App Controller supports the following encryption features for Android
devices and apps:
- Private or public data to be encrypted through the use of a security group
- The ability to prevent data sharing by using an application key to encrypt files
- The ability to prevent applications from being made public by using access limits for public files that define what the app can do with storage, such as Read Only or Read Write
- No encryption
Before you configure encryption policies for apps that run on Android
devices, you need to understand how file storage and encryption work on Android
Storing Files on Android Devices
On Android devices, files may be read or written in the following
- Internal storage
- External storage
- Vendor-specific external
How Internal Storage Works
Internal storage is a private sandbox for a specific application.
The storage path is /data/data/appname, where
appname is the name of the application. Directory
permissions can prevent other applications from accessing the files in the
How External Storage Works
External storage is a partition that is shared by all applications.
On Android devices, external storage can use internal memory. Older devices
might use an SD card for external storage.
External storage is often located at /mnt/sdcard. Within that
directory, there are subdirectories. These include:
- Android/data/appname, which is a private sandbox, similar to what exists for internal storage.
- Alarms, DCIM, Download, Movies, Music, Notifications, Pictures, Playlists, and Podcasts, which are well-known directories for specific types of content.
- Anything else that is available to the application. The application can access files in the root external storage directory or any subdirectory. The application can also create
How Vendor-Specific External Storage Works
Android devices might support external storage devices, such as
memory cards. When users insert the memory card into the device, the path is
defined by the device manufacturer. For example, on the Samsung Galaxy Tab 2,
the path is /mnt/extSdCard. The Android operating system does not manage this
Configuring File Application Policies
You can use application policies to control transparent file
encryption. The policies apply to public and private files and other areas on
- files. A vault that contains internal storage and the sandbox area for external storage.
- files. A vault that contains standard external storage and any vendor-specific external storage.
- Other. A category that you can use for key management and access limit policies.
Encryption uses the concept of inclusion prefixes and exclusion
filters. Inclusion prefixes are used to indicate whether a file is in a
particular vault. Each vault has a list of inclusion prefixes. Exclusion
filters are POSIX extended regular expressions which then cause particular
files or directories to be omitted from a vault. When determining if a path is
in a vault, the path must first begin with a prefix associated with the vault.
If the prefix exists, the path must also NOT match any of the exclusion
filters. If both conditions pass, the path is considered to be part of the
Some applications use unsupported access modes like memory mapping.
Others may try to use encrypted files before the encryption key is available.
If you encounter application issues, search the logcat log for error
messages from the ctxtfe component. These messages can point to paths or files
that should be excluded.
The following are examples of inclusion prefixes, exclusion filters,
If a vault is defined by the above inclusion prefixes and exclusion
filters, the following example paths may or may not appear in the vault:
Located in the vault.
Not in the vault because there are no inclusion prefixes that
Does not reside in the vault because of the ^app_dx/ exclusion.
The prefix is removed from the path, leaving the path
app_dx/generated23423.jar. The exclusion entry that contains the caret (^)
symbol means that the match must occur at the beginning of the string. The next
characters "app_dx/" must match exactly. The remainder of the path can be
anything. You can use this pattern to exclude everything under a specified
Does not reside in the vault because of the \.jpg$ exclusion.
The "\." indicates a match with a dot. The backslash is necessary because the
dot is a special regular expression character. The "jpg" extension is a literal
match. The "$" means match at the end of the line. This matches any path that
ends in ".jpg".
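The vault membership check described above, written out as an added example (not Citrix code): a path must start with an inclusion prefix, and the remainder after the prefix must not match any exclusion filter. The app name com.example.app, the two inclusion prefixes and the sample paths are constructed for illustration; the two exclusion filters are the ones discussed on this page.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed policy for a hypothetical app "com.example.app". The prefixes
   follow the storage paths described above; the two exclusion filters are
   the ones discussed on this page. */
static const char *PREFIXES[] = {
    "/data/data/com.example.app/",
    "/mnt/sdcard/Android/data/com.example.app/",
};
static const char *EXCLUSIONS[] = { "^app_dx/", "\\.jpg$" };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
/* 1 = in the vault, 0 = not in the vault, -1 = a filter failed to compile. */
int in_vault(const char *path)
{
    const char *rest = NULL;
    for (size_t i = 0; i < COUNT(PREFIXES) && rest == NULL; i++) {
        size_t n = strlen(PREFIXES[i]);
        if (strncmp(path, PREFIXES[i], n) == 0)
            rest = path + n;   /* filters see the path with the prefix removed */
    }
    if (rest == NULL)
        return 0;              /* no inclusion prefix matches */
    for (size_t i = 0; i < COUNT(EXCLUSIONS); i++) {
        regex_t re;            /* REG_EXTENDED selects POSIX extended syntax */
        if (regcomp(&re, EXCLUSIONS[i], REG_EXTENDED | REG_NOSUB) != 0)
            return -1;         /* surface a malformed filter, do not skip it */
        int excluded = (regexec(&re, rest, 0, NULL, 0) == 0);
        regfree(&re);
        if (excluded)
            return 0;          /* matched an exclusion filter */
    }
    return 1;                  /* prefix matched and no filter excluded it */
}

int main(void)
{
    const char *samples[] = {  /* constructed paths */
        "/data/data/com.example.app/files/notes.db",
        "/data/data/com.example.app/app_dx/generated23423.jar",
        "/data/data/com.example.app/files/app_dx/x.jar",
        "/mnt/sdcard/Android/data/com.example.app/cache/photo.jpg",
        "/mnt/sdcard/Download/report.pdf",
    };
    for (size_t i = 0; i < COUNT(samples); i++)
        printf("%d  %s\n", in_vault(samples[i]), samples[i]);
    return 0;
}
```

The third sample stays in the vault because the caret anchors ^app_dx/ to the start of the remainder, so a nested files/app_dx/ directory is not excluded. Matching is case-sensitive, so a file ending in .JPG is not caught by \.jpg$ either.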
When you configure encryption in App Controller for Android devices,
users are permitted offline access only, which allows the secrets used to derive
encryption keys to be persisted on the device.
Note: If you select Offline access permitted, Citrix recommends that you set
the authentication policy to Offline challenge only in order to protect
access to the keys and the associated encrypted content.
For a complete list of the policies that you can configure for
Android devices, including the encryption policies, see Configure MDX Policies
for Android Apps in App Controller, in this section.
Configuring Private and Public File Encryption
You can configure two types of encryption that can be applied to
either the private or public files. You can select the key type to balance
between higher security and the ability to share data. You can use both key
types with apps wrapped with the MDX Toolkit and apps that are not wrapped with
the toolkit. The two keys are:
- Security Group Key. Encrypts public files by using a key available to all MDX apps in the same security group. Using the security group key allows sharing of data between applications. However, the level of security is lower.
- Application Key. Encrypts public files by using a key only available to the specific MDX app. The application key offers the highest security. If you use the application key, it prevents data from being accessed by other MDX apps. For example, if users in the health industry have radiology files that cannot be compromised, when you upload the app to App Controller, the files are encrypted and cannot be shared.
You can also configure access limits for public files to block data
from being moved to less secure locations, such as removable storage. Access
limits are independent of encryption.