could use the ContentProvider and store your data in a database, i believe that can be protected, or you could at least encrypt the data within it. I wasn't sure that would answer your issue however. The android crypto implementation link i hope will cover your requirements. Though might be impractical due to version requirements.
Two notes:
Generally speaking your application could be only as secure as the operating system. In case the device is rooted, the operating system isn't secure anymore. So your application can't be secure either. For example there could be tweaks of operation system which will:
Second note is that at some point you will need to provide your data (files) in clear (not encrypted) to 3rd party applications. As soon as you did this, they can copy it, send it to some server and you can't do anything about it. So, even if you provide access to these files for a limited time, they still can "leak".
That said, your simplest approach (as Emile pointed out) would be to use a ContentProvider, encrypt data within it and decrypt data when it's delivered to 3rd party apps.
An approach with higher complexity would be to use DRM (http://developer.android.com/reference/android/drm/package-summary.html) in case 3rd party apps support it.
Android utilizes Unix permissions to protect app sandbox. Each app runs under unique user and only that user has permissions to operate on /data/data/your.package.name folder. However, if target device is rooted, your app data can be compromised.
Some links:
http://source.android.com/tech/security/index.html
http://www.amazon.co.uk/dp/1430240628
http://developer.android.com/guide/topics/security/permissions.html
There is nothing safe about putting any kind of data onto an android device. They are ment to be open devices. If you are looking to protect your data again rooted users, then you would have to use a form of encryption. And depending on the sensitivity of the item, that may not even work (unless you use a real high end encryption which will then drain on performance). Dont trust Android with sensitive information is the only thing I can say.
