Hello I have an android application. In my app I have a SQLite database stored on the device that should be synchronized with a MySQL database stored on the server.
Now I have to retrieve a list of IDs. I can do it querying the SQLite database or the MySQL database. I chose to use the SQLite database because it'd be much faster and easier considering what I have to do. But now I was thinking about it and I have a question: Are the android SQLite database files safe? I mean is there a possibility that someone access these files and modify information inside them or are they hidden to users?
Because if I ask information from the server I'm sure that it is safe, instead I don't know the security level of android databases.
Let's suppose that each ID corresponds to an application ID I paid for (for example application 3 and 5). When I find a way to modify the android database and so adding also application 7 and 8 it would seem to the device that I've paid also for these applications instead I didn't and I can't use them. That's why I was thinking to query the MySQL database, because the user can't modify it, but this way it's gonna be slower. What do you think?
Ideally data stored in your apps private /data directory would be private, but if someone roots their phone they have unfettered access to it. Its best to design based on the assumption that your on-phone database is unsafe without encryption and even then it's still possible that users can try to break in.
With a rooted device, a user could easily add / remove / modify existing records in the database.
One thing you could do, is compute an MD5 hash of the rows in your DB and compare it against a hash you have stored on your MySQL server for that particular user before accepting the "paid" values of your local cache database. This approach may or may not be acceptable to you because obviously it requires an internet connection.
Please check these option too, they might help anyone who want to secure the database.
SQLCipher for Android
1- android Sql3 wrapper library
2- libsqlite3_jni.so
also please read the article below are make your search on the option above, i hope this would help much.
http://www.findbestopensource.com/product/sqlite3-android
Note:
you can secure your device fully as if the device will be rooted by anyone. So use some other secure way like secure the database with 2 factor authentication and password protected.
In case someone rooted your device at least you should have some password protected file .
Related
I am working on an Android project where I will have to edit (only decrement) data from an online database. I want to stop anybody from changing the values by themselves. It should be possible only through the Programming.
In short my online database would contain the Balance of a particular account.
While using some of my services in my app, the balance will get deducted.
App should only be able to deduct the value. I dont want any hacker to study my code and be able to increment the balance by any mean.
Is there any possible mean to add security to database. The database should be very secure.
If you want security over network, Do it using existing and well implemented secure protocol, e.g. TLS/SSL. openssl is one good implementation: http://www.openssl.org/
If you even want data to be secure on the server, even the root cannot access it, check this: http://css.csail.mit.edu/cryptdb/
I understand that Soundhound on Android doesn't currently store favorites on the cloud. They must therefore be on the local storage somewhere.
Does anyone know a good way to access the favorites programmatically ?
I know the user can email his favorites but I would like to access them through my code without user interaction.
Thanks!
Local app storage is generally restricted. One application can not access the local storage of another's without explicit permission of some sort. Either the application (Soundhound) has to set access to global (unlikely) or explicitly expose the data via some sort of API (also extremely unlikely). I would expect this to not be reasonably possible (without root permissions).
It's discouraging to find a -1 vote on the first question I asked here but here's the answer to my own question anyways...
As of Android 4.2.2, the Soundhound data is stored in this Sqlite3 DB:
/data/data/com.melodis.midomiMusicIdentifier.freemium/databases/bookmarks.db
There's no content provider for the bookmarks so of course using the DB isn't a good idea since its subject to change in any future release of the app.
My App has an already existing Database. With "already existing" I mean that I don't create a Database in my App, I just connect to it and read the data.
To setup the connection I use SQLDroid.
Now I want to know is there any possibility to encrypt my Database with SQLDroid? Otherwise my Database is unencrypted and anyone could read the data.
I already tried to work with SQLCipher, but there is the problem that I have to create my Database in my App what I'm not doing...
I know that there are possibilities to work with an online App (-> database is on a server), but this is no solution in my case, because I have to make an Offline-App.
I'm glad about every idea.
Thank you.
Otherwise my Database is unencrypted and anyone could read the data.
You cannot hide data from the user of the device. Even if you encrypt the data, you would have to have the decryption key in your app, which can be found without much effort.
Using encrypted databases (e.g., SQLCipher for Android) to allow the user to defend the user's data against other people is perfectly reasonable.
That being said, SQLDroid would need to be ported to use SQLCipher or some other encrypted SQLite engine. I see no evidence that this work has been done.
I'm about to build a GPS Spot Finder application with Android and I am trying to decide what requirements are feasible and what aren't. The app would enable users to essentially add different spots on a Google Map. One of the problems would be fetching the data, adding new spots, etc, etc. This, of course would mean the database would have to be online and it would have to be central. My question is, what kind technologies would I need to make this happen? I am mostly familiar with XAMPP, PHPMyAdmin and the like. Can I just use that and connect Android to the database? I assume I would not need to create a website...just the database?
What different approaches can I take with this? Be great if people can point me in the right direction.
Sorry if I don't make any sense and if this type of question is inappropriate for Stackoverflow :S
Create a website to access the database locally, and have Android send requests to the website.
If users are adding spots to a map that only they see, then it makes sense to keep the data local to Android using a built-in database (SQLite). That looks like
ANDROID -> DATABASE
You can read up about SQLite options here.
If users need to see all the spots added by all other users, or even a subset of spots added by users, then you need a web service to handle queries to the database: Connect to a remote database...online database
ANDROID -> HTTP -> APPLICATION SERVER -> DATABASE
Not only is trying to interface directly to a database less stable, but it may pose risks in terms of security and accessibility.
Never never use a database driver across an Internet connection, for any database, for any platform, for any client, anywhere. That goes double for mobile. Database drivers are designed for LAN operations and are not designed for flaky/intermittent connections or high latency.
Additionally, Android does not come with built in clients to access databases such as MySQL. So while it may seem like more work to run a web service somewhere, you will actually be way better off than trying to do things directly with a database. Here is a tutorial showing how to interface these two.
There is a hidden benefit to using html routes. You will need a programming mindset to think through what type of data is being sent in the POST and what is being retrieved in the GET. This alone will improve your application architecture and results.
Why not try using something that is already built into android like SQLite? Save the coordinates of these "spots" into a database through there. This way, everything is local, and should be speedy. Unless, one of your features is to share spots with other users? You can still send these "spots" through different methods other than having a central database.
And yes, you just need an open database, not a website, exactly. You could technically host a database from your home computer, but I do not suggest it.
If you are looking at storing the data in your users mobile nothing better than built in SQLLite.
If you are looking at centralized database to store information, Parse.com is a easy and better way to store your user application data in centralized repository.
Parse.com is not exactly a SQL based database, However you can create table , insert / update and retrieve rows from android.
Best part is it is free upto 1GB. They claim 400,000 apps are built on Parse.com. I have used few of my application typically for user management worked great for me.
I'm developing an application which will be storing user sensitive data. My issue is using other applications that a user can view that stored data with. Then I need to provide better security for the data in general.
Is there any way to provide better security for SQLite database and tables?
Encrypt your data before you enter it in the database. As far as I know, the SQLite database is kept in a single file somewhere in the /data/ directory. What is more, your data is kept in plain text format. This means that it will always be possible for someone to extract that data by rooting the phone, obtaining the .db SQLite file and opening it with a text editor.
So, encrypt your data :)
--
Okay, maybe not a text editor, but a simple hex editor. Anyways...
Check out SQLCipher for Android. It's free (Apache 2 and BSD licences).
PS.: Some ORMs also support SQLCipher now, e.g. our greenDAO.
The author of sqlite offers a version that encrypts data. It's not free though
You could encrypt the data using a user specific salt retrieved from your server. That way, even with root access you would need the users salt to decrypt the database. Since you have control over the salt you provide an extra layer of security, however, your user will always need a network connection to access their data.
why are you keeping sensitive data on the phone? If its sensitive, why not send it back to the server where you have control over things. If the user roots their phone, they can basically do what they want. Other than that, encrypting like Shade mentioned would probably be your only option...
Good way to protect the the Database is to use the password Protected database and you can create it by using
1- android Sql3 wrapper library
2- libsqlite3_jni.so
also please read the article below are make your search on the option above, i hope this would help much.
http://www.findbestopensource.com/product/sqlite3-android