My App has an already existing Database. With "already existing" I mean that I don't create a Database in my App, I just connect to it and read the data.
To setup the connection I use SQLDroid.
Now I want to know is there any possibility to encrypt my Database with SQLDroid? Otherwise my Database is unencrypted and anyone could read the data.
I already tried to work with SQLCipher, but there is the problem that I have to create my Database in my App what I'm not doing...
I know that there are possibilities to work with an online App (-> database is on a server), but this is no solution in my case, because I have to make an Offline-App.
I'm glad about every idea.
Thank you.
Otherwise my Database is unencrypted and anyone could read the data.
You cannot hide data from the user of the device. Even if you encrypt the data, you would have to have the decryption key in your app, which can be found without much effort.
Using encrypted databases (e.g., SQLCipher for Android) to allow the user to defend the user's data against other people is perfectly reasonable.
That being said, SQLDroid would need to be ported to use SQLCipher or some other encrypted SQLite engine. I see no evidence that this work has been done.
Related
I have to develop an app both for iOS and Android. This app uses a small sqlite database with sensitive data, and depending on the user's input, it makes some process with this data. After this process is made, the database is no longer accessed unless the user has to enter a new input (it's not probable that this happens).
Since the database has sensitive data I have to protect it. I know is impossible to get a complete protection but I would like to make life harder for a possible attacker.
And since I don't know too much about security I'm not sure what would be the best alternative taking into account "difficulty / security".
I've thought in two alternatives:
1) Include the database in the apps and encrypt or obfuscate it.
But I guess it wouldn't be very difficult to get the database with a rooted Android.
2) Have the database stored in a server, each time the user enters the input the app downloads the database, the process is made and after that I remove the database from the app.
But the process takes 5-10 minutes and maybe this time is enough to get the database from the app, so I would have to add the same protection as in 1) plus a protection in the server.
Which would be the best option (difficult / security)? There would be any other options?
I've tried several Google searches but I'm confuse with all that information and I would like to try with the huge acknowledge of this community.
UPDATED:
Well, reading your answers I'm inclined to have a backend and not download the database to the app. It's not the preferred solution of the client, but it seem is the best by far so I'll try to convince it.
Anyway, due to the type of process the app has to do I'm not sure if it's possible with a backend.
Since it's a complete different question I would like to ask it in other thread: https://stackoverflow.com/questions/29942688/remote-sqlite-queries-from-app
NEW UPDATE:
I keep thinking in this and I don't find a good solution because the process is too complex. I've thought in something I would like to know if it's possible or if it has no sense (sorry but I don't know too much about backend development).
SERVER -> my sqlite database & PHP web services
DEVICE -> a txt file with user inputs (20MB)
Device: In the device the txt file is compressed (10MB)
Device: The app send the txt file to the server via POST web service.
Server: This txt file is stored in the server.
Server: This txt file is decompressed.
Server: This txt file is loaded into a new table InputTable inside my sqlite database.
Server: A new table UserFinalDataTable (almost 10000 rows) is created making lots of queries using InputTable and the rest of my database.
Server: UserFinalDataTable is converted into JSON and sended back to the device as the response to the web service called in step 2.
Device: The app receive this JSON and converts it to something useful for the app.
Is this possible or any (if not all) of the steps is impossible to achieve?
The most secure and reliable way is to store the database on your server encrypted with a symmetric encryption algorithm. Better yet if you also use an asymmetric encryption algorithm on top of that, if possible with some sort of forward secrecy, in case your server gets hacked. It all depends on what degree of security you want to achieve.
Another way would be to store the database on the device with the server's encryption key, when needed send the database to your server for decryption and return the decrypted output. Although this doesn't make sense in most situations, especially yours.
Neither. The most secure way is to keep the database on the server and access it only by webservice, with proper account authentication. If you send any data at all to a client, a sufficiently motivated attacker will get it. In the case of a whole database file, it would be trivial to root the device and read it. And if you encrpyt it, SQLite won't be able to read it (not to mention the decryption key would be local so easily reverse engineered).
The most secure strategy you say....backend server with a db and web service.
Use SQLCipher to encrypt your db.
It works either on iOS and Android
i have an app that has about 20000 data . these data are locally is beside app in sqlite database. i couldn't place data on web because i using map and markers and i feel will be slow in processing. so i have to use local data instead of web.
how can i secure these data in android? additionally i have any web request to a webservice and web database for other works. how can secure sent or received data? i hear about sqlcipher but i don't know how does it encrypt and secure my data. if you can tell me about secure best practices please.....
with thanks...
Just some ideas.
To secure android data in the SQLite database the only and best way is to ask the user to create a password. This password will be used to encrypt data before you store it in SQLite database. Thus if someone steals device they cannot even with root access read the data in SQLite database.
For web services use SSL certificates to encrypt data flowing up and down. This is a rather big topic though. If you are serious about this I would suggest buying a copy of this book called Application Security for the Android Platform: Processes, Permissions, and Other Safeguards .
I have a sqlite database in my app which I don't like others to extract and use it without my permission.
If this is impossible, can I use another DMS (instead of sqlite) which has this possibility?
is there any way to have an encrypted sqlite database?
You can help the user defend the user's data via something like SQLCipher for Android.
I have a sqlite database in my app which I don't like others to extract and use it without my permission.
An encrypted database, whether SQLCipher or otherwise, will not block access to the data. Your passphrase for the encryption will have to be in the app. That passphrase can be found by reverse-engineering your app. While you can use tools like DexGuard to try to make reverse-engineering more difficult, if somebody is interested in the data, they can get to it.
Hello I have an android application. In my app I have a SQLite database stored on the device that should be synchronized with a MySQL database stored on the server.
Now I have to retrieve a list of IDs. I can do it querying the SQLite database or the MySQL database. I chose to use the SQLite database because it'd be much faster and easier considering what I have to do. But now I was thinking about it and I have a question: Are the android SQLite database files safe? I mean is there a possibility that someone access these files and modify information inside them or are they hidden to users?
Because if I ask information from the server I'm sure that it is safe, instead I don't know the security level of android databases.
Let's suppose that each ID corresponds to an application ID I paid for (for example application 3 and 5). When I find a way to modify the android database and so adding also application 7 and 8 it would seem to the device that I've paid also for these applications instead I didn't and I can't use them. That's why I was thinking to query the MySQL database, because the user can't modify it, but this way it's gonna be slower. What do you think?
Ideally data stored in your apps private /data directory would be private, but if someone roots their phone they have unfettered access to it. Its best to design based on the assumption that your on-phone database is unsafe without encryption and even then it's still possible that users can try to break in.
With a rooted device, a user could easily add / remove / modify existing records in the database.
One thing you could do, is compute an MD5 hash of the rows in your DB and compare it against a hash you have stored on your MySQL server for that particular user before accepting the "paid" values of your local cache database. This approach may or may not be acceptable to you because obviously it requires an internet connection.
Please check these option too, they might help anyone who want to secure the database.
SQLCipher for Android
1- android Sql3 wrapper library
2- libsqlite3_jni.so
also please read the article below are make your search on the option above, i hope this would help much.
http://www.findbestopensource.com/product/sqlite3-android
Note:
you can secure your device fully as if the device will be rooted by anyone. So use some other secure way like secure the database with 2 factor authentication and password protected.
In case someone rooted your device at least you should have some password protected file .
I'm developing an application which will be storing user sensitive data. My issue is using other applications that a user can view that stored data with. Then I need to provide better security for the data in general.
Is there any way to provide better security for SQLite database and tables?
Encrypt your data before you enter it in the database. As far as I know, the SQLite database is kept in a single file somewhere in the /data/ directory. What is more, your data is kept in plain text format. This means that it will always be possible for someone to extract that data by rooting the phone, obtaining the .db SQLite file and opening it with a text editor.
So, encrypt your data :)
--
Okay, maybe not a text editor, but a simple hex editor. Anyways...
Check out SQLCipher for Android. It's free (Apache 2 and BSD licences).
PS.: Some ORMs also support SQLCipher now, e.g. our greenDAO.
The author of sqlite offers a version that encrypts data. It's not free though
You could encrypt the data using a user specific salt retrieved from your server. That way, even with root access you would need the users salt to decrypt the database. Since you have control over the salt you provide an extra layer of security, however, your user will always need a network connection to access their data.
why are you keeping sensitive data on the phone? If its sensitive, why not send it back to the server where you have control over things. If the user roots their phone, they can basically do what they want. Other than that, encrypting like Shade mentioned would probably be your only option...
Good way to protect the the Database is to use the password Protected database and you can create it by using
1- android Sql3 wrapper library
2- libsqlite3_jni.so
also please read the article below are make your search on the option above, i hope this would help much.
http://www.findbestopensource.com/product/sqlite3-android