I’m planning on developing an app and I don’t want it to be ‘online only’, so I want to be able to store data internally on the user’s device, as app data. Is this ‘secure’? Or can people fiddle with the app data? Is there ANY secure offline way to store app data?
I tried reading http://developer.android.com/guide/topics/data/data-storage.html#filesInternal, which suggested it is secure, but somewhere else someone said rooted phones could disregard this. So is it secure or not? If so, is there any way to ‘block the app’ if the phone is rooted?
On a rooted phone the user can read the data.
With Jelly Bean, Google tried to encrypt application data to prevent that from happening, but this feature is disabled for now because it broke too many apps.
Some ways of rooting the phone you can detect, for instance using roottools.
But there is no reliable way of detecting all the ways in which a phone could be rooted.
And even if you could make sure the phone is not rooted, what would prevent the user from rooting the phone after you downloaded the data?
Be aware that even if you don’t download the data to a file, using a rooted phone the attacker could still transmit the .dex file of your application to his PC. He can then decompile it (for example by using dex2jar and jd-gui) to gain information on how to read the data from your server.
Thus any info your app accesses from the server an attacker can potentially access as well.
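The tampering point above, as an added illustration that is not part of the original question or answer: a tamper-evident local record keyed by a value compiled into the app versus one keyed by a secret only the user knows. The record, the salt and the "embedded" key constant are all constructed sample values, and the code is platform-neutral Python rather than Android code.

```python
import hashlib
import hmac
import json
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 output length

def derive_key(passphrase: str, salt: bytes) -> bytes:
    # Key exists only while the user is typing the passphrase; nothing in the APK reveals it.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def seal(record: dict, key: bytes) -> bytes:
    # On-disk layout: tag || JSON body, where the tag is an HMAC over the body.
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, body, "sha256").digest() + body

def verify(blob: bytes, key: bytes) -> Optional[dict]:
    # Returns the record if the tag matches, None if the file was modified.
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, "sha256").digest()
    return json.loads(body) if hmac.compare_digest(tag, expected) else None

def edit_file(blob: bytes, new_record: dict, key: Optional[bytes]) -> bytes:
    # Model of someone with root editing the stored file: with the key they can
    # re-seal; without it they can only swap the body and keep the stale tag.
    if key is not None:
        return seal(new_record, key)
    return blob[:TAG_LEN] + json.dumps(new_record, sort_keys=True).encode()

# Constructed sample data: a saved record and an edited copy of it.
SAVED = {"user": "alice", "coins": 10}
EDITED = {"user": "alice", "coins": 999999}

# Constructed constant standing in for a key compiled into the .dex file.
EMBEDDED_KEY = b"constructed-key-that-ships-inside-the-apk"

def embedded_key_check() -> Optional[dict]:
    # The key is recoverable from the decompiled app, so the re-sealed edit
    # verifies as genuine: the check detects nothing.
    blob = seal(SAVED, EMBEDDED_KEY)
    return verify(edit_file(blob, EDITED, EMBEDDED_KEY), EMBEDDED_KEY)

def user_secret_check() -> Optional[dict]:
    # Key derived from a passphrase the app never stores; an edit made
    # without it fails verification.
    salt = b"constructed-16-byte-salt"  # in practice random, stored beside the file
    key = derive_key("correct horse battery staple", salt)
    blob = seal(SAVED, key)
    return verify(edit_file(blob, EDITED, None), key)
```

This only makes edits detectable; a rooted user can still read the plaintext body, and if the passphrase or derived key is cached on the device, root can read that too.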