Secure/protected content distribution for Android app [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.

---

We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.

Closed 7 years ago.

Improve this question

Here is my scenario: I need to distribute optional content packages for an Android application in a secure/protected way, i.e. prevent download of the content from outside the application. The content consists of zipped SQLite database creation files with sizes up to 4 Megabytes. The packages will be updated 4 times a year. I have currently about 1000 active installations. This means at peak times traffic for downloading the content package updates could yield in about 4 GB per day. The installation base of the app grows by roughly 100 users per day.

Based on the scenario 开发者_运维问答I wonder how to solve the following issues:

1. What would be the best way to distribute the content? HTTPS transport? What would be a recommended way to do authentication (e.g. passwords, certificates)? Should I use password protected Zip files instead?

2. Which infrastructure should be used for content delivery that fits the following criteria:

   • support of the protection mechanism from 1) out of the box
   • easy to setup and maintain
   • scalable and download nodes in Europe and the US
   • relatively inexpensive (not more than 30$ per month). Ideally pay-as-you-go bandwidth.

I was considering CDNs like SoftLayer, Amazon CloudFront, etc. Any recommendations?

---

I don't think you need a fancy server configuration. From what I understand HTTPS is used to secure the link between the client and the server and basically ensures that you are connected to the server you think that you are. But any HTTPS capable client will be able to connect to the server and request your files. So it won't help with what you are trying to do. (If you were trying to prevent someone from impersonating your server then you would use it.)

To solve the problem you describe you'll probably want to use standard file encryption. This will keep your content safe from anyone that does not have the cryptographic key. Someone will eventually be able to dig the key out of your app, but you can update to new keys and hopefully make it more of a pain than it is worth.