Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
194 views
in Technique[技术] by (71.8m points)

android - Securing media files in the mobile

I am thinking about developing a birds catalog for Android. It will contain many pictures and audio files. All those files come from a third party company with copyrights.

My application should assure (as much as possible) that those media files are not accessible, copied or manipulated.

Which strategies could I follow? Crypt files in file system and decrypt in memory before showing or playing them? Keep them into SQL Lite as CLOBs? Is this SQL Lite accessible from other apps or is it hidden for the rest of apps? Any other ideas? I haven't found too much info about this "issue" on the web.

Thanks in advance,

Chemi.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

I suggest saving these files to the SD card, not to the private file of your Activity, as images/audio files are usually quite big (I have seen in this discussion that you are planning to handle 400 MB, is this the same app?). So crypting should be fine, and more straightforward than SQLite.

The class below allows encrypting bytes to binary files:

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.SecureRandom;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;


public class AESEncrypter {
    public static void encryptToBinaryFile(String password, byte[] bytes, File file) throws EncrypterException {
        try {
            final byte[] rawKey = getRawKey(password.getBytes());
            final FileOutputStream ostream = new FileOutputStream(file, false);

            ostream.write(encrypt(rawKey, bytes));
            ostream.flush();
            ostream.close();

        } catch (IOException e) {
            throw new EncrypterException(e);
        }
    }

public static byte[] decryptFromBinaryFile(String password, File file) throws EncrypterException {
    try {
        final byte[] rawKey = getRawKey(password.getBytes());
        final FileInputStream istream = new FileInputStream(file);
        final byte[] buffer = new byte[(int)file.length()];

        istream.read(buffer);

        return decrypt(rawKey, buffer);

    } catch (IOException e) {
        throw new EncrypterException(e);
    }
}

private static byte[] getRawKey(byte[] seed) throws EncrypterException {
    try {
        final KeyGenerator kgen = KeyGenerator.getInstance("AES");
        final SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");

        sr.setSeed(seed);
        kgen.init(128, sr); // 192 and 256 bits may not be available

        final SecretKey skey = kgen.generateKey();

        return skey.getEncoded();

    } catch (Exception e) {
        throw new EncrypterException(e);
    }
}

private static byte[] encrypt(byte[] raw, byte[] clear) throws EncrypterException {
    try {
        final SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");
        final Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE, skeySpec);

        return cipher.doFinal(clear);

    } catch (Exception e) {
        throw new EncrypterException(e);
    }
}

private static byte[] decrypt(byte[] raw, byte[] encrypted) throws EncrypterException {
    SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");
    try {
        final Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.DECRYPT_MODE, skeySpec);

        return cipher.doFinal(encrypted);

    } catch (Exception e) {
        throw new EncrypterException(e);
    }
}

}

You will also need this Exception class:

public class EncrypterException extends Exception {
    public EncrypterException (           ) { super(   ); }
    public EncrypterException (String str ) { super(str); }
    public EncrypterException (Throwable e) { super(e);   }
}

Then, you just have to use what follows to generate encrypted files:

encryptToBinaryFile("password", bytesToSaveEncrypted, encryptedFileToSaveTo);

And in your app, you can read them the following way:

byte [] clearData = decryptFromBinaryFiles("password", encryptedFileToReadFrom);

To use an hardcoded password can be hacked by digging into the obfuscated code and looking for strings. I don't know whether this would be a sufficient security level in your case?

If not, you can store the password in your Activity's private preferences or using tricks such as this.class.getDeclaredMethods()[n].getName() as a password. This is more difficult to find.

About performances, you have to know that crypting / decrypting can take quite a long time. This requires some testing.

[EDIT: 04-25-2014] There was a big mistake in my answer. This implementation is seeding SecureRandom, which is bad ('evil', some would say).

There is an easy way to circumvent this issue. It is explained in details here in the Android Developers blog. Sorry about that.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...