I'm creating a dictionary app. I want to encrypt sqlite database (which has meaning for words) in my PC before creating the app. Then generate the apk file with that encrypted database, so that when somebody unzip the apk file, they only see encrypted database. Each and every time the user searches for a word, then the encrypted "meaning" of the word should be decrypted by the android app. I've gone through multiple threads, they talked about encrypting and decrypting the database in the phone. Please suggest me some safe methods to safeguard my hardwork.
There is no problem. Just encrypt before compiling the app, add the key to the app and decrypt in the app when needed.
Of course a competent attacker will be able to get the key.
Protecting assets from the device owner is very hard and generally requires DRM which is difficult and still not completely secure.
Actually, there should no need to encrypt any data on the mobile side because this sounds incorrect at the first place when you publish things should be secured around the world, you don't know how much the user device itself secure, and the user could be professional enough to crack your app and its security.
If you want something secured, secure it in your backend, and talk with your backend with api secured with https with headers have Auth token auto-generated for each user.
I want to encrypt the database before creating apk and decrypt it when
a user searches for a word.
If you mean decrypt inside your mobile and search inside your sqllite itself, why you encrypt it, if the code inside mobile will encrypt and decrypt, attacker even junior level one, will be able to hack your data!!
Related
My mobile app has users, so after someone log in, I send back the user id to be used for future requests (GET and POST HTTP web service calls to manage user data), and I store it in an sqlite table called user_settings after encrypting it using jbcrypt along with the salt. is this a safe way to do it?
You could use sqlcipher to encrypt the database with a randomly-generated key, created on first startup, that you store in the Android Keystore System.
As #njzk2 said, there is no way to absolutely protect this data. Encrypting the database with a random, unique key, and stashing that key in the keystore, will make things much more difficult for an attacker, even with physical access to the device. In this scenario, the goal is not to keep the attacker from ever accessing the password, but slowing the attacker down enough that the user can change their password before the attacker can use it.
I need to develop an Android application where encryption/decryption is done on client side. The data that is transported and stored in the server MUST be encrypted. The problem is that I cannot store the key of encryption/decryption anywhere.
The keys cannot be stored on the client machine. Because the admins (or someone that can access the server) should not have access to the un-encrypted data.
How to generate keys then? Can you suggest some method?
I'll assume that when you say the encryption keys should not be stored in the device, you really mean it :-) Because if that restriction were not there, you could use the KeyStore. However, this will mean the keys are stored on the device, which seems not to be what you want.
So, assuming the encryption keys are external to the device, it's somewhat straightforward as there is not much room for choice: your client app asks the user to input the encryption key in some fashion (up to you), which it uses to encrypt the data, and then forgets the encryption key immediately.
Then it sends the encrypted data to the server, where it is stored. The server does not know the encryption keys so to the server it's just an opaque blob of data.
When the user wants to retrieve the data, they have to provide the decryption key on the spot, since it's not stored on the device.
I'm developing a video game for Android. It will be an online game, which would save user's statistics, achievement, objects, etc. in the local SQLite database.
Thinking about the security... I read that a user can edit all his/her databases saved in a rooted Android device. I would not want the user to be able to edit the database of the game.
So, what can I do? Is there any option to make the DB really secure? Password? Encryption?
Thanks
A determined attacker can get at any data on the device. If you're encrypting data on the device before putting it in the database, then you have to have keys on the device and a determined attacker can get at any keys that are stored in the devices memory or persisted.
The only way encryption would help is if neither the encryption nor the decryption happens on the untrusted device -- merely the storage. You can encrypt the sensitive data on a machine you trust, storing the encrypted bits in the database for later decrypting by a machine you trust.
You can't use a password to secure this either. Passwords stored in the device memory or persisted on the device can be read as easily as private encryption keys.
If you don't care whether the user reads data from the DB, but don't want them to be able to write data, you could have critical data signed by a trusted machine before being stored. Then if the device connects to a trusted machine, it can check the signature to verify that that critical data has not been tampered with.
EDIT:
You can't trust any computation performed on an untrusted device unless you're willing to go to fairly extraordinary lengths -- the only thing you can do is verify data routed through an untrusted system via signatures, and prevent eavesdropping by an untrusted system on data passing through it via encryption.
If there's nothing online, I'm not sure what you can do. You can make it more difficult, but I'd say its unlikely to be absolutely secure. I think what I'd do is take a snapshop of the db at a checkpoint, and send that off to the server, and (basically) check that the data hasn't been changed by a user. If the hashes don't look right, you can cripple the account (or whatever).
I wouldn't get too crazy, though, unless you have a serious game.
SQLite data encryption is possible, for more detail see this.
This may also help.
I haven't been able to find a way to open a password-protected SQLite database on Android. Since the device can easily be rooted, I am thinking of password protecting the database file. However, I am not having much luck finding anything built into the Android platform.
I don't think that Android framework supports password protection on databases. Your best bet is to encrypt your data. See SO question: Android Sqlite Password Encryption
You can encrypt SQLiteDatabases. Android does not support full-database encryption so you'd have to implement that yourself if you want to.
If you want to go down the encryption route, you're much better off just encrypting the sensitive information yourself and storing it in a database field, as per Morrison's answer.
All that said -- where are you putting the password for the encryption function? You'll probably need it somewhere in your application! In which case someone can just disassemble your code and then find the password, and decrypt the info (although it will be a bit more work).
Unless you're hashing info (one-way) then without hardware encryption on a device (and even that has flaws) you cannot store anything on the device perfectly securely -- you're always going to need to decrypt the info some time and for that the password has to be on the device somewhere.
If you want really robust security then store sensitive information on a server (preferably in a really secure location), not the device, and only communicate between the device and server over encrypted channels (HTTPS). You'll also need to authenticate the device in a secure manner. But to do that you need to store some sensitive information ON the device in order to authenticate the device with the server, unless you force the user to enter a password every time (recommended if security is a must).
If the information is stored on a server you can't necessarily prevent someone who shouldn't gaining access (by finding the password you have stored or phishing the user if it's stored in their head), but you can revoke access to the information.
In my Android application I want to encrypt a db file. How can I do that?
The DB, normally, is stored in your application directory which is only accessible to the user-id assigned to your application.
I don't think there's any way to explicitly encrypt the DB using the android framework but an easier approach would be to encrypt the information you store in the DB. That works well if your user needs to enter some password to access the application and you can use this password to encrypt your information. But if your application doesn't require any password login then you will have to keep the encryption key in code and the security of your data will be compromised if some decompiles your application and finds the key.
Sun has an article that explains how to use AES encryption here. As far as I can tell all of the necessary libraries are available from Android.