
Ok, let's say that I have an app on my phone that uses a database (SQLite, Realm DB, etc.) to store data that the app uses, and then some bad entity (hacker) gets hold of my non-rooted phone and somehow gains access to it.

If the entity can decompile the code and create his own app (or just the parts that need the data) to use the database, could he then move the database from my device onto another device (or to another app on my device, it doesn't really matter) and then access/use the data in the database (whether the data is encrypted or not)?

An example would be to just take the encrypted data, send it straight to a REST API and get back a valid response.

Is there a "tampering connection" to a mobile database so it can't be used in another device/app sandbox? It's probably different between databases and OSes.

Disclaimer: All my apps and APIs use JWT tokens and server-side validation, and on top of that HTTPS pinning to the server's cert, so I'm not asking for best-practice security. Look at the question more like a need to sell management on security by me trying to answer "Can it be done?"

Sturla
  • If they can get root access and keep the data, it's simply a matter of going to **data/data/respective_package_name/databases**, copying the file and then using an SQLite manager to see and manipulate the database. That's for SQLite anyway. I frequently copy SQLite databases to Windows and use SQLite Manager (browser extension), even sometimes manipulate the database and reverse the process to then get a changed database on the device (don't know about iOS). – MikeT Sep 22 '17 at 10:30

1 Answer


Both Realm and SQLite are backed by a single file. So if a hacker can access the file system, they can copy the file out and do whatever they want with it, including reading and modifying it.

If your app ships with a pre-filled database, then they can just decompile the app and copy the file out as well.

If you are concerned about the data leaking from the device, you can prevent this by encrypting the local database. Realm has built-in encryption for both Android and iOS, and SQLite supports it if you include SQLCipher.

As long as your encryption key is not stored on the device, but either derived from a local login or sent from the server, then it should be 100% safe to have a local database without being concerned about data leaks.

Christian Melchior
  • Only problem with SQLCipher is that it's all or nothing. – MikeT Sep 22 '17 at 11:11
  • Wouldn't you consider randomly generating the encryption key for the database and storing it in the Android Keystore/iOS Keychain? – Sturla Sep 22 '17 at 14:42
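The point the answer makes is that the copied file is only useful to whoever can reproduce the key, so the key must come from somewhere the file copy does not include (a login password or the server). The following is an added illustration, not code from the question, the answer, Realm or SQLCipher: it builds a small SQLite file with constructed sample rows, derives a key from a login password with PBKDF2 and a per-install salt, encrypts the whole file, and shows that the copied ciphertext no longer carries the SQLite header and that a wrong password is rejected. The cipher layer (an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag) is a stand-in chosen only so the example runs with the Python standard library; a real app would use SQLCipher or Realm's built-in AES, which is what the answer recommends. The password, salt handling and table contents are all assumptions made for the example.

```python
"""Added example: file-level encryption of a SQLite database with a key that is
derived from a login password instead of being stored on the device.
The cipher construction below stands in for SQLCipher/Realm AES so the example
needs only the standard library; it is not their implementation."""
import hashlib
import hmac
import os
import sqlite3
import tempfile

PBKDF2_ITERATIONS = 600_000   # current OWASP figure for PBKDF2-HMAC-SHA256
NONCE_LEN = 16
TAG_LEN = 32                  # HMAC-SHA256 output


def derive_key(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte master key from the user's login password.
    The salt is per install and may sit next to the database file;
    it is not secret, the password is."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _subkeys(master: bytes) -> tuple[bytes, bytes]:
    # Separate keys for encryption and authentication, derived from the master.
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode over HMAC-SHA256 used as a PRF (stand-in for AES-CTR).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_blob(master: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, encrypt-then-MAC."""
    enc_key, mac_key = _subkeys(master)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_blob(master: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a modified file is rejected."""
    enc_key, mac_key = _subkeys(master)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered database file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_sample_db() -> bytes:
    """Constructed sample: the kind of table the question is worried about."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.db")
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE session (user TEXT, token TEXT)")
        con.execute("INSERT INTO session VALUES (?, ?)",
                    ("alice", "constructed-jwt-placeholder"))
        con.commit()
        con.close()
        with open(path, "rb") as f:
            return f.read()


def query_db(db_bytes: bytes) -> list:
    """Open a decrypted copy with the normal sqlite3 driver and read it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.db")
        with open(path, "wb") as f:
            f.write(db_bytes)
        con = sqlite3.connect(path)
        rows = con.execute("SELECT user, token FROM session").fetchall()
        con.close()
        return rows


def demo() -> dict:
    """What an attacker sees in the copied file versus what the logged-in app sees."""
    salt = os.urandom(16)                      # stored beside the file, not secret
    plain = build_sample_db()
    on_disk = encrypt_blob(derive_key("correct horse battery", salt), plain)
    try:
        decrypt_blob(derive_key("guess", salt), on_disk)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "plain_is_sqlite": plain.startswith(b"SQLite format 3\x00"),
        "encrypted_is_sqlite": on_disk.startswith(b"SQLite format 3\x00"),
        "wrong_password_rejected": rejected,
        "rows": query_db(decrypt_blob(derive_key("correct horse battery", salt), on_disk)),
    }
```

Run `demo()` to see the three outcomes: the original file carries the `SQLite format 3` header and opens normally, the copied ciphertext does not, and a wrong password fails the tag check before any bytes are decrypted. Note that this only covers the file-at-rest case the answer addresses; once the app itself has derived the key, the data is in plaintext in process memory, which is why a rooted device (as MikeT's comment points out) changes the picture.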