How to upload a blob from an Android/iOS client so that the blob remains private?

    Question

  • I want to upload pictures from mobile clients (Android, iOS...) but I want these files to remain private in a private container.

    If I upload pictures using the Blob Storage library for Android, I can do it perfectly, but everyone who gets the container name, connection string or AccountKey can get the pictures that are in the "private" container.

    So any advice? Thanks in advance!

    PS: I don't wanna convert pictures to Base64 because a 100Kb .JPG picture on the phone is around 1Mb when it arrives at the server.

    Friday, May 27, 2016 11:44 AM

All replies

  • Hello Navi,

    We are checking on the query and will get back to you soon on this. I apologize for the inconvenience and appreciate your time and patience in this matter.

    Regards,

    Sapna Girish


    Sapna G

    Friday, May 27, 2016 8:33 PM
  • Hi -

    When you create a new container, it's private by default, meaning that other users can see its contents only if you grant them access. However, they will be able to see it if they have access to your connection string or account key.

    The connection string and account key in fact provide access to any data in your storage account. So you never want to make these publicly available, and if you do so inadvertently, you should regenerate your account keys in the Azure Portal so that your account can't be compromised. See https://azure.microsoft.com/en-us/documentation/articles/storage-create-storage-account/#manage-your-storage-account for details about how to do this.

    For your mobile applications, you will want to use a shared access signature (SAS) URL to grant access to objects in your storage account. The SAS is another way of authenticating that does not require the storage account key; instead it encapsulates encrypted information on the URL that the service uses to authenticate the request. With a SAS, you can specify what type of object the user can access (e.g., container or blob); what permissions they have (e.g., read, write, delete, list); and how long they have access to the object.

    In your case, from what you write above, it sounds like you will want to grant write-only permissions to your application's users so that they can upload an image to the container. Then only you, as the account owner, will be able to view the contents of the container.

    See this article for more information about using a SAS. This article shows how to do it in .NET, but the code should be similar using the Android or iOS libraries.

    https://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-shared-access-signature-part-1/

    Friday, May 27, 2016 9:30 PM
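
One way for a backend to check that a SAS URL it is about to hand to a mobile client matches the write-only, time-limited grant described in the answer above. This is an added example, not part of the original thread: it reads the service SAS query parameters sp, sr, spr, se and sig, while the function name, the policy limits (create/write only, a single blob, 15 minutes, HTTPS only) and the sample URLs are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Policy values below are assumptions for an upload-only mobile client.
ALLOWED_PERMS = set("cw")             # create + write; no read, list or delete
MAX_LIFETIME = timedelta(minutes=15)  # short window, enough for one upload

def audit_upload_sas(url, now):
    """Return the policy violations found in a SAS URL (empty list = acceptable)."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    problems = []
    if parts.scheme != "https":
        problems.append("URL scheme is not https")
    if "sig" not in q:
        problems.append("no sig parameter, so this is not a SAS URL")
    perms = set(q.get("sp", ""))
    if not perms:
        problems.append("no sp (permissions) parameter")
    elif perms - ALLOWED_PERMS:
        extra = "".join(sorted(perms - ALLOWED_PERMS))
        problems.append("permissions beyond create/write: " + extra)
    if q.get("sr") != "b":
        problems.append("sr is not 'b': token is not limited to one blob")
    if q.get("spr") != "https":
        problems.append("spr is not 'https': token is accepted over plain HTTP")
    try:
        expiry = datetime.strptime(q["se"], "%Y-%m-%dT%H:%M:%SZ")
        expiry = expiry.replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        problems.append("se (expiry) missing or not YYYY-MM-DDThh:mm:ssZ")
    else:
        if expiry <= now:
            problems.append("token has already expired")
        elif expiry - now > MAX_LIFETIME:
            problems.append("lifetime exceeds the allowed maximum")
    return problems

# Constructed sample URLs: account, container, blob and sig values are made up.
BASE = "https://exampleaccount.blob.core.windows.net/uploads"
GOOD = BASE + "/img-0001.jpg?sv=2015-04-05&sr=b&sp=w&spr=https&se=2016-05-27T22:00:00Z&sig=CONSTRUCTED"
BROAD = BASE + "?sv=2015-04-05&sr=c&sp=rwdl&se=2016-06-27T22:00:00Z&sig=CONSTRUCTED"
NOW = datetime(2016, 5, 27, 21, 50, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, url in (("GOOD", GOOD), ("BROAD", BROAD)):
        print(name, audit_upload_sas(url, NOW) or "ok")
```

The check only inspects the token's parameters; the signature itself is still created on the server with the account key, which never ships inside the app.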