This is from the zip4j source
public ZipInputStream getInputStream() throws ZipException {
if (fileHeader == null) {
throw new ZipException("file header is null, cannot get inputstream");
}
RandomAccessFile raf = null;
try {
raf = createFileHandler(InternalZipConstants.READ_MODE);
String errMsg = "local header and file header do not match";
//checkSplitFile();
if (!checkLocalHeader())
throw new ZipException(errMsg);
init(raf);
...
}
private RandomAccessFile createFileHandler(String mode) throws ZipException {
if (this.zipModel == null || !Zip4jUtil.isStringNotNullAndNotEmpty(this.zipModel.getZipFile())) {
throw new ZipException("input parameter is null in getFilePointer");
}
try {
RandomAccessFile raf = null;
if (zipModel.isSplitArchive()) {
raf = checkSplitFile();
} else {
raf = new RandomAccessFile(new File(this.zipModel.getZipFile()), mode);
}
return raf;
} catch (FileNotFoundException e) {
throw new ZipException(e);
} catch (Exception e) {
throw new ZipException(e);
}
}
I believe the raf = new RandomAccessFile(new File(this.zipModel.getZipFile()), mode);
line means it's indeed making a decrypting file, under a subdirectory of path of the encrypted zip file.
I don't know if you can unzip on the fly (probably not). If you don't want people looking at the decrypted file, consider storing the zip file in your app's protected internal storage space rather than the sd card.