zip4j: Does getting the Stream from encrypted file creates a temporary unencrypted staging area?

Question

I have the following code to read an encrypted zip file using zip4j on Android. I do not supply a temporary file. Does zip4j creates a temporary file for decryption ? Or does the zip standard allow for decryption on-the-fly so no encrypted data is temporarily written to storage ?

ZipFile table = null;
    try {
        table = new ZipFile("/sdcard/file.zip");
        if( table.isEncrypted() ){
            table.setPassword("password");
        }
    } catch (Exception e) {
        // if can't be opened then return null
        e.printStackTrace();
        return;
    }
    InputStream in = null;
    try {

        FileHeader entry = table.getFileHeader("file.txt");

        in = table.getInputStream(entry);
             ...

Answer 1

As the author of Zip4j, I can guarantee you that Zip4j will not create any temporary files for decryption.

Zip4j will decrypt data in memory and no encrypted data will ever be written to any temporary files. Zip format specs allow for on-the-fly or in-memory decryption for both AES and Standard Zip Encryption.

Answer 2

This is from the zip4j source

public ZipInputStream getInputStream() throws ZipException {
    if (fileHeader == null) {
        throw new ZipException("file header is null, cannot get inputstream");
    }

    RandomAccessFile raf = null;
    try {
        raf = createFileHandler(InternalZipConstants.READ_MODE);
        String errMsg = "local header and file header do not match";
        //checkSplitFile();

        if (!checkLocalHeader())
            throw new ZipException(errMsg);

        init(raf);
        ...
}
private RandomAccessFile createFileHandler(String mode) throws ZipException {
    if (this.zipModel == null || !Zip4jUtil.isStringNotNullAndNotEmpty(this.zipModel.getZipFile())) {
        throw new ZipException("input parameter is null in getFilePointer");
    }

    try {
        RandomAccessFile raf = null;
        if (zipModel.isSplitArchive()) {
            raf = checkSplitFile();
        } else {
            raf = new RandomAccessFile(new File(this.zipModel.getZipFile()), mode);
        }
        return raf;
    } catch (FileNotFoundException e) {
        throw new ZipException(e);
    } catch (Exception e) {
        throw new ZipException(e);
    }
}

I believe the raf = new RandomAccessFile(new File(this.zipModel.getZipFile()), mode); line means it's indeed making a decrypting file, under a subdirectory of path of the encrypted zip file.

I don't know if you can unzip on the fly (probably not). If you don't want people looking at the decrypted file, consider storing the zip file in your app's protected internal storage space rather than the sd card.