I want to be sure that my app's content is safe. I have a password for encrypted database inside of my app and I just want to figure out if there are safe places in my project which can't be accessed by reverse engineering.
And it would be great if u explain shortly how reverse engineering works. ThanQ.
And plz don't post links to ProGuard!
Any hard-coded value CAN be viewed by reverse engineering your app.
This includes passwords, urls, etc.
In order to reverse engineer an android app, proceed with the following steps:
1- Rename your app's APK file to ZIP (e.g. myapp.apk -> myapp.zip)
2- Open the zip file and retrieve the classes.dex file.
3- Use dex2jar to get a jar file from classes.dex
4- Use jd-gui to open the jar file and view your original code.
Haawa,
If you are storing the password in your app as a static string, it is NOT safe. It is trivially easy to get to it, even if you are using ProGuard. The best way to safeguard it is to not store it at all. Instead, if possible, have your app send a unique identifier of some kind to a server that validates the user (possibly using LVL), then the server hands back a DB password or the actual DB data itself (stored on the server).
If this is not possible, or if you don't have access to your own server, at least obfuscate the string in some way by storing it as a XOR'ed string or better yet, come up with your own function to obsfucate the string. NEVER have a line in your java code that looks like password = "mypass";
In reverse engineering : your .apk file Rename from .apk to .zip file , then abstract zip file and find your folder,
But You can not able for find .class file of your Project
Reverse engineering is more about recreating intellectual property by careful analyzing application's behavior aspects. Regarding security matters, I think, social engineering should be of more concern to you
Others have explained the reverse engineering, so I will explain how you should encrypt the database.
You should encrypt the database using the user's credentials (username and password or PIN) as the key. When the user starts the application, they should be prompted for the credentials. The key should not be hard coded.
This prevents an attacker from accessing the user's data without having the credentials.
If you are trying to hide the data from everyone including the user, yet have the application be able to access it, then you have to store it on the server and only request the data that you're willing to show to the user.
Related
I have a problem. I am using xyz.db file and which is stored in asset folder. I am copying all data from xyz.db to application db which is stored in data/data/com.xyz/abc.sqlite in storage folder. Now I want to secure asset's xyz.db file. Because It can be easily extract from apk by reverse engineering. Please help me to secure my asset folder's database file.
You can perform the following to make it relatively difficult to access data in DB.
Password protected zip file to contain db which at runtime should be extracted.
Encrypt the file with symmetric key and again at runtime decrypt it.
Utilize sqlcipher that performs encryption for Data at Rest.
In both the above cases you will need to worry about storing the password or key. There is no sure shot way to protect the file but the above would require more effort and should be added as basic protection.
There's no final solution to your problem.
Any technique you'll use can be beaten by a determined skilled attacker.
You have to accept that if you want to store database xyz.sql in your apk file and you later want your app to use it, then it will be also possible for someone that reverse your app to retrieve it. Basically just because the plain text information at a certain moment will be available on the phone.
Hope i've been clean enough
Keep security in mind
As usual in Android the access rights of the database file determine who can use your database. If you follow the standard way presented in the following posts of this series, your database file will be located within the private directory of your app. This means that your app owns the database file and no one else can access it. Even using the other less common ways to create the database you can only grant access to the file. Thus others can access all of your database or nothing. There is no middle ground.
Still: You should never rely on data being safe from prying eyes in the database. Any sensitive data should be encrypted. Very sensitive data should not be stored on the device at all. Keep in mind that if the device gets lost, any misbehaving finder of the device can gain access to the database file as well as to your app. On a rooted device all files can be read. Apps like SQLite Editor make it easy to read even sensitive data – if they are not encrypted:
In cases where data privacy is of utmost importance, you have to revert to secured services or force the user to enter a secret every time before encrypting and storing the data or reading and decrypting them respectively.
source
I want to write an android application that uses ready information I use Sqlite manager extension from Firefox and put it in asset folder but if someone just change the extension and make apk file a zip file he can easily have my database what is the best solution in this case?
The comments you are getting are all completely correct. There is no way to guarantee that no-one can get at the contents of that database.
You could make it harder by encrypting the database and hiding the key somewhere in the code. Doing that would make it so that an attacker would need to de-compile the code to find the key, so that they could de-crypt the DB.
Better yet, you could put the key on a network server, somewhere. If you do that, your user has to be on-line to use the app... and the attacker has to spoof your app and request the key to decrypt the database. ... but they can still do it.
This is the DRM problem. It is pretty much impossible to give attackers the encrypted content and the keys and still protect the content.
I have been creating an app in Android recently, which has a login page. It's fully offline, so online or network-based solutions would not help me. I think there are two approach for me to accomplish this task.
Saving password hash in the preferences XML file
Saving password hash in the SQLite database
However, in my opinion both of these ways could be insecure because an user could load my app's data directory in a DDMS and then take out my preferences or database file and subsequently try to manipulate it.
Now, my question is:
Is there any fully secure approach (preferably not using files) or way to encrypt preference or database file?
Thanks in advance
SOLUTION (idea from Marcin Orlowski)
A relatively secure solution would be hashing password along with another string, which is only known to my app (with assumption of no resereve engineering), with this conditions, the attack could not replace my hashed string with his own hashed string.
No, there's no bullet proof solution. What's in the app can be extracted with more or less efforts or your app can be hacked/etc. If you need to store password, do not store plain as plain text. Do sha1 or md5 hash of it first and store the hash, so even if one would get hands on your prefs/DB then he still does not know the password (but he can try to brute force it using i.e. rainbow tables etc). Depending on sensivity of data you protect with password, using hash may be sufficient (if you do not encrypt data itself, then it makes no sense to go further)
Save the password hash in the private ContentProvider. SharedPreferences XML and Database file can only be get from DDMS if user uses rooted phone.
I am using SQLCipher for Android. I have done all the necessary things that are needed for
loading the libs as mentioned in http://sqlcipher.net/sqlcipher-for-android/
I observed that you set the password i.e the key in :
SQLiteDatabase database = SQLiteDatabase.openOrCreateDatabase(databaseFile, "test123", null);
Then how is your password safe from a hacker? As it can be accessed from a java file. ?
Is there any correct way where i can store the password ?
Thanks,
Nibs
Then how is your password safe from a hacker?
It's not. Hard-coding a passphrase makes for simple demonstrations, though.
Is there any correct way where i can store the password ?
The user should supply the passphrase for the user's database via your UI. The user then stores the passphrase in the user's head, or perhaps you combine what's in the user's head with something else for lightweight two-factor authentication (e.g., MAC address of paired Bluetooth wearable).
I would like to suggest the following approach:
The first time you create the database you have to create a random password.
You store this password in the Keystore.
Whenever you open the app you read the password from the keystore and use it for connecting to the database.
So how does the keystore access work? See blog entry 1 and blog entry 2 and the corresponding github repository. The solution is available for Android version 2.1 to 4.3.
Big caveats:
The solution works only with private API access, so it might break in the future.
A screen lock password is required to store keys and all keys are wiped if a user removes his lock screen password.
What is being overlooked is the fact that the demonstration given by SQLCipher is purely for demonstration . It is up to the imagination of the developer to overcome the obvious. Slightly less obvious is that you would NOT store the key in a private local variable, since performing a strings search against your class files could reveal your key, reducing the dictionary necessary in a successful brute force attack. Open your classes.dex in a hex editor and try it.
It isn't the .java files you should be concerned with, as only your developers should be in there. It's the .class files. The next level of effort is some effort of obfuscation, but that really only limits the impatient.
Take a look at this discussion
https://groups.google.com/forum/#!topic/sqlcipher/OkE0rUwXEb8
I want to know how safe it is to pack the database with the application in android. Can the database be easily accessed by the users? As the database that I have will have data which I dont want to be hacked by users for misuse, what is the best way to protect the database in mobile apps?
Also my application would use web service(contacting my own website) e.g. http:\www.mysite.com/services/xxx
My site will in turn return some data to the mobile app. If someone decompiles the java code(in apk), he will easily get access to the URL i am using for web service. How can i protect my data on website to be attacked by malicious users. If anyone gets to know the URL, he can simply type that URL in browser and get all data in json format which i dont want as that data can be quite sensitive. Even if I keep it encoded, then the user can get to know the encoding from the java code(which he gets after decompiling apk).
How to keep my DB safe from being misused?
If my application is to show the local places like restaurants, bars etc on mobile should i always fetch them from the website using web service or provide a local database with these details so that information can be fetched quickly. In this case , I can provide a UPDATE web servcie which will update the local database. But security of local DB is of great concern to me.
Can anyone please suggest where to keep the DB and how to safeguard it?
Rgds,
Sapan
Local databases and your apk file can be read by any rooted device easily. This tool can even decompile your resources as explained in this youtube tutorial (I never tried that myself actually).
So you would have to store your data encrypted in your database and decrypt it form your application code to be sure that noone can access it by simply getting the database form the data directory of his device.
You shouldn't put your sensitive data (like passwords etc) in the resource folder, because it can be decompiled, put it in your code.
Now some words to your JSON API. Hiding the URL is not enough, since the user can track your requests easily by a sniffer and get that anyway. You should provide a authentication mechanism to protect unauthorized access and also protect your communication by SSL. (E.g. using HTTP authentication - makes only sense when your server provides SSL.)
This are the things you should think about and decide yourself how sensitive your data actually is.
As far as I understand you're going to:
Pack initial DB in your APK file (say with res/asset folder)
During first run explode DB file from res/asset to application data folder
Then from to time fetch data into DB from website/webservice
In this case there are basically 2 vulnerabilities (stored data I mean):
Initial DB image, since it's packed with APK (which is in real life just ZIP archive), so anyone can unpack and see what's packed in your DB
DB file stored in application data folder (usually /data/data/MY_APPLICATION_PACKAGE/databases). This folder is accessible on rooted device, so again your data can easily be screened
The only option to be secured is to encrypt your database content. Easiest way to do it to store sensitive data in BLOBs (in form of XML of JSON) and encrypt/decrypt those BLOBs after/before actual usage of certain records.
Myself personally did it in my app - and it works well.
check this links for protecting your apk file for decompile
How to make apk Secure. Protecting from Decompile
Protecting Android apk to prevent decompilation, network sniffing etc
decompiling DEX into Java sourcecode