I am trying to implement a secure system for iOS and Android that will transfer encrypted files from a server and decrypt on the device. The challenge I am currently trying to beat is the source code of Android app (also iOS app code decompile is possible) is decompilable. So this system was not be able to pass the penetration test.
The penetration test guys actually decompiled the whole Android app code and they managed to decrypt the files. How can I build such system that it will be secure and the files are not going to be decrypted except from the app itself?
Currently what I have is:
We encrypt bunch of files on the server in a directory. AES-256 with a passkey.
We encrypt the whole folder as a ePub file. Using aescrypt.com freeware utility. The file is an e-book.
We transfer the ePub file to the device.
We unzip the ePub file to a folder on the device. (Note that the unzipped files are still encrypted)
We override the webview's fileURLWithPath (on iOS) and before webview renders the content we give webview the decrypted content.
But as I said, the encrypted contents on the disk can be decrypted decompiling the code. Also the pass key is in the app source code as well.
How should I proceed in order to create a secure system for that process?
Thanks.
Related
I want to encrypt plain text URLs in a text file which is embedded in an Android APK. I am currently saving my URLs in as Strings in that file. With these URLs I am loading data from a MySQL database. The structure is as follows:
String url="http://faazani.com"/api
However, I want to encrypt the URL while using it. If someone extracted these URLs from the APK file, they would know where we host the API. I want to keep this a secret.
As this is a serious issue for me, I'd appreciate any help.
There's very little reason to encrypt a URL for an Android App
Anyone can decompile your app and see what you're doing to decrypt it, if they wanted, which is the least of your worries, since anyone can usually setup a debugging proxy and watch the traffic from your app go to your server and back, and see the URL.
Your web API needs to have security controls, if someone simply knowing your URL is a concern for security, you've already got problems, independent of the android app.
We have audio files which should be streamed to authenticated users. All the audios are encrypted.
Our current approach is to decrypt file download in a public web directory on the server which has the file name in a predefined format. If called using link this file is playable on any client i.e. web or mobile. But we have security challenges as this file is in public directory anyone with basic browser knowledge can get a link and play it without authentication.
Is there any secure way to stream an audio file using authentication? Any standard practice in Java REST frameworks, spring-boot, dropwizard etc?
I am developing an application to download files online, save them on internal storage, and read them once installed. Moreover, my client have requested than the files are encrypted.
Actually I have developed a working version that do the following :
Download process :
1) Download the File on internal storage
2) create a new encrypted file from the original one, and save it in the internal folder
3) Delete the original one
Opening process :
1) Create a Decrypted file from the encrypted one and save it in the internal storage
2) Open the decrypted file with the correct viewer
3) Delete the decrypted file once the user stop reading it.
Here is my question:
I am actually using activityForResult and an Intent ACTION VIEW to open the decrypted file from the internal storage.
First of All, I don't like using an ActivityForResult on an ACTION VIEW Intent because it is handled by a external app, Secondly the user keep the decrypted file if he leave the app from the viewer.
How Can I Create a temporary file from my decrypted file which will be destroy after the user finish reading it?
The downloaded files needs to be readable offline, so streaming is not an option.
EDIT: SOLUTION
The only solution is to take control of the Intent, so that the ActivityForResult can be used safely here. Therefore, the viewer must be implemented in the application. If the files are not common files, as my case, you should develop your own reader/viewer. This allows you to completely control what your application is doing and when your files will be deleted.
I'm writing a small Java application similar to TrueCrypt, it is a container with encrypted user files.
There is a problem with access to encrypted files. At the moment, I'm using this approach:
1. When connecting the container completely decrypt all files in a common folder.
2. Mount folder as a drive.
3. Watch the events in a folder decrypt files using WatchService.
4. For example, when adding a new file is encrypted, and it is stored in the container.
5. After disconnecting the container delete all encrypt files and unmount folder.
I would like to find a solution that would allow to decrypt only the files that the user wants to use, such as providing the user access only to the names of the files, and when the user wants to use to decrypt only one file.
The requirements are: to use only native system file manager, don't write own file manager, a decision should be cross-platform.
At the moment, there is an idea to implement the FTP protocol, or WebDAV and mount it as a network drive.
Is there a simple and elegant solution?
One possibility would be to encrypt each file in the container separately. Encrypt the directory separately as well. When connected, just decrypt the directory file for the user to see. Other files are decrypted/encrypted as the user opens and saves them. Use a similar process for subdirectories if any are present.
This is more complex to run than encrypting the whole container in a single large encrypted file. It will also impose a delay on individual file access due to en/decryption.
In my project a compressed file is displayed on a php in bytes.
I am trying to find a way to read the php page, decompress the file using GZIP, and write it out to the assets folder.
The file that I am reading in has to be placed in the data/data/package/database file.
I have a class that reads a file from the assets folder and places the file into data/data/package/database.
Is it possible to write to the assets folder during runtime? If not is there a better way to do this?
if the PHP script is running on a server, your Android app will need to make an HTTP request to retrieve the content. of course then it has to store it somewhere. the SQLite database is a good option, but you could also store content in files on the SD card.
there are a couple ways to do the HTTP connection part of it, and they're written up on the Android Dev Blog. Myself, I prefer the HttpURLConnection.