How to protect stored data locally in Flutter

Time:12-22

I created a Flutter app with a PDF file stored locally, and I want to secure it from reverse engineering, so that when someone downloads the app from Google Play and wants to view the content of that app, they can't do that. Note: the app is just for Android users.

CodePudding user response:

I am assuming that your app has to access that PDF at some point, or otherwise it should not be in your project folder.

Even with all the security mechanisms that Android has in place, there is no way to ensure that. The user has full access to his device. You could encrypt the PDF and only store the encrypted content on the phone, but then you have to store the key somewhere else. In native Android there is something called the Android keystore system that you can use to store cryptographic keys, but then again you are only moving the problem one step further.

At the end of the day you can only make it hard to extract that PDF but you will never be able to stop people from extracting it eventually. Like with normal attackers, once someone has physical access to a device you can pretty much assume that he has access to everything.


Update: OP asked how to make it hard to extract the PDF.

I suggest encrypting the PDF with AES locally and then storing the key in the secure local storage.

Step 1: Encrypt the PDF: Have a look at this package if you want to encrypt the PDF at runtime, but I would suggest encrypting it beforehand with some other tool if you can. In any case you will need this package to eventually decrypt the PDF.

Code might look something like this (read the documentation for working code examples):

import 'package:aes_crypt/aes_crypt.dart';

// Don't use a hardcoded key. Generate a long random string for the AES key or fetch it (with authentication) from somewhere if it is pre-generated.
String yourKey = 'YOUR ENCRYPTION KEY';
var crypt = AesCrypt(yourKey);
// Encrypts the file srcfile.txt and saves the encrypted file under the original name
// with the '.aes' extension added (srcfile.txt.aes).
crypt.encryptFileSync('srcfile.txt');

To decrypt:

// Decrypt the data from 'mydata.bin.aes' file
Uint8List decryptedData = crypt.decryptDataFromFileSync('mydata.bin.aes');

Step 2: Make sure you have deleted the non-encrypted file.

Step 3: Store the encryption key. Have a look at this package. It will store the key in the Android Keystore or iOS Keychain respectively (which is the best practice for API keys as well). Code might look something like this:

import 'package:flutter_secure_storage/flutter_secure_storage.dart';

// Create storage
final storage = const FlutterSecureStorage();
// Write the value under another key (the storage key); this one can be hardcoded
await storage.write(key: "yourStorageKey123", value: yourKey);

To get the key to decrypt the PDF:

// Read value
// read() returns null when nothing is stored under that key
String? value = await storage.read(key: "yourStorageKey123");

To conclude, this should make it quite annoying to extract the PDF but nowhere near impossible. That's also how many applications store API keys btw.
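
The three steps in the answer above, put together as an added example (not code from the original answer or from either package's documentation). It assumes that AesCrypt is the class from the aes_crypt package and that the code runs in a null-safe Flutter project; the storage entry name and the function names are hypothetical.

```dart
import 'dart:convert';
import 'dart:io';
import 'dart:math';
import 'dart:typed_data';

import 'package:aes_crypt/aes_crypt.dart';
import 'package:flutter_secure_storage/flutter_secure_storage.dart';

const _storageKey = 'pdfKey'; // hypothetical entry name, not a secret
const _storage = FlutterSecureStorage();

/// Returns the stored key, creating a random 256-bit one on first use,
/// so that no key is hardcoded in the app binary.
Future<String> loadOrCreateKey() async {
  final existing = await _storage.read(key: _storageKey);
  if (existing != null) return existing;
  final rnd = Random.secure(); // CSPRNG, unlike the default Random()
  final bytes = List<int>.generate(32, (_) => rnd.nextInt(256));
  final key = base64UrlEncode(bytes);
  await _storage.write(key: _storageKey, value: key);
  return key;
}

/// Steps 1 and 2: encrypts [plainPath] to '<plainPath>.aes', then deletes
/// the plaintext file. Returns the path of the encrypted file.
Future<String> sealFile(String plainPath) async {
  final crypt = AesCrypt(await loadOrCreateKey());
  crypt.setOverwriteMode(AesCryptOwMode.on); // replace an older .aes copy
  final encPath = crypt.encryptFileSync(plainPath);
  File(plainPath).deleteSync();
  return encPath;
}

/// Step 3 in reverse: reads the key back and decrypts into memory only,
/// so no plaintext copy of the PDF is written back to disk.
Future<Uint8List> openSealed(String encPath) async {
  final key = await _storage.read(key: _storageKey);
  if (key == null) {
    throw StateError('No key in secure storage; was sealFile() ever run?');
  }
  return AesCrypt(key).decryptDataFromFileSync(encPath);
}
```

Deleting the file does not wipe the underlying flash storage, and the decrypted bytes still sit in process memory, which is consistent with the answer's point that this raises the effort rather than preventing extraction.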
