I'm planning to store hashed passwords and PINs using realm. I've been researching on salting, and it's recommended to have a different salt for each password / PIN. Also it's recommended that the salt should be somewhere within the database.
My question is are .realm files secure? Is there a way to guarantee that the contents of the .realm files cannot be opened?
In general you can get the the realm file from the phone (if it rooted) and read it via realm browser (https://github.com/realm/realm-browser-osx). But there are possibility to encrypt the *.realm file. Look at the corresponding section of the documentation https://realm.io/docs/java/latest/#encryption .
Realm files aren't encrypted by default, however realm does support encryption of the files.
You can view the encryption documentation here, and an example implementation here.
You should also read up on the Android keystore, which will allow you to securely store the key.
Related
I read many tutorial and topic about this about SqlCipher , but I didn't understand what should I do exactly!
I have ready database in my assets folder . My database contains about 4 tables and 5000 records .I want to make it more secure.How I can do it ? Could somebody help me with this problem ? As I am novice with android , I need step by step solution . At the moment I use sqliteasset.SQLiteAssetHelper library to read database from assets folder.
Do not waste development time on encryption of client-side data - the data which should be accessible by the application in unattended manner (i.e. decrypted by application without user's input of any kind of password).
Here is an explanation of my statement:
Lets assume that you managed to protect(encrypt) your database by some encryption key and application upon startup should read all encrypted data.
It means that your application should have built-in key required for the decryption.
And any person with minimal reverse-enginering knowledge can extract both key and the database from your apk file and decrypt it.
When you design security mechanism to protect the data one of the first questions which you need to answer is:
How much time adversary will need to spend to open the data?
If your answer is something like "It will require 10,000 years to brute force my protection" then your protection is probably ok.
But right now you are trying to implement security through obscurity and it newer works.
Determined person can easily extract encryption key from your own code and decrypt your database in almost no time.
When you design client-server architecture there is only one way to protect trade secrets - place everything sensitive to the server side.
If your client-side application relies on some business sensitive information (like calling some paid APIs with your own API key) then your application has design flaw.
If your application relies on information which is not business sensitive then it does not make sense to encrypt this information.
I have folder named docFolder located inside download directory of device interval memory. The folder contains lot of files in different format (html,png,jpg etc...).
How can I easily programmatically encrypt docFolder so that users can not open the folder. I also need to decrypt docFolder programmatically so that I can use the files in my code.
Please help.
Having done the research for your use case before, I can help you with my results and findings.
You can use symmetric algorithms for encryption and decryption. These symmetric encryption algorithms are relatively faster and consume fewer resources for computation.
You can read about symmetric cryptosystem here.
You will find lots of Java codes for each algorithm.
You need to ensure that the key used for symmetric encryption is not stored locally as users can Decompile the APK and access the code. For this, you can retrieve the keys for each user from public cloud database services like Firebase, etc.
So instead of encrypting the folder, you can encrypt your important docs and store them in the app's dedicated path.
In general, Other regular apps cannot access your app's dedicated path. Android won't allow that. But the users can browse through them using any file browser.
Read about Data and File Storage in Android here and choose the best suitable method for your use case.
Hope this is helpful.
you can not encrypt Folders but you can encrypt files
take look at
http://www.codejava.net/coding/file-encryption-and-decryption-simple-example
keep in mind encrypting an decrypting is comes with costs of battery usage and time (depends on your file size you might even have lag on app).
you should only encrypt very important,sensitive data
if you don't want users access your file directly, you can store them in sqlite
I haven't been able to find a clear answer to this question, so here it is;
I want to use Realm for Android to store files in an encrypted way, then be able to open/view those files without needing to actually save them in the phone. Those would be sensitive data file so It would be perfect if it stay in the local database of my app.
Is Realm well suited for my case or if not, what else would be for Android?
Realm suits or not. You may need to reconsider.
If you just want to encrypt a database, it is easy. Just give it an encryption key when you init a Realm instance.
However, there are some side effects.
Save big files to Realm will slow it down.
The danger of data corruption. If you database file is corrupted, all data is lost. So you have to backup. That means saving files into Realm will cause your app takes at least twice the size of saving the files in filesystem directly.
The encryption key. You must design an encryption key that basing on each device other than just using one same key in your app. Or someone just needs to copy the database file from another's phone to his own and your app will decrypt the database for him.
You can check out this previous answer for a more deep explanation about saving images on Realm (it's on iOS, but the basics are the same: Don't do it if there's a lot of images.)
In your specific use case, did you consider saving encrypted images on the filesystem and the references for the image in Realm? You just need the file path and the encryption key in the database to work.
I'm working on an Android project that utilizes Couchbase-Lite (1.1.0) and the requirements are that all data (the documents themselves and any Couchbase attachments) is encrypted prior to storage.
I had originally envisioned encrypting the entire database file using something like SQLCipher, but I haven't been able to find a straightforward implementation for that (I know that the Couchbase-Lite implementation for iOS uses this approach, but the Android build is a bit behind), so instead my plan is to encrypt the documents (the JSON representation) and the attachments (the stream) before saving them into Couchbase-Lite database.
My questions:
What are the recommendations for this kind of encryption? What methodology / libraries? I assume AES-256, but should I build it myself or utilize a 3rd party library (any suggestions)?
What's the best way to maintain a passphrase within the device that is more secure than hardcoding it within the app (which is really, really bad)?
Has anyone seen something similar to this (my googling ability has left me high and dry) that could point me to a similar use case?
Thanks!
Use an existing AES library. Either use CBC mode with an HMAC to check authenticity, or a self-checking mode like GCM. Not all libraries have GCM since it is more recent.
Write the passphrase on a piece of paper and keep it in a locked drawer. That is unhackable. Type it in when needed. Clear the memory immediately after you have finished using it. Alternatively, keep it on a memory stick, and lock that in the drawer. You will still need to clear the memory. Change the passphrase regularly. Yes, this does mean decrypting the entire database with the old key and re-encrypting with the new key. Allow time in your daily/weekly/monthly/whatever schedule to do this. Just before a backup is good. Keep the old passphrase securely offline, in a safe perhaps, in case you need to rederive the key to recover an old backup.
Look at a good Key Derivation Function like HKDF (from RFC 5869) to derive the actual key from your passphrase.
This is crypto, and it is complex. It has all been done before, so you need to stick to tried and tested methods.
My question is related to following questions.
Security of Android assets folder
Assets Security in Android
Basically the application which I am making has some mp3 resources which I wanted to secure. So is there library which work on android to encrypt and then decrypt resources especially mp3 files.
Thanks.
Keep in mind that any method of encryption that you use will need storing the key to decrypt the encrypted data. This key will have to be available to your application and thus to anyone who has access to your application. By encrypting the data you change the problem of hiding your data to the problem of hiding your key and there is pretty much no way around it. The most you can do is to make your data harder to read but it can't be made impossible to read, unless you run your application on a trusted computing platform, as I said in my answer to your previous question.