
How to protect data in HTML5+PhoneGap mobile app?

Is it possible to protect an SQLite database inside a mobile app created using PhoneGap + HTML5? I have a big chunk of data that I would like to protect. But from the nature of the technologies used, it seems to me it's almost impossible. If it's not possible to protect the data, is it at least possible to use some obfuscation to discourage "script-kiddies" from trying to get to the data easily?

Frodik asked May 02 '11 17:05


2 Answers

A user of your software has more of a right to control the SQLite database than you do. Your software is just a visitor on his machine. Any form of encryption would be security through obscurity because you cannot have a secret (or secret key) on the device.

If you want to protect a database, then you have to host it. I recommend setting up a RESTful interface so that the JS on the mobile device can perform actions on the data. You should assume that the attacker has 100% access to this RESTful interface. You should never expose a function like do_query("select ...");. Make sure you take SQL injection into consideration.

rook answered Oct 22 '22 23:10
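
The hosted interface described in the answer above, as an added sketch that is not part of the answer or of any PhoneGap API. It assumes a Python server with SQLite; the `items` table, the `/items` route and the `handle` dispatcher are hypothetical names, and the rows are constructed sample data.

```python
import sqlite3

MAX_PAGE = 2  # small cap for the demo; one call can never dump the table

def make_db():
    """In-memory stand-in for the hosted database (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, body TEXT)")
    db.executemany("INSERT INTO items (name, body) VALUES (?, ?)",
                   [("route-1", "data 1"), ("route-2", "data 2"), ("route-9", "data 9")])
    return db

def search_items(db, params):
    """GET /items?q=...&limit=... : one fixed statement, caller supplies values only."""
    q = params.get("q", "")
    if not isinstance(q, str) or len(q) > 64:
        raise ValueError("bad q")
    try:
        limit = max(1, min(int(params.get("limit", MAX_PAGE)), MAX_PAGE))
    except (TypeError, ValueError):
        raise ValueError("bad limit")
    # Escape LIKE wildcards so % and _ sent by the client match literally.
    esc = q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = db.execute(
        "SELECT id, name, body FROM items WHERE name LIKE ? ESCAPE '\\' "
        "ORDER BY id LIMIT ?",
        ("%" + esc + "%", limit),
    ).fetchall()
    return [{"id": r[0], "name": r[1], "body": r[2]} for r in rows]

# The route table is the allowlist: there is no endpoint that accepts SQL text.
ROUTES = {("GET", "/items"): search_items}

def handle(db, method, path, params):
    """Dispatch a request; unknown routes and bad parameters never reach SQL."""
    handler = ROUTES.get((method, path))
    if handler is None:
        return 404, {"error": "not found"}
    try:
        return 200, handler(db, params)
    except ValueError as exc:
        return 400, {"error": str(exc)}
```

Client input only ever reaches the database as bound parameters, so a quote or wildcard in `q` is matched as literal text, and the page cap bounds how much data a single request can return.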


One thing you can do would be to encrypt the data as it goes into the database, and then decrypt it as it comes back out. To do this in a semi-maintainable way, you would need some sort of DB access layer where the encryption/decryption can happen so that your main app doesn't need to worry about it.

I'm not particularly well versed with PhoneGap, so I'm not sure if there are any existing plugins that do this. But if you don't mind the hassle of encryption/decryption being coupled in with your app code, you could just pass everything through an encrypt(myData) function on the way into the DB and then through a decrypt(myData) function on the way out. This would work pretty well if you are only going to/from the DB in a couple of places.

This is a fairly heavy-weight solution, but as you said, the options are fairly limited.

Lastly, I would suggest using the device ID (if you can get to it), or some other per-account or per-device method of getting the encryption key so that each device is more difficult to crack, rather than all devices using the same key. A hash of the username or salted username or salted salted-hash hash of the password might all be good options.

cdeszaq answered Oct 23 '22 00:10