I searched through a lot of questions on SO but I can't find the answer, that's why I ask the following question:

An Android app should be able to play an encrypted video file (stored on the SD card and retrieved from a webserver). The file has to be stored on the SD card so that the app can play the video file without having an active internet connection. Because the video files may not be copied, the plan is to encrypt them server side when uploading the files to a webserver.

What is the best option?

1) I have seen suggestions for running a local webserver which decrypts the file (and how to do this?)

2) or should we decrypt the file, save it as a temporary file and set this temporary file as the source for the videoplayer?

3) something completely different?

You are trying to implement a DRM scheme, and a naive one at that. Look into DRM schemes and report back if you cannot implement the impossible. All you can hope for is obfuscation, and there are plenty of ways of doing that (none of them are secure of course).

You will expose the user to a waiting time if you choose to decrypt a entire big video beforehand. As of the security, you can guess it's a poor idea to have the contents in clear in a file, even temporary. The local webserver is a better choice because it's a streaming method, so without file storage. There is no class for an http server in the SDK, you have to implement your own one, otherwise look for an existing library similar to LocalSingleHttpServer.