
Android IPC and ContentProvider differences


I am trying to decide the best approach to expose encrypted content stored on the phone to 3rd party apps. The content is sensitive and needs to be protected so only certain apps can access it. The approaches I'm investigating are IPC and Content Provider. Below is what I believe to be some of the pros and cons of both for my situation.

IPC - Pros

  • Flexible response types to client. Different error codes and levels of restricted access can be returned

IPC - Cons

  • More complicated to implement than Content Provider

  • Would have to write own way of securing access to content.

Content Provider - Pros

  • Easy to implement

  • Easy to secure access by making provider definition permission: protectionLevel=signature

Content Provider - Cons

  • To secure access, the Content Provider's key signature must be shared with 3rd party app which isn't ideal.

  • Limited flexibility in result types returned. Content Provider returns only a Cursor object for the columns that were queried.


Are there any major differences in performance and battery?
Can either execute asynchronously?
Any other comments/suggestions to the list?


Solution

> Easy to secure access by making provider definition permission: protectionLevel=signature

That only works if you are the only firm using the content provider.

> To secure access, the Content Provider's key signature must be shared with 3rd party app which isn't ideal.

I would describe this more as "may meet the medical definition of 'insanity'". Your third parties will be able to modify your "secure" data, forge applications as having been published by you, leak your signing key to malware authors, etc.

> Content Provider returns only a Cursor object for the columns that were queried.

You can use the file-based content provider API in addition to, or instead of, the Cursor-based content provider API. See methods like openInputStream() on ContentResolver.

> Are there any major differences in performance and battery?

Not especially.

> Can either execute asynchronously?

Both can, though personally I find it a bit easier with services.

> Any other comments/suggestions to the list?

Permissions work equally well with services and content providers, but I wish to re-emphasize that you should never be sharing your signing key with third parties, except perhaps at gunpoint.
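
One way to limit a provider to specific third-party apps without anyone sharing a signing key, shown as an added example that is not code from the question or the answer: the provider checks the calling UID's signing certificate against an allowlist of partner certificate digests. It assumes API 28+ and an exported provider; the class name `VaultProvider`, the file `vault.bin` and the all-zero digest are hypothetical placeholders.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.net.Uri;
import android.os.Binder;
import android.os.ParcelFileDescriptor;
import android.os.Process;
import java.io.File;
import java.io.FileNotFoundException;
// Hypothetical read-only provider; hasSigningCertificate() requires API 28+.
public class VaultProvider extends ContentProvider {
    // Placeholder value: use the SHA-256 digest of each partner's OWN signing
    // certificate. Partners keep their keys private, and so do you.
    private static final String[] ALLOWED_CERT_SHA256 = {
        "0000000000000000000000000000000000000000000000000000000000000000" };

    private static byte[] fromHex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    // Throws unless the caller is this app or is signed with an allowlisted cert.
    private void enforceAllowedCaller() {
        int uid = Binder.getCallingUid();
        if (uid == Process.myUid()) return; // in-process call
        PackageManager pm = getContext().getPackageManager();
        for (String digest : ALLOWED_CERT_SHA256)
            if (pm.hasSigningCertificate(uid, fromHex(digest), PackageManager.CERT_INPUT_SHA256))
                return;
        throw new SecurityException("Caller uid " + uid + " is not an approved app");
    }

    @Override public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        enforceAllowedCaller();
        // Serve one fixed file read-only; the URI never selects a path on disk.
        File f = new File(getContext().getFilesDir(), "vault.bin");
        return ParcelFileDescriptor.open(f, ParcelFileDescriptor.MODE_READ_ONLY);
    }
    // No tabular data here; the check still runs, and clients use openInputStream().
    @Override public Cursor query(Uri u, String[] p, String s, String[] a, String o) { enforceAllowedCaller(); return null; }
    @Override public boolean onCreate() { return true; }
    @Override public String getType(Uri u) { return "application/octet-stream"; }
    @Override public Uri insert(Uri u, ContentValues v) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri u, String s, String[] a) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri u, ContentValues v, String s, String[] a) { throw new UnsupportedOperationException(); }
}
```

The same `enforceAllowedCaller()` check can run at the top of each Binder method of a bound service, since `Binder.getCallingUid()` identifies the caller there as well.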