6

I have an encrypted db with the "sqlcipher library", but now I don't know where I can store the db passwrod in the correct way, inside the app. I think that SharedPreferences, in PRIVATE_MODE, is a good place to store it; but I'm not sure. Any suggestion? Thanks.

Paolo
  • 555
  • 4
  • 28
  • 2
    You can't hide the users data from the user (the data on the phone is their data). You can try to obfuscate the sqlcipher password a few ways, but ultimately the code can be decompiled and anyone can get the password. An encrypted db on the device just helps keep out casual onlookers a little, it won't keep out a determined user (or attacker). – Charlie Collins Aug 09 '13 at 15:59
  • Thank you, so if I have a rooted device.. there is no possibility to store the password in a safe way. – Paolo Aug 09 '13 at 15:59
  • @Paolo That is correct. – ObieMD5 Aug 09 '13 at 16:21

3 Answers3

3

Even if you were to hide the password within the app itself, it can still be decompiled and found out. There is no where safe on a device with root. Your best bet would to have the db on a web-server and have the data retrieved from the server. That is the only way to keep a database safe from users (if the server is setup and secure).

ObieMD5
  • 2,684
  • 1
  • 16
  • 26
  • Hi, thank you. I already have a db on a web-server for login etc., my intent is only to save in a secure way the sensitive user data. But I knew I had a bit exaggerated with security :P – Paolo Aug 09 '13 at 16:16
3

I don't know where I can store the db passwrod in the correct way

The "correct way" is for the password to be inside the user's head, as the only reason to use SQLCipher for Android is to allow the user to defend the user's data.

You appear to be attempting to use SQLCipher for Android as a DRM mechanism, which will not work. There is no place for you to store a password "inside the app" that users cannot get to, given sufficient interest in doing so.

CommonsWare
  • 986,068
  • 189
  • 2,389
  • 2,491
2

Depends on how paranoid you want to be. That will work if the device isn't rooted. If it is rooted, there's nowhere safe on the device.

Gabe Sechan
  • 90,003
  • 9
  • 87
  • 127