0

The apps we write will soon be enhanced by downloadable "packages" using the in-app purchase API. We would like therefore to start securing our content which we wish to allow the users to download/extract onto their memory card (so as to not use up internal memory for our large applications), however, we need to secure the files somehow so that they can't simply be taken from the SD.

Can anyone suggest some possible/simple/common techniques used to do so on Android?

ale
  • 6,369
  • 7
  • 55
  • 65
Hamid
  • 4,410
  • 10
  • 43
  • 72

2 Answers2

1

You'll want to look into ProGuard, it's pretty well integrated with ADT. An easy way to get a good ProGuard config file is to create a new Android project in Eclipse, as the newer versions of ADT automatically make one for you. It is used when you right click the project and use Android Tools>Export

jakebasile
  • 8,084
  • 3
  • 28
  • 34
  • My understanding is that ProGuard will obfuscate code, but not other kinds of data. – Ori Mar 07 '11 at 02:06
  • 1
    @Ori right well, there is no way to protect other kinds of data. Any secret packaged with the apk can be obtained with a debugger. – rook Mar 07 '11 at 02:12
  • Thank you, however, tis is not exactly what I asked for. It is our non-code resources we wish to protect. – Hamid Mar 07 '11 at 08:28
0

I'd think you'd probably want to generate a hash based on some unique device identifier and a strong key of your choosing. A unique identifier for the device can be generated using the technique discussed in this answer. Have the App transmit that hash to your server, and encrypt the package before (or as) it is sent to the user using this hash as a key. Your app will decrypt the data as it is read by generating the key on demand (the same way it was initially generated). Have a look at the MessageDigest class and the javax.crypto package in the API.

Community
  • 1
  • 1
Ori
  • 4,132
  • 1
  • 25
  • 27