0

I have recently started a project where I need to make extensive use of videos and books, and all of them need to be stored locally.

I want to be able to search all these books and get access to them as quickly as possible.

I don't want users of my application to have access to the content (books and videos) outside my app that would allow them to copy the files or view them in another software.

In short, I don't want the files to be stored openly in the file system, I want to obscure them or somehow restrict access to the content so it cannot be accessed outside my application.

This is like an encyclopedia project, where I have copyrighted materials.

I am using Java as the main language for this project.

Tulains Córdova
  • Are you asking for hardware recommendation? – Tulains Córdova Aug 29 '16 at 06:24
  • No. I am talking about a software project. I don't want to store these files as normal files in local disk. That's what my question is about. Do I need to store them in a database, maybe? I don't know, however, you people while working with projects, let us say, an encyclopedia software, how do you store all these files?? – labir pinima Aug 29 '16 at 06:46
  • Is it a good idea to store large files in a database? Are there other solutions? – labir pinima Aug 29 '16 at 06:54
  • Edit your question and make clear what you are asking before it gets closed. Give the encyclopedia example. State that you don't want the files to be stored openly in the file system, that you want to obscure them or somehow restrict access to the content so it cannot be accessed outside the application. – Tulains Córdova Aug 29 '16 at 07:07
  • Thanks. That's what I actually need. You have understood me well. – labir pinima Aug 29 '16 at 07:09
  • @TulainsCórdova I know that's against rules, here, in stack exchange, to thank someone, however, I am obliged to thank you. SO thanks! ;) – labir pinima Aug 29 '16 at 07:23

2 Answers

2

You probably want to encrypt the content (or at least obfuscate it). You then have to trust the encryption and the procedures related to it.

But advanced users could bypass your Java code and access the encrypted form.

BTW, with enough effort (including forcing the encryption), your mechanism could be bypassed. Remember that security through obscurity is a fallacy.

Storing data outside of files (e.g. in some database) does not hide it at all. An advanced user (like a motivated enough me) would find your database and could query it outside of your application. It could change a Java class loader to modify or at least trace your application's behavior, or it could even patch the JVM running your thing (or use some different, e.g. academic JVM, to run your thing). It could e.g. trace the system calls done by your app (on Linux, I'm using strace(1) on most foreign binary software I might have to install). Read perhaps Operating Systems: Three Easy Pieces.

Also, a given content (video or book) could be legally available on the consumer's computer outside of your app. Do you require that content to be duplicated (wasting resources on the consumer's computer, assumed to legally belong to him)?

At last, as a consumer, I would never buy or use your software, because I don't trust DRM. Information wants to be free. See https://www.defectivebydesign.org/ (which also has technical arguments related to your issue that you should know, even if you disagree with the opinions there).

Read about trusted computing base.

Explain to your client that someone (outside of US law jurisdiction, perhaps some Chinese, Russian, French developer or hacker, more generally outside of legal reach from your client ....) will eventually reverse engineer any software trick you'll implement, and publish his understanding of your tricks on some website or forum. It is just a matter of time. Read about libdvdcss as a past example etc...

> I want to obscure them or somehow restrict access to the content so it cannot be accessed outside my application.

You won't technically be able to fully restrict (that is, make impossible any) access to content on another computer (on which the OS, the JVM, the hardware etc... could be "hacked" or "compromised" or "improved" or "patched"); you just could make that difficult (using encryption or obfuscation techniques). So you have a cost-effectiveness tradeoff: how much work & resource can your client afford to make it very difficult? Or is "barely difficult" enough?

Basile Starynkevitch
  • That's interesting. I didn't know about this. So where does the problem lie? In the JVM that interprets the Java language, or the mechanisms used to encrypt the content? On the other hand, the decision isn't mine when it comes to contents. The party that I work with requests that the contents should be hidden. And that has, in fact, put me in a difficult situation. – labir pinima Aug 29 '16 at 07:35
  • That is your social problem, and it has no technical solution. Your client is incredibly naive. – Basile Starynkevitch Aug 29 '16 at 07:37
  • Ok. Forget my social problem. I want to know more information about what you mentioned early. That's really very important. Where can I get that? Might you share your experience for future reference and to help others? – labir pinima Aug 29 '16 at 07:41
  • Actually, a good source of information might be any free software organization. But be prepared to be flamed. Actually, you are fighting a lost battle. My feeling is that your job might be to educate your client. – Basile Starynkevitch Aug 29 '16 at 07:47
  • Since you are from France, I can speak French here. Thank you very much. However, that is against the rules :) See you soon – labir pinima Aug 29 '16 at 07:52
  • 1
    @labirpinima One thing you can do besides encrypting is obscuring the storage structure, like naming the files "da39a3ee5e6b4b0d3255bfef95601890afd80709" instead of "machine working.mpeg" and having an iPod-like folder structure, i.e., random folder names like `F4C2`, `M_zK` etc. But as @basile-starynkevitch says, that will not prevent hackers or very motivated persons from discovering and copying the files. – Tulains Córdova Aug 29 '16 at 07:59
  • What surprises me a lot is that there are still some industries and managers naive enough to pay developers losing time on such things.... (and also, naive enough consumers to accept such crap). – Basile Starynkevitch Aug 29 '16 at 08:05
  • 2
    what surprises me is that there are still people assuming that everything should be free... – jwenting Aug 29 '16 at 08:22
  • 1
    Not everything. However, read Piketty & Tirole (economists) about these issues. But a content I have bought or obtained legally is mine, and I don't expect apps to hide it or duplicate it on my computer. Not every property (particularly digital content) needs to be protected by DRM. Sometimes, law is enough. – Basile Starynkevitch Aug 29 '16 at 08:25
  • @Basile: you are confusing things, and turning a technical issue into a political one. This is no place to discuss about freedom, licensing vs buying, etc. But pretending that one can defeat _any_ security measure the OP can take doesn't make them useless. For instance, a minimal amount of security (e.g. encryption, obfuscation) can help you make a case in court: an "offender" (whatever that means) cannot pretend he just stumbled upon the PDF by accident as he had to apply complex techniques (e.g. reverse engineering) to recover it from outside the app. –  Aug 29 '16 at 12:35
  • Then, there should be a cost-effectiveness trade-off. And then, the original question should have been phrased very differently (e.g. "cannot be accessed" -> "be difficult to access with reasonable effort"). But https://www.defectivebydesign.org/ has some related points (including *technical* ones). – Basile Starynkevitch Aug 29 '16 at 12:38
  • In fact, the aim of my question is to ask for some techniques to make things harsh and difficult for someone who wants to crack the contents. And not fully restrict access to the content. That's actually impossible, as there is always someone out there that is smarter than you think. However, I unfortunately mis-formulated the question. That led me to explore other concepts I didn't know about. So be it what it is, this conversation about open/closed source gave me insights on new topics. – labir pinima Aug 29 '16 at 18:22
0

I would simply store my content in a cloud environment and let them access it at runtime. At runtime it will be retrieved from the cloud encrypted while streamed to the user's computer and decrypted when the streaming is done. The encryption key should be 128 bit and rotate - it may even come from the service as well.
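
An added example (not code from any of the posts above) of the at-rest approach raised in the first answer and its comments: each item is encrypted with AES-GCM under a 128-bit key and written under an opaque, hash-derived name. The class name `ContentStore`, the SHA-256 naming scheme and the in-memory handling of whole files are assumptions made for illustration; as the first answer points out, anyone who extracts the key from the running application can still decrypt the files.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class ContentStore {                    // hypothetical class, not from the page
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private final Path root;
    private final SecretKey key;               // assumption: the app supplies the key

    ContentStore(Path root, SecretKey key) { this.root = root; this.key = key; }

    // Opaque on-disk location: hex SHA-256 of the title, first byte as folder name.
    Path pathFor(String title) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256")
                .digest(title.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : d) hex.append(String.format("%02x", b));
        return root.resolve(hex.substring(0, 2)).resolve(hex.substring(2));
    }

    void put(String title, byte[] plain) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);      // fresh nonce for every write
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(title.getBytes(StandardCharsets.UTF_8)); // bind file to its title
        byte[] ct = c.doFinal(plain);
        Path p = pathFor(title);
        Files.createDirectories(p.getParent());
        Files.write(p, ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array());
    }

    byte[] get(String title) throws Exception {
        byte[] blob = Files.readAllBytes(pathFor(title));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        c.updateAAD(title.getBytes(StandardCharsets.UTF_8));
        // Throws AEADBadTagException if the file was modified or swapped.
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);                          // 128-bit key, as the last answer suggests
        ContentStore s = new ContentStore(Files.createTempDirectory("store"), kg.generateKey());
        s.put("machine working.mpeg", "constructed sample bytes".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(s.get("machine working.mpeg"), StandardCharsets.UTF_8));
    }
}
```

Large videos would need chunked encryption rather than whole-file buffers, and the plaintext is still visible in the application's memory once decrypted, which is the limit the first answer describes.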