I have implemented SQLCipher
in my Android application to make it's database secure. SQLCipher
needs a key to encrypt database file. The problem I am facing is key protection, if my application is used on a rooted device or is reverse engineered then my key will be exposed and database can be decrypted.
Please note that my application doesn't ask for password every time user opens it and thus user entered password can't be used as the key. I want to implement behavior like facebook, whatsapp applications, which encrypts data using private-key/key without asking any password and keeps the users logged in all the time. Where and how these applications store their key?
Please suggest a solution/algorithm that will protect the key.Also, does Android OS provides any such functionality for data protection/management?
Open your device's Settings app. Tap Security & Location. Under "Encryption," tap Encrypt phone or Encrypt tablet. (If your battery isn't charged or your device isn't plugged in, you won't be able to tap this option.)
You can use Andriod Keystore to encrypt your SQLCipher password.
I had the same issue while ago, where SQLCipher was used to secure data, but password itself was not. This allowed a security flaw where a simple decompilation would reveal the password as it was in the form of string constant.
My solution was:
Here is a sample project I made which also has a SQLCipher use case same as yours.
Encryption Helper for Encrypting Passwords
Use case for SQLCipher
Note that the term you are using as encryption key is used as password/number for DB in above discussion.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With