Team,
I have an Android application with large SQLite database this data costs me lots of money and I don't want to let anybody have it easily.
This database come to me as databse.sqlite file and I shipped into into the APK assets.
is there anyway to encrypt this database before shipping and then decrypt while reading the data ?
P.S I searched for this a lot and all of my results point me to use sqlcipher but this lib does not work with shipped SQLite database file.
The problem is that you will need to store the key (or location of the key) somewhere in your code and deodexing the application doesn't take that much effort. Unfortunately, you can't really prevent anyone from accessing the data. You can only make it harder, but it will still be pretty easy for someon who is really determined.
The best solution would be to store the database on a server and only send the data the user actually needs to the device. That way you have at least some control over what data a device requests.
Related
I read many tutorial and topic about this about SqlCipher , but I didn't understand what should I do exactly!
I have ready database in my assets folder . My database contains about 4 tables and 5000 records .I want to make it more secure.How I can do it ? Could somebody help me with this problem ? As I am novice with android , I need step by step solution . At the moment I use sqliteasset.SQLiteAssetHelper library to read database from assets folder.
Do not waste development time on encryption of client-side data - the data which should be accessible by the application in unattended manner (i.e. decrypted by application without user's input of any kind of password).
Here is an explanation of my statement:
Lets assume that you managed to protect(encrypt) your database by some encryption key and application upon startup should read all encrypted data.
It means that your application should have built-in key required for the decryption.
And any person with minimal reverse-enginering knowledge can extract both key and the database from your apk file and decrypt it.
When you design security mechanism to protect the data one of the first questions which you need to answer is:
How much time adversary will need to spend to open the data?
If your answer is something like "It will require 10,000 years to brute force my protection" then your protection is probably ok.
But right now you are trying to implement security through obscurity and it newer works.
Determined person can easily extract encryption key from your own code and decrypt your database in almost no time.
When you design client-server architecture there is only one way to protect trade secrets - place everything sensitive to the server side.
If your client-side application relies on some business sensitive information (like calling some paid APIs with your own API key) then your application has design flaw.
If your application relies on information which is not business sensitive then it does not make sense to encrypt this information.
I've been searching a way to implement SQLCipher on my prepopulated database containing more than a million entries. Last three months is the time I've fully devoted to my project's database and it's now complete which led me to a problem.
My app's database is something that I know will be copied in a week or so and copying database is so easy (just open the apk with WinRAR). And in India, No one cares about copyrights so that'll be of no use.
Basically I want to protect my app's database from copying keeping in mind that app should work offline (that being said no PHP/SQL servers).
I've checked GitHub/Google for it and only thing I've found is SQLCipher by Zetetic. Very same thing on GitHub - Here.
Also, One can import following library now: net.zetetic:android-database-sqlcipher:3.5.2#aar and can use this for securing database but it's something works on databases created by app and not on prepopulated. (lib taken from this answer on SO).
-> Now, for me the million dollar question is Is there anyway by which I can either password protect or encrypt my database without putting the database on any server?
P.S. -> I want to make my app work offline and also, I'm just a student and at least for now, can't afford Zetetic's paid service.
Edit - I've gone through codes of some google apps storing databases for some help but they are just using .out files (easily openable with Word/Text editor) compressed in .gz files which is not something I should use.
implement SQLCipher on my prepopulated database
This is pointless. Anyone who wants to can grab the encrypted database, grab the encryption key out of your app, and decrypt the database.
I want to protect my app's database from copying
Don't put it on the device.
keeping in mind that app should work offline
Depending on the nature of your app, you might be able to cache bits of data for offline use, for reduced functionality while offline.
A simpler solution is to not worry about the fact that the database may be copied. To paraphrase Tim O'Reilly, your problem is not security but obscurity.
I have an application that stores its data and test results in a SQLite database on either and Android or ios phone.
Is it possible to secure this data so that only the application can access it or is the data open to anyone (that knows how) to go in and make changes to the database?
You could look into encrypting your db. There are libraries like SQLCipher you could look into.
Since the database is just a file in SQLite, if other apps can't access that file you're good.
If you mean accessing it by tinkering with the filesystem, it's definitely possible on Android, unless you encrypt the file. On iOS it's a bit more difficult, but on a jailbroken phone it's entirely possible as well.
You'd want to research SQLite encryption libraries, but these are different on iOS and Android. If you want a common approach, encrypt the file and decrypt it before access.
SQLCipher is a popular library for encrypting your db on Android.
You should definitely enable Proguard as well if you're worried about modifications to your app.
Is the data open to anyone (that knows how) to go in and make changes
to the database?
Yes:
Jailbroken iPhone,iPad.
Rooted Android device.
Is it possible to secure this data so that only the application can
access it?
Not really but you can make it harder to leak through encrypting all the sensitive informations. Note: Do not use an opensource Encryption/Decryption chances are that the hacker also knows about it and it will be used againts you. Implements your own Encryption and Decryption instead if you have time.
i want to build a dictionary in C++ and qt and later for android,which will have a word and meaning.the easy option is to use sqlite or mysql like DBMS but i dont want to use them as sqlite is not secure(anyone can open that sqlite database to copy my word-meaning pair) and mysql needs a large installer file to be deployed along with installer.is there any way in which i can store my word-meaning pair in program?or can i store that word-meaning pain in a string array?there are 120000 words and almost 360000 meaning so if i make a string string word_meaning[360000][2]? will it be a problem to load the program?
or using a password protected zip?is it a viable solution?
kindly recommend any other secure and better method
regards
Like MSalters says, there is no way to make it guaranteed unbreakable, but you can make it pretty hard. And if you make it hard enough to break your security so that it is not worth the effort then you are secure enough.
You have a trade off between programming complexity and security.
The most secure that I can think of is putting the database on your own server and have your app query the server. That way no hacker has access to your database. But perhaps you also have a need for high performance when looking through the dictionary or you don't want your game to need internet.
The next thing I can think of is to place an encrypted text file with the word-meanings in your app's assets directory. Your app will contain the key to decrypt the text file and a hacker would need to decompile your app and find the key before he can decrypt the file to steal your dictionary.
Hope this helps.
Im using SQLite Storage in my healthcare application.I have some idea of why we are going for local storage
No need of internet connection.
individual Data.
Fast to load.
if we want can take a dump of db in server and can be retrieved.
But, I got some opposite question like
suppose if i lost my phone there is chance to get my personal data from the memory of the device.
kindly help me
You can encrypt the data from SQLite. Either encrypt it on runtime using a custom encryption algorithm, or you can use some APIs for that. The most popular seems to be SQLCipher for Android.