I am using SQLite database in my application. I want to make my SQLite database password protected.
HWACI (the commercial arm behind SQLite development) provides (for money) an encryption engine called SEE. It's quite painless to integrate this in if you are building your own SQLite source, and it's also very easy to use.
SQLCipher is an open source alternative to SEE. I've never used it but I would expect it's as easy to integrate and use as SEE.
As far as I know: no, you can't do it in a simply way.
Posible choices:
-You could simply encrypt the data you want to be secure when inserting it and decrypting the values when you want to play with them. In my opinion this is the best choice.
-You could encrypt the db file in your app's folder. And decrypt it every time you want to access it (not very recommended).
Also note that your DB file is stored in your app's private directory, so in most terminals (except for rooted ones) neither the user nor other apps will have r/w access.
EDIT: For the first choice, I recommend you to take a look to mah's answer if you don't want to implement your own encryption methods =)
Related
I read many tutorial and topic about this about SqlCipher , but I didn't understand what should I do exactly!
I have ready database in my assets folder . My database contains about 4 tables and 5000 records .I want to make it more secure.How I can do it ? Could somebody help me with this problem ? As I am novice with android , I need step by step solution . At the moment I use sqliteasset.SQLiteAssetHelper library to read database from assets folder.
Do not waste development time on encryption of client-side data - the data which should be accessible by the application in unattended manner (i.e. decrypted by application without user's input of any kind of password).
Here is an explanation of my statement:
Lets assume that you managed to protect(encrypt) your database by some encryption key and application upon startup should read all encrypted data.
It means that your application should have built-in key required for the decryption.
And any person with minimal reverse-enginering knowledge can extract both key and the database from your apk file and decrypt it.
When you design security mechanism to protect the data one of the first questions which you need to answer is:
How much time adversary will need to spend to open the data?
If your answer is something like "It will require 10,000 years to brute force my protection" then your protection is probably ok.
But right now you are trying to implement security through obscurity and it newer works.
Determined person can easily extract encryption key from your own code and decrypt your database in almost no time.
When you design client-server architecture there is only one way to protect trade secrets - place everything sensitive to the server side.
If your client-side application relies on some business sensitive information (like calling some paid APIs with your own API key) then your application has design flaw.
If your application relies on information which is not business sensitive then it does not make sense to encrypt this information.
I have an application that stores its data and test results in a SQLite database on either and Android or ios phone.
Is it possible to secure this data so that only the application can access it or is the data open to anyone (that knows how) to go in and make changes to the database?
You could look into encrypting your db. There are libraries like SQLCipher you could look into.
Since the database is just a file in SQLite, if other apps can't access that file you're good.
If you mean accessing it by tinkering with the filesystem, it's definitely possible on Android, unless you encrypt the file. On iOS it's a bit more difficult, but on a jailbroken phone it's entirely possible as well.
You'd want to research SQLite encryption libraries, but these are different on iOS and Android. If you want a common approach, encrypt the file and decrypt it before access.
SQLCipher is a popular library for encrypting your db on Android.
You should definitely enable Proguard as well if you're worried about modifications to your app.
Is the data open to anyone (that knows how) to go in and make changes
to the database?
Yes:
Jailbroken iPhone,iPad.
Rooted Android device.
Is it possible to secure this data so that only the application can
access it?
Not really but you can make it harder to leak through encrypting all the sensitive informations. Note: Do not use an opensource Encryption/Decryption chances are that the hacker also knows about it and it will be used againts you. Implements your own Encryption and Decryption instead if you have time.
i want to build a dictionary in C++ and qt and later for android,which will have a word and meaning.the easy option is to use sqlite or mysql like DBMS but i dont want to use them as sqlite is not secure(anyone can open that sqlite database to copy my word-meaning pair) and mysql needs a large installer file to be deployed along with installer.is there any way in which i can store my word-meaning pair in program?or can i store that word-meaning pain in a string array?there are 120000 words and almost 360000 meaning so if i make a string string word_meaning[360000][2]? will it be a problem to load the program?
or using a password protected zip?is it a viable solution?
kindly recommend any other secure and better method
regards
Like MSalters says, there is no way to make it guaranteed unbreakable, but you can make it pretty hard. And if you make it hard enough to break your security so that it is not worth the effort then you are secure enough.
You have a trade off between programming complexity and security.
The most secure that I can think of is putting the database on your own server and have your app query the server. That way no hacker has access to your database. But perhaps you also have a need for high performance when looking through the dictionary or you don't want your game to need internet.
The next thing I can think of is to place an encrypted text file with the word-meanings in your app's assets directory. Your app will contain the key to decrypt the text file and a hacker would need to decompile your app and find the key before he can decrypt the file to steal your dictionary.
Hope this helps.
I'm trying to create some sort of backup & restore function in my app. Before that, I've been reading for a while to understand if it's possible to achieve, but I found out this question:
Sqlite DB Android Backup/Restore
The only other way I could see to do it, would be to read the actual contents of the DB and generate a file containing the SQL which which it can be restored from, this is obviously a more complex and doesn't offer any advantages to justify this complexity.
This answer, I think, is the best way to accomplish that; not explorting the .db file, but exporting queries.
You know; when you export a SQL data from mysql, you get a file which contains all the queries that creates the structure and queries that fill the structure with data.
That's what I'm trying to mimic; generate a file which contains sql queries from a .db file.
Do you guys think it's possible, I mean, is there any builtin method to achieve that?
Otherwise, if its too hard to handle, how do you manage to avoid what this user (https://stackoverflow.com/a/10842043/1943607) is talking about?
So, I disabled WAL with "PRAGMA journal_mode = DELETE" and then I was able to view the database in the browser and able to restore it on my test device fine.
That previous part, I can't understand it. Is this a configuration you set to sqlite?
Thanks
I haven't actually tried this with sqlite, but with mysql you could do things like create "dumps" of your database. Those dumps contained exactly what you describe: a set of queries that, when executed together, recreate the database, including the contents.
Judging from the "sqlite3" documentation found at http://www.sqlite.org/sqlite.html (especially the "Converting An Entire Database To An ASCII Text File" section), you can do the same for sqlite. Since you can execute shell commands from a java application (using Runtime.getRuntime().exec() methods), and you are the "owner" (Linux user id) of the database, you should be able to run this "sqlite3 .dump" command even on a non-rooted device. I have never seen an Android device without the sqlite3 tool installed, so the command should always be available.
Moreover, since dump file is just a text file, you should be able to prepend any PRAGMA's to it that are required for compatibility (like the one you quoted).
I haven't tested any of this, but just wanted to think with you on this interesting topic.
An sqlite database is just a file so you could copy the file but I think you may have problems with permissions in android preventing you from accessing the database.
A better solution IMO would be to sync your data to an external website.
Using a combination of a custom sync adapter and the account manager with a website or web service that has a RESTfull api to receive and send the synced data would be the most reliable approach.
http://developer.android.com/training/id-auth/identify.html is a great introduction to setting up the account manager.
And for a custom sync adapter this is a great starting point.
http://www.c99.org/2010/01/23/writing-an-android-sync-provider-part-1/
and http://www.c99.org/2010/01/23/writing-an-android-sync-provider-part-2/
And finally an explanation of how it all fits together
https://sites.google.com/site/andsamples/concept-of-syncadapter-androidcontentabstractthreadedsyncadapter
The above approach would enable a user to switch phones and retain data at the same time and the data would always be up to date (providing you sync at the appropriate times.
It seems like a lot of work as you will need to set up a web service but it is the BEST way to make sure data is kept safe and secure and can be restored and backed up at any point.
For a web service there are lots of options available to you including cloud services such as Google docs or writing your own website. Ruby on Rails is a great solution for developing your own site as you get a full RESTfull api out of the box and it;'s dead easy to secure/lock down a rails site to authorised users only with a couple of lines of code and with Heroku you can get free hosting.
As usual with Android development the simplest of requirements actually ends up being the most difficult to implement but where data safety is paramount then it's worth the effort to do it properly.
The question is too open to answer simply because the changes that may apply to the db file content are open and one can't guarantee a specific behavior .
On the positive side sqlite project is an open source and the format of the DB file is specified Here
After taking a look there, it seems very possible/not too complicated to parse any DB file looking for Data Only and write it/dump it to another functional db file.
I believe this is the fastest and cleanest solution to the issue in hand.
so to wrap up:
Copy DB file everytime you want to back it up.
When you want to restore create a new DB using Android APIs.
Parse the data from the backed up file and write them to the newly created DB.
P.S:
regarding how to use
PRAGMA journal_mode = DELETE
Simply use db.exec("PRAGMA journal_mode = DELETE"); when creating the DB
I'm currently developing an Android game which saves data into a SQLite database. This is not really "sensitive" data, but I don't want users to be able to modify it (for obvious reasons of game balance, as it would be cheating). And it's quite easy to access and modify a SQLite db when your phone is rooted (there are plenty of applications for that in the market).
So should I even worry about that, or consider users with a rooted phone can do whatever they want including cheating and that's their choice? Or could I somehow encrypt the data I don't want them to modify, or add a MD5 checksum or something similar?
Another approach would be to abandon SQLite altogether and use some kind of binary files with game data.
Please let me know if some of you already encountered similar issues, and what are the approaches you followed, as well as the "good practices" in the Android gaming development community.
Thanks.
Root access for everybody and security are mutually exclusive.
Any application or user with root permissions can read and modify each and every file on your system, as well as all of the main memory. That doesn't leave many places to store a potential encryption key for the database.
You could hide parts of the key in the executables, configuration files etc, but everything you could come up with would be nothing more than obfuscation and security by obscurity.
If a user opts to grant root access to everybody, that's their decision, and it's not your job as an app developer to prevent any harm that might be caused.
Update:
Storing API keys in Android, is obfustication enough? is a pretty similar issue - it's about protecting API keys, but it's the same situation with regards to your options.
sqlcipher for Android might help here.
https://guardianproject.info/code/sqlcipher/
I think based on your requirement the best method is using consistency of data,
for example MD5 the score and time, then put score and time and MD5 in to the table, then every time wanting to use that row of DB check the MD5 of the score and time if the one in DB and the one which calculated are same, the row is consistent otherwise it was hacked!
You may find your happiness on Preferences Files Look here