I haven't been able to find a clear answer to this question, so here it is;
I want to use Realm for Android to store files in an encrypted way, then be able to open/view those files without needing to actually save them in the phone. Those would be sensitive data file so It would be perfect if it stay in the local database of my app.
Is Realm well suited for my case or if not, what else would be for Android?
Realm suits or not. You may need to reconsider.
If you just want to encrypt a database, it is easy. Just give it an encryption key when you init a Realm instance.
However, there are some side effects.
Save big files to Realm will slow it down.
The danger of data corruption. If you database file is corrupted, all data is lost. So you have to backup. That means saving files into Realm will cause your app takes at least twice the size of saving the files in filesystem directly.
The encryption key. You must design an encryption key that basing on each device other than just using one same key in your app. Or someone just needs to copy the database file from another's phone to his own and your app will decrypt the database for him.
You can check out this previous answer for a more deep explanation about saving images on Realm (it's on iOS, but the basics are the same: Don't do it if there's a lot of images.)
In your specific use case, did you consider saving encrypted images on the filesystem and the references for the image in Realm? You just need the file path and the encryption key in the database to work.
Related
I have folder named docFolder located inside download directory of device interval memory. The folder contains lot of files in different format (html,png,jpg etc...).
How can I easily programmatically encrypt docFolder so that users can not open the folder. I also need to decrypt docFolder programmatically so that I can use the files in my code.
Please help.
Having done the research for your use case before, I can help you with my results and findings.
You can use symmetric algorithms for encryption and decryption. These symmetric encryption algorithms are relatively faster and consume fewer resources for computation.
You can read about symmetric cryptosystem here.
You will find lots of Java codes for each algorithm.
You need to ensure that the key used for symmetric encryption is not stored locally as users can Decompile the APK and access the code. For this, you can retrieve the keys for each user from public cloud database services like Firebase, etc.
So instead of encrypting the folder, you can encrypt your important docs and store them in the app's dedicated path.
In general, Other regular apps cannot access your app's dedicated path. Android won't allow that. But the users can browse through them using any file browser.
Read about Data and File Storage in Android here and choose the best suitable method for your use case.
Hope this is helpful.
you can not encrypt Folders but you can encrypt files
take look at
http://www.codejava.net/coding/file-encryption-and-decryption-simple-example
keep in mind encrypting an decrypting is comes with costs of battery usage and time (depends on your file size you might even have lag on app).
you should only encrypt very important,sensitive data
if you don't want users access your file directly, you can store them in sqlite
I've been searching a way to implement SQLCipher on my prepopulated database containing more than a million entries. Last three months is the time I've fully devoted to my project's database and it's now complete which led me to a problem.
My app's database is something that I know will be copied in a week or so and copying database is so easy (just open the apk with WinRAR). And in India, No one cares about copyrights so that'll be of no use.
Basically I want to protect my app's database from copying keeping in mind that app should work offline (that being said no PHP/SQL servers).
I've checked GitHub/Google for it and only thing I've found is SQLCipher by Zetetic. Very same thing on GitHub - Here.
Also, One can import following library now: net.zetetic:android-database-sqlcipher:3.5.2#aar and can use this for securing database but it's something works on databases created by app and not on prepopulated. (lib taken from this answer on SO).
-> Now, for me the million dollar question is Is there anyway by which I can either password protect or encrypt my database without putting the database on any server?
P.S. -> I want to make my app work offline and also, I'm just a student and at least for now, can't afford Zetetic's paid service.
Edit - I've gone through codes of some google apps storing databases for some help but they are just using .out files (easily openable with Word/Text editor) compressed in .gz files which is not something I should use.
implement SQLCipher on my prepopulated database
This is pointless. Anyone who wants to can grab the encrypted database, grab the encryption key out of your app, and decrypt the database.
I want to protect my app's database from copying
Don't put it on the device.
keeping in mind that app should work offline
Depending on the nature of your app, you might be able to cache bits of data for offline use, for reduced functionality while offline.
A simpler solution is to not worry about the fact that the database may be copied. To paraphrase Tim O'Reilly, your problem is not security but obscurity.
I am creating an app having a large database file of 450 MB. I am storing it in SD card. I want to secure it as it has some sensitive data. If anyone can tell me the best way to do it, it will solve my problem.
I also tried a sample but it was working for small DB file. If I am using 450 MB Db, it is not working and it takes a very long time.
And also please let me know whether it is possible or not to secure such a large data.
It kind of is, but not really. You can encrypt it, and get the decryption key from a server. There is no other way to secure it, as the user can always pop the sd card into an sd card reader. And if the decryption key is local they can decompile your app.
Here's the problem- the encrypted file can't be used by SQLite. So you'd have to decrypt it to disk, and it can be grabbed at that point. So no, its not really possible to secure a database file at all. You're better off keeping the information on a server and querying it via webservice if you want to keep the data secret.
I'm working on an application that it took me about 2 whole month to collect data.
how can I protect my database and files? because of a big size of database, I zipped it (with password) and put it in asset folder. I can unzip it.
2 questions:
where I can extract it that no one can access it even though they have a rooted device ?
after extracting my database from zipfile ,I want to copy it to my application database . is there anyway users can access the database ?
Depends on how smart an attacker you're expecting. If you're expecting the average user, don't worry about it- just put it in your data directory, they'd have to root the phone to see it. From a power user you can encrypt the files. From a determined hacker that won't work- he'll decompile the apk and find the key. You can pass the key from a website, but a good hacker will run it under a debugger and find the key in memory. The best way to secure most of the data would be not to have it in the app but only download what you need via webservice as you need it, but that will cost money and time.
As I know there is no way to hide your files from user sight. they can access your resources sometimes so easy. but you should encrypt your data.
You can use SQLCipher library to protect your data. see http://sqlcipher.net/
Although it has some overhead but you can distribute your data in a safe way.
Hope it can help you
In my android projects I need database to store data for offline usage.
For that I am looking at two options 1)Creating the empty db and copying it to asset 2)Creating the db via code
which option will be good as my app is handling secure data.
weather it will cause any security vulnerability if we store the db structure in asset folder as it will be easily available if we extract .apk file.
Thanks for your support
If your database has something you don't want your legitimate user to see, look for a new project because you cannot attain that. Using a static database in the APK is as you know, easily viewable, but creating it from your app also leaves something that is viewable. You could encrypt the contents, but then you have the problem of how you store the key in a way the user cannot access -- so you really haven't solved anything.
Back to your original question though -- is the data static, or is your application ever going to make changes to it? If the data is static, providing a pre-populated database is fine. If the application is intended to be able to make changes though, you are much better served by letting the application create and manage updates on the database, its schema, and its contents. Following Google's examples will get you there.