I need to encrypt some of the data stored in my Android SQLite database, and I wonder what my options are if i want a lightweight option? Is SQLCipher still the best if speed is priority?
IMHO, SQLCipher is still an optimal solution. It provides AES 256 bit encryption which is pretty good.
Related
I have an application that stores its data and test results in a SQLite database on either and Android or ios phone.
Is it possible to secure this data so that only the application can access it or is the data open to anyone (that knows how) to go in and make changes to the database?
You could look into encrypting your db. There are libraries like SQLCipher you could look into.
Since the database is just a file in SQLite, if other apps can't access that file you're good.
If you mean accessing it by tinkering with the filesystem, it's definitely possible on Android, unless you encrypt the file. On iOS it's a bit more difficult, but on a jailbroken phone it's entirely possible as well.
You'd want to research SQLite encryption libraries, but these are different on iOS and Android. If you want a common approach, encrypt the file and decrypt it before access.
SQLCipher is a popular library for encrypting your db on Android.
You should definitely enable Proguard as well if you're worried about modifications to your app.
Is the data open to anyone (that knows how) to go in and make changes
to the database?
Yes:
Jailbroken iPhone,iPad.
Rooted Android device.
Is it possible to secure this data so that only the application can
access it?
Not really but you can make it harder to leak through encrypting all the sensitive informations. Note: Do not use an opensource Encryption/Decryption chances are that the hacker also knows about it and it will be used againts you. Implements your own Encryption and Decryption instead if you have time.
Is it possible to encrypt the whole database? I'm currently using AES 256 ECB encryption for field level encryption. I need to know if there is any good option for encrypting the whole database.
Maybe this is what you are looking for:
SQLCipher is an SQLite extension that provides transparent 256-bit AES
encryption of database files.
Source: Android database encryption
You can also encrypt database with different available standard library.
we used below library it works very good..
One of them is : https://github.com/sqlcipher/sqlcipher
For Specific to Android : https://github.com/sqlcipher/android-database-sqlcipher
I'm working on an Android project that utilizes Couchbase-Lite (1.1.0) and the requirements are that all data (the documents themselves and any Couchbase attachments) is encrypted prior to storage.
I had originally envisioned encrypting the entire database file using something like SQLCipher, but I haven't been able to find a straightforward implementation for that (I know that the Couchbase-Lite implementation for iOS uses this approach, but the Android build is a bit behind), so instead my plan is to encrypt the documents (the JSON representation) and the attachments (the stream) before saving them into Couchbase-Lite database.
My questions:
What are the recommendations for this kind of encryption? What methodology / libraries? I assume AES-256, but should I build it myself or utilize a 3rd party library (any suggestions)?
What's the best way to maintain a passphrase within the device that is more secure than hardcoding it within the app (which is really, really bad)?
Has anyone seen something similar to this (my googling ability has left me high and dry) that could point me to a similar use case?
Thanks!
Use an existing AES library. Either use CBC mode with an HMAC to check authenticity, or a self-checking mode like GCM. Not all libraries have GCM since it is more recent.
Write the passphrase on a piece of paper and keep it in a locked drawer. That is unhackable. Type it in when needed. Clear the memory immediately after you have finished using it. Alternatively, keep it on a memory stick, and lock that in the drawer. You will still need to clear the memory. Change the passphrase regularly. Yes, this does mean decrypting the entire database with the old key and re-encrypting with the new key. Allow time in your daily/weekly/monthly/whatever schedule to do this. Just before a backup is good. Keep the old passphrase securely offline, in a safe perhaps, in case you need to rederive the key to recover an old backup.
Look at a good Key Derivation Function like HKDF (from RFC 5869) to derive the actual key from your passphrase.
This is crypto, and it is complex. It has all been done before, so you need to stick to tried and tested methods.
I want to develop a simple encryption application for android. Which algorithm should I use to encrypt all data types such as images, office documents, multimedia, etc and why its a good one?
Does AES covers all types of data ?
AES can encrypt any data that can be represented as a sequence of bytes, so it can encrypt all types of data.
AES has been through a great deal of testing, and nobody has broken it yet. Pretty much every encryption library will include AES, including both Bouncy Castle and Spongy Castle for Android. AES is the standard and is your first choice, unless you have specific reasons for not using it.
Use it in either CBC mode with PKCS7 padding or CTR mode. Yes, if you don't know you will need to learn a bit about block cypher modes and cryptographic padding.
For authentication, if you require it, either use HMAC-SHA256 or GCM mode, which includes authentication.
Yes, I believe you can encrypt everything you want with AES. Just treat all data types as a stream of bytes. No problem here.
Can anyone kindly tell that can we use Hadoop and any NoSQL database like MongoDB tec with Android instead of SQLite. And if yes then how to do that (I mean what is the process to do so), because SQLite is embedded in Android and for MongoDB etc will we have to use separate Server etc or it can be used as embedded.
And which DB is better to use SQLite or MongoDB
Hadoop itself is very resource intensive. It is developed for large cluster of machines not a single mobile device. Added to that the strength of NoSQLs is also the large cluster of machines that can process them. If you have such limited in storage and processor power machine as mobile device you will suffer a great overhead.
Maybe it will be possible to set Hadoop and NoSQL, but you will have to pay orders of magnitude in performance. I strongly suggest you do not do that - better start off learning traditional SQL.
In cases, when relational databases will do, hadoop and NoSQL solutions are usually inferior solutions.
Usually scalability and fault tolerance are put in their DNA in expense of performance and efficiency.
So I would not recommend trying these solutions in cases when your load / data volumes requires scale out to clusters.