1

I had a search around but I have not really found what I am looking for. I am developing a Flex application for mobile devices. This application will sync customer data down from an API to the mobile device, but once on the device I plan to hold it in a SQLite DB. How can I secure this data? I know that I could hash it but I guess that someone would be able to decompile the application and get the hash key. I am new to Flex and mobile development so there may be a really obvious answer that I have missed.

Thanks in advance

JaCHNo

JaChNo

3 Answers

2

I wouldn't recommend using AS3 based cryptography to encrypt data on the DB since it would be slow and impossible to use the data unless you decrypt everything and re-encrypt between queries (that is of course, unless you have to encrypt it like say hashing passwords of users or something so that you can do a one way compare). Encrypting the DB itself is the best way.

Here's a tutorial on how to do it.

J_A_X
  • I also believe that using AS3 based Cryptography to encrypt lots of data would be a performance drag, so +1 from me. – JeffryHouser Jul 23 '11 at 00:04
0

If you only need to protect a few/several pieces of data (e.g. credit card data, phone number, but not their order history or something); I would use the EncryptedLocalStore. It's a simple solution to use and it's already in the framework, so it's Adobe tested and you aren't adding to the size of the app unnecessarily.

From what I remember, the as3lib has actual encryption utilities; but it wasn't intended for mobile.

Side note:
Hashing technically isn't encrypting. Encrypting, by definition, implies a secret key that, if known, can be used to easily (formally easy anyway) recover the original information. Hashing is "kind of" like encrypting but immediately deleting the key so that, unless you know what the original information is, you have no idea what you'd have to use for original input to get the output/hash. Or... adding data to it and then just scrambling it all up.

Chaos7703
0

Nothing about your question is really unique to mobile devices.

I believe you either have to encrypt the local SQLite database or encrypt the data stored in it.

Here is some documentation on dealing with encrypted SQLite databases.

There are also a few libraries for encrypting data. ASCrypt3 and AS3Crypto if you wanted to encrypt the data, but not the database.

You mentioned hashes; usually when people talk about hashes they are talking about one-way encryption, so I'm not sure what benefit that would be in a data store where you need to read the data.

JeffryHouser
  • Thanks for the info. Looking at it I still have to specify a password for the encryption in the code. Does this pose a risk in as far as the application will be deployed to Android and iPhone? Or am I best getting the user to set something like a PIN that they use to unlock the application? – JaChNo Jul 22 '11 at 20:25
  • If the decryption key is hard coded as part of the app; it can be retrieved by decompiling that app. Having the user enter it manually may help; assuming those users secure those codes in some manner. – JeffryHouser Jul 22 '11 at 21:35
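
The option raised in the comments above (a database key derived from something the user enters, instead of a constant compiled into the app), as an added example that is not code from any of the posters. It assumes the as3corelib `EncryptionKeyGenerator` class is bundled with the app; `CustomerStore` and `customers.db` are hypothetical names.

```actionscript
package
{
    import com.adobe.air.crypto.EncryptionKeyGenerator; // from as3corelib
    import flash.data.SQLConnection;
    import flash.data.SQLMode;
    import flash.errors.SQLError;
    import flash.filesystem.File;
    import flash.utils.ByteArray;

    // Hypothetical wrapper class; not part of AIR or as3corelib.
    public class CustomerStore
    {
        private var conn:SQLConnection = new SQLConnection();
        private var keyGen:EncryptionKeyGenerator = new EncryptionKeyGenerator();

        // Returns true if the database was opened (or created) with a key
        // derived from the passphrase, false if the passphrase is rejected.
        public function unlock(passphrase:String):Boolean
        {
            // getEncryptionKey() throws on weak input, so check first.
            if (!keyGen.validateStrongPassword(passphrase))
                return false;

            // 16-byte key derived from the passphrase plus a random salt that
            // the generator keeps in EncryptedLocalStore. Nothing in the
            // compiled app is enough to rebuild it.
            var key:ByteArray = keyGen.getEncryptionKey(passphrase);

            // Hypothetical file name.
            var dbFile:File = File.applicationStorageDirectory.resolvePath("customers.db");
            try
            {
                conn.open(dbFile, SQLMode.CREATE, false, 1024, key);
                return true;
            }
            catch (e:SQLError)
            {
                // Wrong key: AIR cannot read the file as a database.
                if (e.errorID == EncryptionKeyGenerator.ENCRYPTED_DB_PASSWORD_ERROR_ID)
                    return false;
                throw e;
            }
            return false;
        }
    }
}
```

A short numeric PIN will not pass `validateStrongPassword`, so the user secret here has to be a passphrase rather than a four-digit code.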