I have a problem. I am using an xyz.db file which is stored in the asset folder. I am copying all data from xyz.db to the application db, which is stored in data/data/com.xyz/abc.sqlite in the storage folder. Now I want to secure the asset's xyz.db file, because it can be easily extracted from the apk by reverse engineering. Please help me to secure my asset folder's database file.
Check techniques related to database encryption, like SQLCipher. – Akshay Nov 08 '16 at 11:10
Look into https://www.guardsquare.com/dexguard which has the ability to encrypt assets and decrypt at runtime – Aegis Nov 08 '16 at 11:25
@Philliphe, I am also sailing in the same boat. Can you please let me know what steps / approach worked best for you? As in your approach, my db is loaded with some data which I don't want to expose. Is there a way we can secure this DB? I saw a problem with SQLCipher as we need to specify a passphrase. Can you please let me know what helped you? – Uday Jun 26 '18 at 10:59
3 Answers
You can do the following to make it relatively difficult to access data in the DB.
- Use a password-protected zip file to contain the db, which should be extracted at runtime.
- Encrypt the file with a symmetric key and decrypt it again at runtime.
- Utilize SQLCipher, which performs encryption for data at rest.
In both the above cases you will need to worry about storing the password or key. There is no sure-shot way to protect the file, but the above would require more effort and should be added as basic protection.

There's no final solution to your problem. Any technique you use can be beaten by a determined, skilled attacker.
You have to accept that if you want to store the database xyz.sql in your apk file and you later want your app to use it, then it will also be possible for someone who reverses your app to retrieve it, basically just because the plain text information will at a certain moment be available on the phone.
Hope I've been clear enough

Keep security in mind
As usual in Android the access rights of the database file determine who can use your database. If you follow the standard way presented in the following posts of this series, your database file will be located within the private directory of your app. This means that your app owns the database file and no one else can access it. Even using the other less common ways to create the database you can only grant access to the file. Thus others can access all of your database or nothing. There is no middle ground.
Still:
You should never rely on data being safe from prying eyes in the database. Any sensitive data should be encrypted. Very sensitive data should not be stored on the device at all. Keep in mind that if the device gets lost, any misbehaving finder of the device can gain access to the database file as well as to your app. On a rooted device all files can be read. Apps like SQLite Editor make it easy to read even sensitive data – if they are not encrypted:
- In cases where data privacy is of utmost importance, you have to revert to secured services or force the user to enter a secret every time before encrypting and storing the data or reading and decrypting them respectively. source

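The "encrypt the file with a symmetric key" option from the first answer, combined with the "force the user to enter a secret" advice quoted in the last one, as an added example that is not code from any of the posts above. It assumes the secret is typed in by the user and never stored in the apk; the class name, blob layout and iteration count are illustrative choices, and on Android PBKDF2WithHmacSHA256 needs API 26 or later.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
// Hypothetical helper. Blob layout: salt(16) || iv(12) || AES-GCM ciphertext+tag.
public class AssetDbCrypto {
    static final int SALT = 16, IV = 12, TAG_BITS = 128, ITER = 210_000; // ITER: example value
    // The AES key is derived from the user's secret, so no key material ships in the apk.
    static SecretKeySpec deriveKey(char[] secret, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(secret, salt, ITER, 256);
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(k, "AES");
    }

    // Build time: run on the developer machine and put only the returned blob in assets/.
    static byte[] encrypt(byte[] db, char[] secret) throws Exception {
        byte[] salt = new byte[SALT], iv = new byte[IV];
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(salt);
        rnd.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(secret, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(db);
        byte[] out = Arrays.copyOf(salt, SALT + IV + ct.length);
        System.arraycopy(iv, 0, out, SALT, IV);
        System.arraycopy(ct, 0, out, SALT + IV, ct.length);
        return out;
    }

    // Runtime: the GCM tag check fails on a wrong secret or a modified asset.
    static byte[] decrypt(byte[] blob, char[] secret) throws Exception {
        if (blob.length < SALT + IV + TAG_BITS / 8) throw new IllegalArgumentException("blob too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(secret, Arrays.copyOf(blob, SALT)),
               new GCMParameterSpec(TAG_BITS, blob, SALT, IV));
        return c.doFinal(blob, SALT + IV, blob.length - SALT - IV);
    }

    public static void main(String[] args) throws Exception {
        byte[] db = "SQLite format 3 (constructed sample bytes)".getBytes(StandardCharsets.UTF_8);
        byte[] blob = encrypt(db, "user secret".toCharArray());
        System.out.println("round trip ok: " + Arrays.equals(db, decrypt(blob, "user secret".toCharArray())));
        try { decrypt(blob, "wrong".toCharArray()); }
        catch (AEADBadTagException e) { System.out.println("wrong secret rejected"); }
    }
}
```

If the secret is hard-coded in the app instead of entered by the user, the concern both answers raise applies unchanged: the key ships in the same apk as the encrypted file.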