I read many tutorial and topic about this about SqlCipher , but I didn't understand what should I do exactly!
I have ready database in my assets folder . My database contains about 4 tables and 5000 records .I want to make it more secure.How I can do it ? Could somebody help me with this problem ? As I am novice with android , I need step by step solution . At the moment I use sqliteasset.SQLiteAssetHelper library to read database from assets folder.
Do not waste development time on encryption of client-side data - the data which should be accessible by the application in unattended manner (i.e. decrypted by application without user's input of any kind of password).
Here is an explanation of my statement:
Lets assume that you managed to protect(encrypt) your database by some encryption key and application upon startup should read all encrypted data.
It means that your application should have built-in key required for the decryption.
And any person with minimal reverse-enginering knowledge can extract both key and the database from your apk file and decrypt it.
When you design security mechanism to protect the data one of the first questions which you need to answer is:
How much time adversary will need to spend to open the data?
If your answer is something like "It will require 10,000 years to brute force my protection" then your protection is probably ok.
But right now you are trying to implement security through obscurity and it newer works.
Determined person can easily extract encryption key from your own code and decrypt your database in almost no time.
When you design client-server architecture there is only one way to protect trade secrets - place everything sensitive to the server side.
If your client-side application relies on some business sensitive information (like calling some paid APIs with your own API key) then your application has design flaw.
If your application relies on information which is not business sensitive then it does not make sense to encrypt this information.
Related
I've been searching a way to implement SQLCipher on my prepopulated database containing more than a million entries. Last three months is the time I've fully devoted to my project's database and it's now complete which led me to a problem.
My app's database is something that I know will be copied in a week or so and copying database is so easy (just open the apk with WinRAR). And in India, No one cares about copyrights so that'll be of no use.
Basically I want to protect my app's database from copying keeping in mind that app should work offline (that being said no PHP/SQL servers).
I've checked GitHub/Google for it and only thing I've found is SQLCipher by Zetetic. Very same thing on GitHub - Here.
Also, One can import following library now: net.zetetic:android-database-sqlcipher:3.5.2#aar and can use this for securing database but it's something works on databases created by app and not on prepopulated. (lib taken from this answer on SO).
-> Now, for me the million dollar question is Is there anyway by which I can either password protect or encrypt my database without putting the database on any server?
P.S. -> I want to make my app work offline and also, I'm just a student and at least for now, can't afford Zetetic's paid service.
Edit - I've gone through codes of some google apps storing databases for some help but they are just using .out files (easily openable with Word/Text editor) compressed in .gz files which is not something I should use.
implement SQLCipher on my prepopulated database
This is pointless. Anyone who wants to can grab the encrypted database, grab the encryption key out of your app, and decrypt the database.
I want to protect my app's database from copying
Don't put it on the device.
keeping in mind that app should work offline
Depending on the nature of your app, you might be able to cache bits of data for offline use, for reduced functionality while offline.
A simpler solution is to not worry about the fact that the database may be copied. To paraphrase Tim O'Reilly, your problem is not security but obscurity.
I'm working on an Android project that utilizes Couchbase-Lite (1.1.0) and the requirements are that all data (the documents themselves and any Couchbase attachments) is encrypted prior to storage.
I had originally envisioned encrypting the entire database file using something like SQLCipher, but I haven't been able to find a straightforward implementation for that (I know that the Couchbase-Lite implementation for iOS uses this approach, but the Android build is a bit behind), so instead my plan is to encrypt the documents (the JSON representation) and the attachments (the stream) before saving them into Couchbase-Lite database.
My questions:
What are the recommendations for this kind of encryption? What methodology / libraries? I assume AES-256, but should I build it myself or utilize a 3rd party library (any suggestions)?
What's the best way to maintain a passphrase within the device that is more secure than hardcoding it within the app (which is really, really bad)?
Has anyone seen something similar to this (my googling ability has left me high and dry) that could point me to a similar use case?
Thanks!
Use an existing AES library. Either use CBC mode with an HMAC to check authenticity, or a self-checking mode like GCM. Not all libraries have GCM since it is more recent.
Write the passphrase on a piece of paper and keep it in a locked drawer. That is unhackable. Type it in when needed. Clear the memory immediately after you have finished using it. Alternatively, keep it on a memory stick, and lock that in the drawer. You will still need to clear the memory. Change the passphrase regularly. Yes, this does mean decrypting the entire database with the old key and re-encrypting with the new key. Allow time in your daily/weekly/monthly/whatever schedule to do this. Just before a backup is good. Keep the old passphrase securely offline, in a safe perhaps, in case you need to rederive the key to recover an old backup.
Look at a good Key Derivation Function like HKDF (from RFC 5869) to derive the actual key from your passphrase.
This is crypto, and it is complex. It has all been done before, so you need to stick to tried and tested methods.
Team,
I have an Android application with large SQLite database this data costs me lots of money and I don't want to let anybody have it easily.
This database come to me as databse.sqlite file and I shipped into into the APK assets.
is there anyway to encrypt this database before shipping and then decrypt while reading the data ?
P.S I searched for this a lot and all of my results point me to use sqlcipher but this lib does not work with shipped SQLite database file.
The problem is that you will need to store the key (or location of the key) somewhere in your code and deodexing the application doesn't take that much effort. Unfortunately, you can't really prevent anyone from accessing the data. You can only make it harder, but it will still be pretty easy for someon who is really determined.
The best solution would be to store the database on a server and only send the data the user actually needs to the device. That way you have at least some control over what data a device requests.
I need to store couple of thousand text/number combinations in a database on iPhone and on Android. While creating a database on either device is no issue - I would like to know how "confidential" can one actually make the data in such databases?
What I would like to avoid is that anyone "cracks" the complete database with all the entries.
While I don't care if one can get to some entries by any means.
It just should be as difficult as possible to extract all the data from the database.
user387184,
For the most crucial data on iOS I'd personally recommend using Keychain APIs (which can be found in the Security framework. Keychain is an encrypted storage which can be used for storing accounts, passwords, sensitive data.
However if you wish to encrypt the whole database you should take a look at the Apple's Data Protection API which allow you to easily encrypt whole database using NSFileProtectionComplete flag.
As for the Android I am not sure if there's a publicly available API for such operations. You could take a look at Android Encryption, however it is available for Android devices with Android 3.0 and higher.
An alternative approach for Android could be using a storage encrypted using simple PIN code and prompting user to input the key on each subsequent launch of the app (however from user experience point of view that wouldn't be a good solution).
I'm currently developing an Android game which saves data into a SQLite database. This is not really "sensitive" data, but I don't want users to be able to modify it (for obvious reasons of game balance, as it would be cheating). And it's quite easy to access and modify a SQLite db when your phone is rooted (there are plenty of applications for that in the market).
So should I even worry about that, or consider users with a rooted phone can do whatever they want including cheating and that's their choice? Or could I somehow encrypt the data I don't want them to modify, or add a MD5 checksum or something similar?
Another approach would be to abandon SQLite altogether and use some kind of binary files with game data.
Please let me know if some of you already encountered similar issues, and what are the approaches you followed, as well as the "good practices" in the Android gaming development community.
Thanks.
Root access for everybody and security are mutually exclusive.
Any application or user with root permissions can read and modify each and every file on your system, as well as all of the main memory. That doesn't leave many places to store a potential encryption key for the database.
You could hide parts of the key in the executables, configuration files etc, but everything you could come up with would be nothing more than obfuscation and security by obscurity.
If a user opts to grant root access to everybody, that's their decision, and it's not your job as an app developer to prevent any harm that might be caused.
Update:
Storing API keys in Android, is obfustication enough? is a pretty similar issue - it's about protecting API keys, but it's the same situation with regards to your options.
sqlcipher for Android might help here.
https://guardianproject.info/code/sqlcipher/
I think based on your requirement the best method is using consistency of data,
for example MD5 the score and time, then put score and time and MD5 in to the table, then every time wanting to use that row of DB check the MD5 of the score and time if the one in DB and the one which calculated are same, the row is consistent otherwise it was hacked!
You may find your happiness on Preferences Files Look here