Secure image storage Android

Question

I am developing an application for Android 2.2 that lets the user purchase and download images from web server.Once he downloads these images, only this application should be able to view these images. One of the possible way I could think of was to encrypt and save the images in the SD card.

But,my concern is that, even after encryption, these files will be visible for file explorer applications(which can delete/rename/move the files). Is it possible to store these files in SD card in such a way that, it is not visible to other applications?

There is a forward locking functionality in BlackBerry(http://www.blackberry.com/developers/docs/4.5.0api/net/rim/device/api/io/file/ExtendedFileConnection.html).Once the file is saved onto sd card using this method, it will be visible only to the corresponding application and device.Is there something like that for android?

Will it be advisable to store the images in sqlite database.The database file is not visible to other apps in the phone.(PS: There will be large number of images)

Is it possible to save the image files as .asec files. Is there any api that convert a file to .asec format?I understand .asec files won't be shown by File explorers.

Please could you direct me or suggest an ideal solution for this scenario.

Answer 1

There is a solution to store the data on the SD-Card in a way that makes it impossible to see the files in an on device file viewer on a non rooted phone.

The solution is to save the data in your apps data folder and activate the automatic location choosing for your app in the manifest. This lets the user choose where to save the app external or internal and all the images are inside the private folder that is owned by the app.

There is only one drawback. The user can delete all files through the app manager. She will be warned that this will may break the app but if there is no way to redownload images the user will loose all purchased items if the app gets deleted or the user decides it would be a good thing to delete the app data.

On a rooted phone however the images can be copied away from the private folder. Therefore you should think about encrypting the image in some way. Encrypting however is not that easy because the user can always try to extract the encryption key from your sourcecode or network traffic.

Answer 2

As an app developer you are a guest on a user's device. The user has more control over the device than you will ever have. There is no place to hide a secret key necessary for encryption. You are forced to play nice, perhaps you are looking for "(in)security though obscurity".

Answer 3

You can store files in the database unless there are limits on the DB size.

Or you can store images in one container (eg. our SolFS virtual file system) and extract them from that container. The user will still be able to copy container away. One of options here is to encrypt the container using some device ID (IMEI code for example) as part of the encryption key.

If the phone is rooted, the user can do virtually anything so as Rook pointed, obscurity becomes an important part of the equation.

And yet another option is to create custom file format for your images, so that only your application is able to load the image data. Again, you can encrypt such files using device's ID to "bind" the image to the device.

Note, that nowadays intellectual property (including images) is licensed to the user, not to device. Or at least the user has rights to move the IP between several of his systems (say no more than 3 devices). You can handle this as well by encrypting the image with random key, then encrypting the random key using IMEI+salt for each device (so you will have the random key encrypted say 3 times). Then the user can move the file between his systems. Of course, this is not the only way to let the user move files between his devices.

Answer 4

You could wrap the pictures into a file where its encrypted and useless to other programs then in your app you de-crypt the image file and display it. Other technique would to insert a watermark when stored on SD then remove water mark when displaying in program.

Answer 5

You could encrypt the image files and then save them in SDCard. This does not prevent the user to locate/copy/delete the file. You could use the File class and use File.setReadOnly() but I think it requires root access. In any case the user will have the same permissions as your app.

The most secure way is to create a full online viewer.