Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
192 views
in Technique[技术] by (71.8m points)

android - Securing media files in the mobile

I am thinking about developing a birds catalog for Android. It will contain many pictures and audio files. All those files come from a third party company with copyrights.

My application should assure (as much as possible) that those media files are not accessible, copied or manipulated.

Which strategies could I follow? Crypt files in file system and decrypt in memory before showing or playing them? Keep them into SQL Lite as CLOBs? Is this SQL Lite accessible from other apps or is it hidden for the rest of apps? Any other ideas? I haven't found too much info about this "issue" on the web.

Thanks in advance,

Chemi.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

I suggest saving these files to the SD card, not to the private file of your Activity, as images/audio files are usually quite big (I have seen in this discussion that you are planning to handle 400 MB, is this the same app?). So crypting should be fine, and more straightforward than SQLite.

The class below allows encrypting bytes to binary files:

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.SecureRandom;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;


public class AESEncrypter {
    public static void encryptToBinaryFile(String password, byte[] bytes, File file) throws EncrypterException {
        try {
            final byte[] rawKey = getRawKey(password.getBytes());
            final FileOutputStream ostream = new FileOutputStream(file, false);

            ostream.write(encrypt(rawKey, bytes));
            ostream.flush();
            ostream.close();

        } catch (IOException e) {
            throw new EncrypterException(e);
        }
    }

public static byte[] decryptFromBinaryFile(String password, File file) throws EncrypterException {
    try {
        final byte[] rawKey = getRawKey(password.getBytes());
        final FileInputStream istream = new FileInputStream(file);
        final byte[] buffer = new byte[(int)file.length()];

        istream.read(buffer);

        return decrypt(rawKey, buffer);

    } catch (IOException e) {
        throw new EncrypterException(e);
    }
}

private static byte[] getRawKey(byte[] seed) throws EncrypterException {
    try {
        final KeyGenerator kgen = KeyGenerator.getInstance("AES");
        final SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");

        sr.setSeed(seed);
        kgen.init(128, sr); // 192 and 256 bits may not be available

        final SecretKey skey = kgen.generateKey();

        return skey.getEncoded();

    } catch (Exception e) {
        throw new EncrypterException(e);
    }
}

private static byte[] encrypt(byte[] raw, byte[] clear) throws EncrypterException {
    try {
        final SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");
        final Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE, skeySpec);

        return cipher.doFinal(clear);

    } catch (Exception e) {
        throw new EncrypterException(e);
    }
}

private static byte[] decrypt(byte[] raw, byte[] encrypted) throws EncrypterException {
    SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");
    try {
        final Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.DECRYPT_MODE, skeySpec);

        return cipher.doFinal(encrypted);

    } catch (Exception e) {
        throw new EncrypterException(e);
    }
}

}

You will also need this Exception class:

public class EncrypterException extends Exception {
    public EncrypterException (           ) { super(   ); }
    public EncrypterException (String str ) { super(str); }
    public EncrypterException (Throwable e) { super(e);   }
}

Then, you just have to use what follows to generate encrypted files:

encryptToBinaryFile("password", bytesToSaveEncrypted, encryptedFileToSaveTo);

And in your app, you can read them the following way:

byte [] clearData = decryptFromBinaryFiles("password", encryptedFileToReadFrom);

To use an hardcoded password can be hacked by digging into the obfuscated code and looking for strings. I don't know whether this would be a sufficient security level in your case?

If not, you can store the password in your Activity's private preferences or using tricks such as this.class.getDeclaredMethods()[n].getName() as a password. This is more difficult to find.

About performances, you have to know that crypting / decrypting can take quite a long time. This requires some testing.

[EDIT: 04-25-2014] There was a big mistake in my answer. This implementation is seeding SecureRandom, which is bad ('evil', some would say).

There is an easy way to circumvent this issue. It is explained in details here in the Android Developers blog. Sorry about that.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...