Android. How to protect your database?

Question

Do you know any ways to protect a database in Android?

I would like to implement the following, but don't know whether it is possible:

1. Limit access to the database to only the application owner (which created and serves it).
2. Restrict or deny access to the database from all other applications during the usage session of DB owner application.
3. Are there any ways to password protect your database?

Tests with sqlite3 showed that you can change the database while another application uses it. So, I assume that possibly some external application can corrupt your data or use it, which is bad.

Also, how do you propose to process a database exception that could occur during such simultaneous database usage:

1. show to user message and close
2. show to user message and continue working
3. just close?

After all this happens, how do you propose to launch application next time?

Thanks

Answer 1

The android system automatically implements and enforces option (1) from your list. Every application on the phone/system has its own user ID, and no application can access the database files of any other application.

If you do want to share your data (with access controls), you can create a content provider, which can then be used by other applications: http://developer.android.com/intl/de/reference/android/content/ContentProvider.html

There are a couple of exceptions to the rules above:

1. In the emulator in the SDK, the adb shell gives you full access to the emulated phone's filesystem. This is not the case in a live android phone.
2. In a phone that has been "rooted", any application that gets root permissions can then access the db files of any other application (as well as anything else) - this is the cost/risk of rooting your phone, and is the device owner's responsibility.

Basically, you don't need to worry about it. Android will normally prevent these issues for you.

Answer 2

You should actually worry a lot. Is very easy to get your database and even code without rooting the phone. Here is an example of how to do it:

1. Download ASTRO file manager.
2. Use the option to backup your application into the SD card.
3. Transfer the backed up file into your Computer.
4. Use the Apk_OneClick tool (search on internet) to decompile the application package.

Now you have everything, code, database, images, xml files, everything!

So I can tell you you can have others people code and database in a few minutes. To protect your application use ProGuard, and use some type of encryption for your database. Personally I encrypt each field data and decrypt it at run time, with simple encryptions as XOR it doesn't really put much performance penalty.