I'm building an application that allows users to upload multimedia files they create (audio, video, graphic) via my web frontend, and then other users can stream/download the files to their phone using my mobile app. I'm building the mobile app with react native. The problem is with the android platform-- when the files are downloaded, they show up in the Downloads folder, which means they can be copied, moved, and opened from other apps.
Since the file contents are copyrighted, I need to find a way to
prevent these files from being listed in the Downloads folder
and / or
prevent other apps from opening them.
Apps like Spotify and Netflix manage to do it (e.g. if you download a playlist from Spotify, you can't see them anywhere else on your phone). I believe some kind of encryption/decryption scheme is involved. But I don't know enough about it. Would appreciate any insight on how to go about this.
As Luke says, there is no 100% protection, but usual approach is to encrypt the files and to use a DRM system to manage the secure transition of the key from the server to the client Android device.
Android devices (generally) come with widevide DRM built in and this is probably the most common one used, but the system supports other DRMs also and device vendors may add different ones.
If you are prepared to accept a less secure encryption, but one which may be good enough for your needs, then MPEG DASH includes a 'clearkey' option which ExoPlayer supports. If you do go this way it is worth checking on the latest ExoPlayer status as this feature is being worked on at the moment:
https://github.com/google/ExoPlayer/issues/3178
Related
I am building a pdf making solution in which a user captures photos from his camera, and s/he can make a pdf out of those photos. Now my client wants a feature where you can share photos captured in one device to another device (like if the user is capturing photos on a mobile device and he now wants those photos on another device maybe a computer). The whole app is a progressive web app, so pretty much all functionalities run offline. I thought about building a web server, and upload photos on prompt from the mobile device, and may be provide some way for the pc to connect and download those files. But turns out it gets too slow..
But then I thought there are some web apps, which allow sharing large files after connecting to the same wifi network, how do they do that? For now that seems like the solution for my problem. Can anyone help?
I'm wondering it's possible to identify android device by web app running on mobile web browser? And this solution have to still working after change or upgrade web browser on this phone.
My second doubt is web app can working offline on phone showing PDF presentations saved in local storage (disk). When I have internet connection I can manually sync presentations (some are removed and some are downloaded).
If PWA app can work like I described above or in this case we need to use (hybrid) mobile app ?
PWAs allow to cache assets and make them available to the users even when they are offline. There are some functionalities that only Native Apps have (eg. access to a device contacts), but they are very close under many other aspects.
I wrote an article about Service Workers and caching strategies where I explain how to cache static assets as well as HTTP GET calls. It is part of a series about PWAs, so you might find it useful to get more insights about this technology.
Have a look at the website what web can do today to have a list of WEB APIs currently available:
I do not know the detail of your requirements, but maybe you do not even need to implement an hybrid app and simply create a PWA.
Here my problem, i create a couple mini game for windows 10 (PC, phone, Hololens UWP, ...), but now i would like to make a launcher to gather all my games, like steam (for example).
But, according to Microsoft, it's impossible to launch a .exe or even .msi from UWP app -> ("This API also imposes several restrictions on what types of files it can launch. Many file types that contain executable code, for example .exe, .msi, and .js files, are blocked from launching. This restriction protects users from potentially malicious files that could modify the system.
")
And now i search a solution, maybe with the FullTrustProcessLauncher Class but i dont know how its works :
https://learn.microsoft.com/en-us/uwp/api/Windows.ApplicationModel.FullTrustProcessLauncher#Windows_ApplicationModel_FullTrustProcessLauncher_LaunchFullTrustProcessForCurrentAppAsync_System_String_
if you have an idea, a solution or even an exemple, I will be thankfull
Best regards
PS: sorry for the bad english, i'm french ^^
You can accomplish this by supporting a custom protocol in your games. Then your launcher app can launch them via that protocol by using the LaunchUriAsync API:
https://learn.microsoft.com/en-us/uwp/api/windows.system.launcher#Windows_System_Launcher_LaunchUriAsync_Windows_Foundation_Uri_
Sorry, that is not going to work.
"FullTrustProcessLauncher Class
Activate the full-trust Win32 component of an application from a Universal Windows app component in the same application package."
In other words this is to run a Win32 component of the current application.
Since Microsoft wants UWP to be more secure, your best option is probably to bundle your games together in one bigger application. Have the start page / form be a menu of the games, then switch to another form for each game.
Name your classes, forms, resources carefully so you know what game they are for -- ChessMain, ChessForm, chess_logo.jpg; CheckersMain, CheckersForm, CheckersPlayerTurn.
I have a hack way that may help to launch the exe in uwp.
If you want to use the win32 dll that in other directory,please get the LoadLibrary that can use it.
You can use
MEMORY_BASIC_INFORMATION info = {};
if (VirtualQuery(VirtualQuery, &info, sizeof(info)))
{
auto kernelAddr = (HMODULE)info.AllocationBase;
auto loadlibraryPtr = GetProcAddress(kernelAddr, "LoadLibraryExW");
// load your library here ...
}
to get the loadlibrary and use to loadlibrary the dll.
See https://hjc.im/3-ways-to-bypass-wack/
Ms use the PE and P/Invoke to judge whether uwp use the not allowed dll.
So you can use the loadlibrary to load it.
You can launch the exe by win32.
But it may work today but it might break tomorrow.
I've just started learning ionic framework. It uses web browser capabilities for building apps.
These capabilities namely HTML, javascript and CSS are client side stuff. Which on browsers can be seen with view source.
My questions is how will be the visibility of the source? Will the end user be able to see the source of the app?
If yes, is it normal for any app? Shall one be worried about the security of the source?
The visibility of the source in chrome://inspect#device , is pretty much the whole application. And no, end user cannot see the source of your application once you set and push the project to production mode.
Well, since you are developing a hybrid application, there are of course, pros and cons for each. Security might not be as strong as native apps, but development time is greatly reduced to push the app to different platforms.
If you would to do something would requires high security and non-visibility of your source , then native is the way to go. As for hybrid apps,if you need somewhere to store your data securely, you will need plugins to communicate with native platform's secure storage which might pose a security risk. But then again, even native applications can be de-compiled. The way developers tries to make it harder is via obfuscation methods.
Once u set your application to production mode, you will not be able to inspect your application anymore.
To show your web-app on chrome://inspect/#devices :
1) Make sure your web-app is running and your phone is plugged into your computer via usb with USB debugging on and your PC is trusted by the phone.
2) Under device manager, you should not have missing phone drivers. (it would look something like this)
3) ADB should not be running co-currently. And you should be able to see something like this on ur inspect page:
4) Click on inspect button and you're done! (:
You have a signed apk, when you install it on a device and inspect the device on google chrome the inspect option will not be available. Theres an easy way to do that decompile the signed apk using apktools you will get the AndroidManifest.xml file. simply add android:debuggable="true" to the tag and recompile it resign it and you will be able to inspect it. If you check the main.js file in the inspect section the source code is visible.
Hence you can use Jscrambler to prevent this (Its a paid service i too am new to it)
I've developed interactive content for a client ( VR Objects ) using javascript and Flash (if needed) that they now want to distribute to prospective customers via a flash drive. That makes it local content causing security issues especially with IE. Actually there doesn't seem to be much problem with any browser except IE. True, IE displays the "allow blocked content" button but they fear that is too complicated or scary. And on IE11 in Win 8.1 it still may not work.
The development environment I use has a way around that for testing using an "embedded web server" although all that seems to do is produce a localhost address such as http://localhost:60331/wyj-01xn/output/surfacide_flash.html. Paste that in the URL bar of any browser on the same machine and you are good. Try it on another machine and no go. So I gather the port address and whatever the /wyj-01xn/ is about are machine specific. Another possible problem -- it may not work easily with IE11 on Win8.1, but I don't personally have that setup to test.
QUESTION: Is there a way I can produce this same functionality for my client, distributed along with the content on the flash drive, without the need to install some special software (local web server) on each client computer??? The current workaround is to tell customers they should us any browser except IE. Client isn't happy.
You could distribute your webpages along with a portable Nginx server, or wrapped inside a Node-webkit or AppJS package.