4

The app I am working on gets all the files from the sdcard, but these files are really important and the app should maintain a security issue. So is there a way that the folder or directory that contains the file may be encrypted or locked with a key and only be used by my app? Please help, I am a newbie and stuck at this point.

Navdroid
  • Maybe an idea to make the folder "invisible" (Hidden folder)? Don't know if that is good enough too? – Bigflow Feb 29 '12 at 12:59
  • Yeah that would be great do you know anything like that?? – Navdroid Feb 29 '12 at 13:03
  • To be honest no, not really, but take a look at these 2 posts: [link1](http://stackoverflow.com/questions/1294989/make-a-file-folder-hidden-on-windows-with-java) [link2](http://stackoverflow.com/questions/1999437/how-to-make-a-folder-hidden-using-java) – Bigflow Feb 29 '12 at 13:18
  • That is possible by using "." at the start of the folder name. But there is no security for the folder – Navdroid Feb 29 '12 at 13:32
  • Well, if they use the same folder, then it is not, but in my app I make a new custom folder with a custom name. – Bigflow Feb 29 '12 at 14:13
  • Can you show me how you did that? Is there any way I could password protect the folder and open it only for my app? – Navdroid Feb 29 '12 at 14:19

3 Answers

3

On Android, anything stored on the SD card is not protected by permissions and can be accessed by any application that has permission to touch the SD card (and by anything/anyone that can pull the card out and read it elsewhere). Basically, you need to assume that if you put resources there, they can be accessed by anyone. So, you are correct, you want to encrypt these resources so that even with that access, no one can access them.

Android includes plenty of support for well-known cryptography. In this case, you'll want to use symmetric encryption. The current best practice here is to use AES with 256-bit keys, all of which are natively supported in the Android class libraries. There are plenty of resources on how to do this in the developer documentation online and there is a complete rundown of all the issues you need to think about, and code examples of the entire process, in Application Security for the Android Platform (disclaimer: I'm the author of this book).

You do need a key to encrypt this data, and you need to keep that key secret (anyone that knows it can decrypt the data). You have two options...(1) ask the user for a password every time they use the application and then derive the key from that password, or (2) store the password in your application. (2) is dangerous as Android applications can be readily reverse engineered, where an attacker can simply look into your application and find the key. (1) is preferred as then there is no key stored for an attacker to recover...the tradeoff is that your users need to type in a password to use your application. What you should do here is a function of the risk analysis...how important is this data? Do you need it protected in a strong manner, or are you protecting it to just make things harder for an attacker? Only you can answer that, based on your use cases and the sensitivity/risk of your data.

-1

Have a look at those resources:

http://source.android.com/tech/encryption/android_crypto_implementation.html

http://developer.android.com/reference/javax/crypto/package-summary.html

You should be aware that of course you shouldn't store the key to the encrypted data in cleartext but rather encrypt that itself with a password a user can choose or similar.

s1lence
-2

This is how to make a new folder:

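    import android.os.Environment;
    import java.io.File;

    // Creates the folder "Save" under the external storage root (the SD card).
    String SaveFolder = "/Save";
    String extStorageDirectory = Environment.getExternalStorageDirectory().toString();
    File mySaveFolder = new File(extStorageDirectory + SaveFolder);
    mySaveFolder.mkdir();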

Got this code in the public void onCreate. Now it makes a folder with the name "Save".

Edit: I looked, and there is not a way to set a password or something. Though I read here http://developer.android.com/guide/topics/data/data-storage.html#filesInternal that it is possible to save files in the internal memory, where users can't get access to, but I never used that, so I can't help you with that.

Bigflow