I want to secure my sqlite database.
I searched a lot but ended up with the suggestions of using SQLCipher.
Is there any new advancement in this field other than SQLCipher?
Please suggest.
If you don't want to use SQLCipher, One thing you can do is encrypt your data before storing it in the database and decrypt it at runtime when populating it.
You can use a encryption key that you can store on Firebase and retrieve it from there at your app startup, this will add another layer of security to your encryption because the key will not be exposed inside the app if someone decompiles the app.
I'm securing my database on my own, procedure is following:
ORMLite used as ORM (platform independent ORM over SQLite)
All sensible data stored in BLOB's
BLOB's secured using standard encryption technique, e.g. com.madgag.spongycastle works well under Android
Related
I wrote my sqlite database then i imported to my application,
I used this ,and it works fine.
after that I recognized that my database is unencrypted, so with any root phone can access it.
so i suggested this way:
1- encrypt my database with key then
2- return it to my application then
3- use encryption key in my code to decrypt database then
4- I use proguard to encrypt my code(because my code has the encryption key).
does this way is correct?
yes, how to do it?
no, what I must to do?
I read about sqlcipher, but I think this technique to encrypt database from creation.
is Full Database Encryption for SQLite
sqlcipher
here is example
I have a sqlite database in my app which I don't like others to extract and use it without my permission.
If this is impossible, can I use another DMS (instead of sqlite) which has this possibility?
is there any way to have an encrypted sqlite database?
You can help the user defend the user's data via something like SQLCipher for Android.
I have a sqlite database in my app which I don't like others to extract and use it without my permission.
An encrypted database, whether SQLCipher or otherwise, will not block access to the data. Your passphrase for the encryption will have to be in the app. That passphrase can be found by reverse-engineering your app. While you can use tools like DexGuard to try to make reverse-engineering more difficult, if somebody is interested in the data, they can get to it.
Is there is any difference in (encrypting the data before storing in sqliteDB) , (using SQLCipher along with sqliteDB).?
Because in both the case a hacker can able to get my passphrase(He might get from reverse engineering my code) and read my db, right?
Thanks,
Encryption using some hard-coded key is generally useless. Anyone who wants to can obtain that key through reverse-engineering.
I am trying to compile SQLite (enable SQLITE_HAS_CODEC) with encryption/codec such as the one found in wxSQLite or Libtomcrypt, so that the result build will provide an encrypted SQLite database.
But since Android security model implements a secure sandbox policy in which no app can read other apps data, will the resulting SQLite (build with encryption) work with all apps transparently and avoid secure sandbox policy, or you need to configure each project separately so that it can save encrypted data to SQLite?
I mean will it encrypt data coming from all apps to be stored in SQLite database, or it will be applicable only for one project that need to be configured for.
Thanks.
I am trying to compile SQLite (enable SQLITE_HAS_CODEC) with encryption/codec such as the one found in wxSQLite or Libtomcrypt, so that the result build will provide an encrypted SQLite database.
I would recommend that you use SQLCipher for Android, which has done all of this for you.
will the resulting SQLite (build with encryption) work with all apps transparently and avoid secure sandbox policy
No.
You could create your own ROM mod that replaces standard SQLite with your encryption-enabled one. However, no apps will actually use the encryption, because they will not be asking the user for a passphrase and using it. And while you could then say that you will use a hardwired passphrase, then you are adding no security, because anyone could go grab that passphrase and then use it to decrypt the databases.
or you need to configure each project separately so that it can save encrypted data to SQLite?
Yes, and more importantly, each project will need to ask the user for a passphrase.
You can write your database to the SDcard/external storage, and thus other apps can read it, if they know the path. Or you can provide a lib that does it.
I'm developing an application which will be storing user sensitive data. My issue is using other applications that a user can view that stored data with. Then I need to provide better security for the data in general.
Is there any way to provide better security for SQLite database and tables?
Encrypt your data before you enter it in the database. As far as I know, the SQLite database is kept in a single file somewhere in the /data/ directory. What is more, your data is kept in plain text format. This means that it will always be possible for someone to extract that data by rooting the phone, obtaining the .db SQLite file and opening it with a text editor.
So, encrypt your data :)
--
Okay, maybe not a text editor, but a simple hex editor. Anyways...
Check out SQLCipher for Android. It's free (Apache 2 and BSD licences).
PS.: Some ORMs also support SQLCipher now, e.g. our greenDAO.
The author of sqlite offers a version that encrypts data. It's not free though
You could encrypt the data using a user specific salt retrieved from your server. That way, even with root access you would need the users salt to decrypt the database. Since you have control over the salt you provide an extra layer of security, however, your user will always need a network connection to access their data.
why are you keeping sensitive data on the phone? If its sensitive, why not send it back to the server where you have control over things. If the user roots their phone, they can basically do what they want. Other than that, encrypting like Shade mentioned would probably be your only option...
Good way to protect the the Database is to use the password Protected database and you can create it by using
1- android Sql3 wrapper library
2- libsqlite3_jni.so
also please read the article below are make your search on the option above, i hope this would help much.
http://www.findbestopensource.com/product/sqlite3-android