• BlackBerry Spark AppSecure
  • Security library for Android applications
  • 0.7.915.0
Package com.blackberry.security.file

Secure file system.

Description

For applications, the BlackBerry secure file system behaves like the default file system, with the following differences.

  • All data within the secure file system is stored on the device in an encrypted form.
  • Directory and file names are also encrypted.
  • There is no current working directory in the secure file system. Paths should always be specified as absolute paths, beginning with a / character.
  • The root of the secure file system is a location within the application's data directory. Input paths for the secure file system programming interface shouldn't be built from a system-generated prefix, such as the ApplicationInfo.dataDir() value. System prefixes are based on the device root, which is outside the application's data directory.
  • The secure file system cannot be accessed until the BlackBerry Spark AppSecure runtime is initialized.

Every operating system has a maximum supported length for the names of files and directories. For example, iOS 11 supports a maximum length of 255 bytes, given by the NAME_MAX constant. The encrypted form of the name of a directory or file will typically be longer than the plaintext, and it is the encrypted form that must be within the limits supported by the operating system. This means that names in the secure file system have a shorter effective maximum supported length. It isn't possible to give a simple maximum but the following should be expected.

  • Names that are 16 bytes or longer will be increased by a factor of 4:3 approximately.
  • Shorter names will be increased to a length of 20 bytes approximately.
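The absolute-path rule and the name-length approximations above can be checked before a path is handed to the secure file system; the following is an added example, not code from the BlackBerry library. The class and method names are hypothetical, the 255-byte limit is the NAME_MAX example value quoted above, and the growth figures are the page's approximations, so the result is an estimate rather than a guarantee.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Hypothetical pre-flight check for secure file system paths (not part of the library). */
public final class SecurePathCheck {
    // Assumption: 255 bytes, the NAME_MAX example value quoted on this page.
    static final int NAME_MAX = 255;

    /** Rough encrypted length of one name, using the page's approximations. */
    static int estimateEncryptedLength(String name) {
        int plain = name.getBytes(StandardCharsets.UTF_8).length;
        if (plain < 16) {
            return 20;                  // short names grow to about 20 bytes
        }
        return (plain * 4 + 2) / 3;     // about 4:3 growth, rounded up
    }

    /** Returns a list of problems; an empty list means the path looks usable. */
    static List<String> check(String path, String systemDataDir) {
        List<String> problems = new ArrayList<>();
        if (!path.startsWith("/")) {
            problems.add("not absolute: there is no current working directory");
        }
        if (systemDataDir != null && path.startsWith(systemDataDir)) {
            problems.add("built from a system prefix: start from the secure root '/' instead");
        }
        for (String component : path.split("/")) {
            if (component.isEmpty()) {
                continue;               // leading or doubled separator
            }
            int estimate = estimateEncryptedLength(component);
            if (estimate > NAME_MAX) {
                problems.add("name too long once encrypted (about " + estimate
                        + " bytes): " + component.substring(0, 16) + "...");
            }
        }
        return problems;
    }

    public static void main(String[] args) {
        // Constructed sample values, for illustration only.
        String dataDir = "/data/user/0/com.example.app";
        char[] filler = new char[200];
        Arrays.fill(filler, 'r');
        String longName = new String(filler) + ".pdf";  // 204 bytes of plaintext
        System.out.println(check("/reports/q1.txt", dataDir));
        System.out.println(check("reports/q1.txt", dataDir));
        System.out.println(check(dataDir + "/reports/q1.txt", dataDir));
        System.out.println(check("/reports/" + longName, dataDir));
    }
}
```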

Encryption and decryption are transparent to the application code:

  • The application passes its data to a file writing interface. The BlackBerry Spark AppSecure runtime encrypts the data and stores it on the device.
  • When a file-reading interface is utilized, the runtime decrypts and returns the data.
  • Path access interfaces accept plaintext parameters for directory and file names. The runtime encrypts the parameter values in order to create paths in the secure store.
  • Directory and file names provided as return values are plaintext. The runtime decrypts paths in the secure store in order to generate the return values.

The encryption method used by the BlackBerry Spark AppSecure runtime currently does not require the user or application to provide a security password. Instead, an encryption key is derived from random key material generated in the device's trusted execution environment (TEE).

Classes

class File
 Extension of java.io.File for working with the secure file system.

class FileInputStream
 Extension of java.io.InputStream for reading data from the secure file system.

class FileOutputStream
 Extension of java.io.OutputStream for writing data to the secure file system.

class RandomAccessFile
 Secure store replacement for the java.io.RandomAccessFile class.