Securing media files in the mobile

Question

I am thinking about developing a birds catalog for Android. It will contain many pictures and audio files. All those files come from a third party company with copyrights.

Answer 1

Similar problem I have resolved using SQLite BLOBs. You can try application in AndroidMarket

Actually I'm saving media files to series of BLOBs. SQLite supports BLOB size up to 2 gigs, but due to Android limitations I was forced to chunk files to 4 meg BLOBs.

The rest is easy.

Answer 2

I suggest saving these files to the SD card, not to the private file of your Activity, as images/audio files are usually quite big (I have seen in this discussion that you are planning to handle 400 MB, is this the same app?). So crypting should be fine, and more straightforward than SQLite.

The class below allows encrypting bytes to binary files:

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.SecureRandom;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;


public class AESEncrypter {
    public static void encryptToBinaryFile(String password, byte[] bytes, File file) throws EncrypterException {
        try {
            final byte[] rawKey = getRawKey(password.getBytes());
            final FileOutputStream ostream = new FileOutputStream(file, false);

            ostream.write(encrypt(rawKey, bytes));
            ostream.flush();
            ostream.close();

        } catch (IOException e) {
            throw new EncrypterException(e);
        }
    }

public static byte[] decryptFromBinaryFile(String password, File file) throws EncrypterException {
    try {
        final byte[] rawKey = getRawKey(password.getBytes());
        final FileInputStream istream = new FileInputStream(file);
        final byte[] buffer = new byte[(int)file.length()];

        istream.read(buffer);

        return decrypt(rawKey, buffer);

    } catch (IOException e) {
        throw new EncrypterException(e);
    }
}

private static byte[] getRawKey(byte[] seed) throws EncrypterException {
    try {
        final KeyGenerator kgen = KeyGenerator.getInstance("AES");
        final SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");

        sr.setSeed(seed);
        kgen.init(128, sr); // 192 and 256 bits may not be available

        final SecretKey skey = kgen.generateKey();

        return skey.getEncoded();

    } catch (Exception e) {
        throw new EncrypterException(e);
    }
}

private static byte[] encrypt(byte[] raw, byte[] clear) throws EncrypterException {
    try {
        final SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");
        final Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE, skeySpec);

        return cipher.doFinal(clear);

    } catch (Exception e) {
        throw new EncrypterException(e);
    }
}

private static byte[] decrypt(byte[] raw, byte[] encrypted) throws EncrypterException {
    SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");
    try {
        final Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.DECRYPT_MODE, skeySpec);

        return cipher.doFinal(encrypted);

    } catch (Exception e) {
        throw new EncrypterException(e);
    }
}

}

You will also need this Exception class:

public class EncrypterException extends Exception {
    public EncrypterException (           ) { super(   ); }
    public EncrypterException (String str ) { super(str); }
    public EncrypterException (Throwable e) { super(e);   }
}

Then, you just have to use what follows to generate encrypted files:

encryptToBinaryFile("password", bytesToSaveEncrypted, encryptedFileToSaveTo);

And in your app, you can read them the following way:

byte [] clearData = decryptFromBinaryFiles("password", encryptedFileToReadFrom);

To use an hardcoded password can be hacked by digging into the obfuscated code and looking for strings. I don't know whether this would be a sufficient security level in your case?

If not, you can store the password in your Activity's private preferences or using tricks such as this.class.getDeclaredMethods()[n].getName() as a password. This is more difficult to find.

About performances, you have to know that crypting / decrypting can take quite a long time. This requires some testing.

[EDIT: 04-25-2014] There was a big mistake in my answer. This implementation is seeding SecureRandom, which is bad ('evil', some would say).

There is an easy way to circumvent this issue. It is explained in details here in the Android Developers blog. Sorry about that.