Storing and encrypting data with the Android Data Capture SDK
Storage
Since version 1.39.0, the Scanbot SDK uses the internal storage by default. All files generated by the SDK (images, PDF files, thumbnails, temporary files, etc.) are stored in the application data directory.
Using the internal storage provides the following benefits:
- All stored files can only be accessed by your app.
- It does not require storage permission prompts for your users.
You can find more information about the file storage system in the Android documentation.
Changing the default storage directory
It is strongly recommended to use the internal storage. However, you can override the default storage directory of the Scanbot SDK on initialization.
The ScanbotSDKInitializer class provides the method sdkFilesDirectory(Application application, File sdkFilesDirectory), which allows you to change the default storage directory.
Example:
loading...
When overriding the default storage location, make sure:
- you have implemented a suitable storage permissions request handling,
- the storage directory is available (e.g., not on an unmounted SD card).
Encryption
Please note Encryption is not enabled by default.
The Scanbot SDK provides the ability to encrypt all stored images and PDF files in the SDK app folder.
To accomplish this, follow these steps:
- Add the Scanbot SDK Crypto Persistence library to your app dependencies.
implementation("io.scanbot:bundle-sdk-crypto-persistence:VERSION")
- Enable files encryption in
ScanbotSDKInitializer.
loading...
The default Encryptor implementation uses the AndroidX Crypto solution under the hood. You can learn more about it in the Android documentation).
The file encryptor uses the AES256_GCM_HKDF_4KB file encryption scheme. More about this in the Android documentation).
The security-crypto AndroidX library is still in development and has an Alpha version.
Additionally, the Scanbot SDK provides a custom AES-based encryption solution io.scanbot.sdk.persistence.fileio.AESEncryptedFileIOProcessor.
To enable it, you have to set it in the SDK initializer in the useFileEncryption() method:
loading...
AESEncryptedImageFileIOProcessor publicly exposes initial salt, iterations count and IV (initialization vector) values and the generated key:
loading...
AESEncryptedFileIOProcessor does not save the password in secure storage between app sessions, so you have to implement this yourself and reuse it for SDK initialization.
Alternatively, you can use AesGcmEncryptedFileIoProcessor with a custom AESGCMEncrypterMode. This adds support for encryption/decryption on a per-context basis. Contexts, such as file URLs, are passed to encryptor APIs to enable context-based key derivation:
.useFileEncryption(enableFileEncryption = true, fileIOProcessor = AesGcmEncryptedFileIoProcessor(object :
AesGcmKeyProtocol {
override fun getAesKeyForContext(
file: String,
keyMode: AesGcmEncryptedFileIoProcessor.AESGCMEncrypterMode,
): ByteArray {
return key // return the key for the file
}
}))
If the built-in encryption methods do not meet your requirements, you can create your own encryptor by implementing a class conforming to the io.scanbot.sdk.persistence.fileio.FileIOProcessor interface.
The Scanbot SDK allows setting up a completely custom encryption implementation.
To do this, you have to implement the io.scanbot.sdk.persistence.fileio.FileIOProcessor interface and pass it to the useFileEncryption(true, your_file_io_processor) method.
An instance of FileIOProcessor will be available during the app session and the user can use it to read and copy decrypted images, PDF files and Bitmap.
For example:
loading...
Want to scan longer than one minute?
Generate a free trial license to test the Scanbot SDK thoroughly.
Get your free Trial License