I am developing an android application that contains a database previously encrypted SQLCipher in the "assets" directory. This SQLite database is copied from the directory "assets" to the application data directory.
The application makes use of SQLCipher to decrypt and access the data from the database, but the problem is that the key to the database is stored in a String, which, if someone decompile the APK file can be obtained the key.
Is there any way to protect the key to not be able to get that key to decompile the APK?
PS If you do not understand me, do not write well in English, because I am Spanish.
We provide some guidance on key material and selection here for SQLCipher, please note that hardcoding a key in application code is not suitable for any secure implementation.
Related
I have a SQLite DB that I include with the APK. DB is under Assets folder and is copied over to a folder on internal storage.
Everything works fine, however I have security concerns regarding the DB.
More specifically someone copying and opening my DB file.
How would one go about securing the DB file?
You could encrypt the database if you wanted to, but then you would need to include a key in your program to decrypt it. Here is one easy to use product SQLCipher.
At the end of the day, the best you can do is make it harder for the DB to copied off the phone and read.
I am writing an app for my final year project, so it's more so for proof of concept so it doesn't have to be the best app in the world.
It is like a file locker app that you can add and remove files from the app and when they are stored they will be encrypted. There will be a login of some sort for the user to enter and be verified on a DB.
I am still a novice in android so I still have a way to go, but I am getting there!
I was thinking when the file (which could be a doc, pdf, jpg, video file etc) is added to the app it would be stored in the internal storage (from what I have read it seems to be the best place to store app related content) and a record of the name and file type would be added to the DB and also the encrypted file name. So when the user looks at the app they will see a thumbnail of the pic and the file name, kinda like the My Files app shows up files within a folder.
My question is it best not to store the file directly into the DB but just use the DB as a reference with the file details, if so how could this be done?
Also I was thinking that an AES 128bit encryption method would be best suited for this. I have tried a couple of encryption examples but have only been able to do this with a txt file, when i tried it with a jpg the app just sat there and did nothing. It showed the encrypted and decrypted jpg but this was not viewable.
Would anyone be able to suggest a good way of encrypting any file type that would suit for my app?
Any help would be greatly appreciated!
Cheers,
Owen
If you want to do this properly, here are a few tips:
Don't store files in the database, unless you know in advance that they're going to be really titchy. Store them somewhere else, with a reference to them in the database.
The best place for them if they're smallish is internal storage in the app's private file space. But if you want to be able to store encrypted arbitrary data then you'll need to hit external storage.
Don't store the decryption key!
Ideally, you should find a way not to write the file anywhere when you decrypt it. That might not be possible, though, if you need to open it in another application afterwards. If you write the encrypted files to external storage, you should at the very least write the decrypted version to internal storage where there's some operating system protection against other apps reading it. If you write the decrypted file to external storage, anything will be able to get at it.
AES with a 128-bit key will do you fine.
I want to store media files in an external storage creating a folder . The folder is secured using a password and accessible by my app only. The user is allowed to create its own password. Any suggestions how to do this??
I don't think your approach is possible. Maybe you should think about encrypting the file contents, so that only your app will be able do access the actual content after decryption.
Encrypting files is not a solution! This only creates potential file loss and problems later. Also, it is slow and you rely on the app that encrypted the files to unencrypt them later. What if that app dies or is not longer available? You have lost your files.
External storage such as the SD card has no permissions associated with it. The closest you could do is to store your data in some encrypted form and as per requirement you can decrypt it also.
This is the link for how you can encrypt and decrypt your file.
is it possible to encrypt the sd card folder r not please help me
if it possible , what is the processor of encryption and decryption
not possible , let me know what can i do for folder security in android sdcard
My file is here :/mnt/sdcard/image1.jpeg.
So How to encrypt this file in android please help me
and Android encryption support MBs r not
is it possible to encrypt the sd card folder r not please help me
Only by modifying the operating system and creating your own custom ROM.
not possible , let me know what can i do for folder security in android sdcard
If your objective is to allow the user to defend against other people stealing the user's data, you can encrypt individual files as part of how you store them. For example, you could use SQLCipher for Android to encrypt a SQLite database that you put on external storage.
If your objective is to hide data from the user, that is implausible. Your encryption algorithm and key will be in your app, which anyone can examine and use to get at the encrypted data. If you do not want users having access to certain pieces of data, do not put that data on the user's device.
Yes, you can encrypt and decrypt the files and folders in your sd card using java libraries. You can implement through javax.security package.
Below is the sample of Encryption and Decryption in java
Example 1
Example2
Example 3
Example 4
Take a Look at this Example
I'm looking at this page, which explains how to use a database in the local Android project (in Assets), to populate the application standard database (managed by Android, in data/...) like this. In this way all the data in the assets database are readable in the apk freely, right?
This is not a good way to store data if in the database there is personal info or certificates.
What is the best way store big info data in assets db and personal data in res/xml or res/values? Is there a recommended way to store personal data?
APK files in Android are world-readable by default, so storing sensitive data in there is not a good idea. On JellyBean and later, the app can be forward-locked (aka 'app encryption') which will ensure that your private assets cannot be read by other applications. This is done automatically for paid apps.
The best way would be to not store the data in the APK but download it on first install. You can use Google Play expansion files, which require authentication to download or come up with your own solution.
You could store them in some encrypted form and then decrypt them on first run, but then you will have key management issues.
As luck would have it I was reading about this today. The Android Dev guide suggests that you use internal storage for private data as it is inaccessible to other apps or the user. See http://developer.android.com/guide/topics/data/data-storage.html#filesInternal
I hope that helps.