2

I'm building an Android app in which I need to encrypt the database. For this I now want to use SQLCipher. I'm now reading about it, but there's something which I don't understand; where does the password reside? Should it be stored somewhere in the Java code, or can the (4 digit) passcode of a user be used to encrypt and decrypt the DB?

And thinking further; what if I have multiple users that can log into the app (I always confirm the passcode with our own API), is it possible to give several users with different passcodes access to the same database (i.e. decrypt it)?

All tips are welcome!

kramer65
  • 50,427
  • 120
  • 308
  • 488

1 Answers1

4

where does the password reside?

In the user's head, or some other place the user elects to store it.

Should it be stored somewhere in the Java code

Not if you want useful security. Anyone can reverse-engineer the app to get the hard-coded passphrase.

can the (4 digit) passcode of a user be used to encrypt and decrypt the DB?

I have no idea what you are referring to. You are certainly welcome to prompt the user for a passphrase. Please do not limit it to a 4 digit value, though, as that can be brute-forced very easily.

is it possible to give several users with different passcodes access to the same database (i.e. decrypt it)?

Not really. SQLCipher only supports one passphrase per database. You can have different databases per user, each encrypted with the user's own hopefully-decent passphrase.

CommonsWare
  • 986,068
  • 189
  • 2,389
  • 2,491