I have a sqlite database in my app which I don't like others to extract and use it without my permission.
If this is impossible, can I use another DMS (instead of sqlite) which has this possibility?
is there any way to have an encrypted sqlite database?
You can help the user defend the user's data via something like SQLCipher for Android.
I have a sqlite database in my app which I don't like others to extract and use it without my permission.
An encrypted database, whether SQLCipher or otherwise, will not block access to the data. Your passphrase for the encryption will have to be in the app. That passphrase can be found by reverse-engineering your app. While you can use tools like DexGuard to try to make reverse-engineering more difficult, if somebody is interested in the data, they can get to it.
Related
I want to secure my sqlite database.
I searched a lot but ended up with the suggestions of using SQLCipher.
Is there any new advancement in this field other than SQLCipher?
Please suggest.
If you don't want to use SQLCipher, One thing you can do is encrypt your data before storing it in the database and decrypt it at runtime when populating it.
You can use a encryption key that you can store on Firebase and retrieve it from there at your app startup, this will add another layer of security to your encryption because the key will not be exposed inside the app if someone decompiles the app.
I'm securing my database on my own, procedure is following:
ORMLite used as ORM (platform independent ORM over SQLite)
All sensible data stored in BLOB's
BLOB's secured using standard encryption technique, e.g. com.madgag.spongycastle works well under Android
I am trying to compile SQLite (enable SQLITE_HAS_CODEC) with encryption/codec such as the one found in wxSQLite or Libtomcrypt, so that the result build will provide an encrypted SQLite database.
But since Android security model implements a secure sandbox policy in which no app can read other apps data, will the resulting SQLite (build with encryption) work with all apps transparently and avoid secure sandbox policy, or you need to configure each project separately so that it can save encrypted data to SQLite?
I mean will it encrypt data coming from all apps to be stored in SQLite database, or it will be applicable only for one project that need to be configured for.
Thanks.
I am trying to compile SQLite (enable SQLITE_HAS_CODEC) with encryption/codec such as the one found in wxSQLite or Libtomcrypt, so that the result build will provide an encrypted SQLite database.
I would recommend that you use SQLCipher for Android, which has done all of this for you.
will the resulting SQLite (build with encryption) work with all apps transparently and avoid secure sandbox policy
No.
You could create your own ROM mod that replaces standard SQLite with your encryption-enabled one. However, no apps will actually use the encryption, because they will not be asking the user for a passphrase and using it. And while you could then say that you will use a hardwired passphrase, then you are adding no security, because anyone could go grab that passphrase and then use it to decrypt the databases.
or you need to configure each project separately so that it can save encrypted data to SQLite?
Yes, and more importantly, each project will need to ask the user for a passphrase.
You can write your database to the SDcard/external storage, and thus other apps can read it, if they know the path. Or you can provide a lib that does it.
My App has an already existing Database. With "already existing" I mean that I don't create a Database in my App, I just connect to it and read the data.
To setup the connection I use SQLDroid.
Now I want to know is there any possibility to encrypt my Database with SQLDroid? Otherwise my Database is unencrypted and anyone could read the data.
I already tried to work with SQLCipher, but there is the problem that I have to create my Database in my App what I'm not doing...
I know that there are possibilities to work with an online App (-> database is on a server), but this is no solution in my case, because I have to make an Offline-App.
I'm glad about every idea.
Thank you.
Otherwise my Database is unencrypted and anyone could read the data.
You cannot hide data from the user of the device. Even if you encrypt the data, you would have to have the decryption key in your app, which can be found without much effort.
Using encrypted databases (e.g., SQLCipher for Android) to allow the user to defend the user's data against other people is perfectly reasonable.
That being said, SQLDroid would need to be ported to use SQLCipher or some other encrypted SQLite engine. I see no evidence that this work has been done.
Hello I have an android application. In my app I have a SQLite database stored on the device that should be synchronized with a MySQL database stored on the server.
Now I have to retrieve a list of IDs. I can do it querying the SQLite database or the MySQL database. I chose to use the SQLite database because it'd be much faster and easier considering what I have to do. But now I was thinking about it and I have a question: Are the android SQLite database files safe? I mean is there a possibility that someone access these files and modify information inside them or are they hidden to users?
Because if I ask information from the server I'm sure that it is safe, instead I don't know the security level of android databases.
Let's suppose that each ID corresponds to an application ID I paid for (for example application 3 and 5). When I find a way to modify the android database and so adding also application 7 and 8 it would seem to the device that I've paid also for these applications instead I didn't and I can't use them. That's why I was thinking to query the MySQL database, because the user can't modify it, but this way it's gonna be slower. What do you think?
Ideally data stored in your apps private /data directory would be private, but if someone roots their phone they have unfettered access to it. Its best to design based on the assumption that your on-phone database is unsafe without encryption and even then it's still possible that users can try to break in.
With a rooted device, a user could easily add / remove / modify existing records in the database.
One thing you could do, is compute an MD5 hash of the rows in your DB and compare it against a hash you have stored on your MySQL server for that particular user before accepting the "paid" values of your local cache database. This approach may or may not be acceptable to you because obviously it requires an internet connection.
Please check these option too, they might help anyone who want to secure the database.
SQLCipher for Android
1- android Sql3 wrapper library
2- libsqlite3_jni.so
also please read the article below are make your search on the option above, i hope this would help much.
http://www.findbestopensource.com/product/sqlite3-android
Note:
you can secure your device fully as if the device will be rooted by anyone. So use some other secure way like secure the database with 2 factor authentication and password protected.
In case someone rooted your device at least you should have some password protected file .
I'm developing an application which will be storing user sensitive data. My issue is using other applications that a user can view that stored data with. Then I need to provide better security for the data in general.
Is there any way to provide better security for SQLite database and tables?
Encrypt your data before you enter it in the database. As far as I know, the SQLite database is kept in a single file somewhere in the /data/ directory. What is more, your data is kept in plain text format. This means that it will always be possible for someone to extract that data by rooting the phone, obtaining the .db SQLite file and opening it with a text editor.
So, encrypt your data :)
--
Okay, maybe not a text editor, but a simple hex editor. Anyways...
Check out SQLCipher for Android. It's free (Apache 2 and BSD licences).
PS.: Some ORMs also support SQLCipher now, e.g. our greenDAO.
The author of sqlite offers a version that encrypts data. It's not free though
You could encrypt the data using a user specific salt retrieved from your server. That way, even with root access you would need the users salt to decrypt the database. Since you have control over the salt you provide an extra layer of security, however, your user will always need a network connection to access their data.
why are you keeping sensitive data on the phone? If its sensitive, why not send it back to the server where you have control over things. If the user roots their phone, they can basically do what they want. Other than that, encrypting like Shade mentioned would probably be your only option...
Good way to protect the the Database is to use the password Protected database and you can create it by using
1- android Sql3 wrapper library
2- libsqlite3_jni.so
also please read the article below are make your search on the option above, i hope this would help much.
http://www.findbestopensource.com/product/sqlite3-android