Android: How safe is database packed with application

Question

I want to know how safe it is to pack the database with the application in android. Can the database be easily accessed by the users? As the database that I have will have data which I dont want to be hacked by users for misuse, what is the best way to protect the database in mobile apps?

Also my application would use web service(contacting my own website) e.g. http:\www.mysite.com/services/xxx

My site will in turn return some data to the mobile app. If someone decompiles the java code(in apk), he will easily get access to the URL i am using for web service. How can i protect my data on website to be attacked by malicious users. If anyone gets to know the URL, he can simply type that URL in browser and get all data in json format which i dont want as that data can be quite sensitive. Even if I keep it encoded, then the user can get to know the encoding from the java code(which he gets after decompiling apk).

How to keep my DB safe from being misused?

If my application is to show the local places like restaurants, bars etc on mobile should i always fetch them from the website using web service or provide a local database with these details so that information can be fetched quickly. In this case , I can provide a UPDATE web servcie which will update the local database. But security of local DB is of great concern to me.

Can anyone please suggest where to keep the DB and how to safeguard it?

Rgds, Sapan

Answer 1

Local databases and your apk file can be read by any rooted device easily. This tool can even decompile your resources as explained in this youtube tutorial (I never tried that myself actually).

So you would have to store your data encrypted in your database and decrypt it form your application code to be sure that noone can access it by simply getting the database form the data directory of his device.

You shouldn't put your sensitive data (like passwords etc) in the resource folder, because it can be decompiled, put it in your code.

Now some words to your JSON API. Hiding the URL is not enough, since the user can track your requests easily by a sniffer and get that anyway. You should provide a authentication mechanism to protect unauthorized access and also protect your communication by SSL. (E.g. using HTTP authentication - makes only sense when your server provides SSL.)

This are the things you should think about and decide yourself how sensitive your data actually is.

Answer 2

As far as I understand you're going to:

1. Pack initial DB in your APK file (say with res/asset folder)
2. During first run explode DB file from res/asset to application data folder
3. Then from to time fetch data into DB from website/webservice

In this case there are basically 2 vulnerabilities (stored data I mean):

1. Initial DB image, since it's packed with APK (which is in real life just ZIP archive), so anyone can unpack and see what's packed in your DB
2. DB file stored in application data folder (usually /data/data/MY_APPLICATION_PACKAGE/databases). This folder is accessible on rooted device, so again your data can easily be screened

The only option to be secured is to encrypt your database content. Easiest way to do it to store sensitive data in BLOBs (in form of XML of JSON) and encrypt/decrypt those BLOBs after/before actual usage of certain records.

Myself personally did it in my app - and it works well.