
I'd like to ship encrypted data in /res/raw but I don't know how to do it so that the app can decrypt it.

I know I want to:

1) encrypt the file on my dev station

2) locate it in /res/raw

3) have the app read the encrypted file and decrypt it to use the data within.

I was able to find this blog post http://android-developers.blogspot.com/2013/02/using-cryptography-to-store-credentials.html but it really just says "what you're doing is wrong".

Artjom B.
Someone Somewhere
  • You managed 1) and 2) already, I suppose. You should tell exactly which problems you have with 3), as all of it is very doable. – greenapps Mar 09 '15 at 20:34
  • This is of course doable, it is just not very *effective*: if the apk can decrypt the data, then someone studying the apk or installing it on an intentionally compromised device can also decrypt it or obtain it after you have done so. Ideally such mechanisms prevent third parties from stealing your users' data - what they *do not* do is prevent your users from obtaining data available to their own installed instance of your app, regardless of whether that data is theoretically yours or theirs. – Chris Stratton Mar 09 '15 at 20:34
  • If you have the data and key in the app, encrypting will only make it a tiny bit more difficult for someone to decrypt the data. Some high-end Android phones have a security module to perform encryption. An alternative with these mobiles is to download the data when the app starts for the first time and use the secure module to create a key and encrypt the data with the new key. The benefit of this approach is that the encryption key never leaves the secure module of the mobile. – Augusto Mar 09 '15 at 20:37
  • Check this one: http://stackoverflow.com/questions/15912825/how-to-read-file-from-res-raw-by-name to read files from `res` folder. Rest depends on your encryption algorithm but I'm sure you'll find examples for almost all common encryption algorithms quickly. – Trinimon Mar 09 '15 at 20:44
  • Yeah, the problem is specifically with the key... it seems that the key must always be supplied in the app - what I wanted to do is store the key in the keystore, created when the app is signed. However, it seems that the Keystore API isn't available to devices with API level lower than 18. http://developer.android.com/training/articles/keystore.html keeps saying "introduced in Android 4.3" – Someone Somewhere Mar 09 '15 at 20:48
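
The approach from Augusto's comment (create the key on the device and encrypt the data after the first-run download) could look like the sketch below. This is an added example, not code from any participant in the thread: the class name, key alias and file name are hypothetical, it assumes API level 23 or later (`KeyGenParameterSpec`), and the key is only hardware-protected on devices whose keystore is hardware-backed.

```java
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.io.*;
import java.security.KeyStore;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical helper: seals downloaded data under a key generated inside AndroidKeyStore.
public final class SealedStore {
    private static final String ALIAS = "sealed_data_key"; // hypothetical key alias
    private static final String FILE = "payload.bin";      // hypothetical app-private file

    private static SecretKey key() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(ALIAS)) return (SecretKey) ks.getKey(ALIAS, null);
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .build());
        return kg.generateKey(); // key material is never exposed to the app process
    }

    public static void seal(Context ctx, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key());   // the keystore chooses a fresh random IV
        byte[] ct = c.doFinal(plaintext);     // ciphertext with the GCM tag appended
        byte[] iv = c.getIV();
        try (DataOutputStream out = new DataOutputStream(ctx.openFileOutput(FILE, Context.MODE_PRIVATE))) {
            out.writeByte(iv.length); out.write(iv); out.write(ct); // layout: len | iv | ct
        }
    }

    public static byte[] open(Context ctx) throws Exception {
        File f = new File(ctx.getFilesDir(), FILE);
        try (DataInputStream in = new DataInputStream(new FileInputStream(f))) {
            byte[] iv = new byte[in.readUnsignedByte()];
            in.readFully(iv);
            byte[] ct = new byte[(int) f.length() - 1 - iv.length];
            in.readFully(ct);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key(), new GCMParameterSpec(128, iv));
            return c.doFinal(ct); // throws AEADBadTagException if the file was altered
        }
    }
}
```

As Chris Stratton's comment points out, this protects the stored file from third parties, not from the device owner: the plaintext returned by `open` is still available to the running app instance.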

0 Answers