
How to protect my encryption key in Android?

I have implemented SQLCipher in my Android application to make its database secure. SQLCipher needs a key to encrypt the database file. The problem I am facing is key protection: if my application is used on a rooted device or is reverse engineered, then my key will be exposed and the database can be decrypted.

Please note that my application doesn't ask for a password every time the user opens it, and thus a user-entered password can't be used as the key. I want to implement behavior like the Facebook and WhatsApp applications, which encrypt data using a private key/key without asking for any password and keep the users logged in all the time. Where and how do these applications store their key?

Please suggest a solution/algorithm that will protect the key. Also, does Android OS provide any such functionality for data protection/management?

Syed Taruf Naqvi asked Mar 07 '18 06:03




1 Answer

You can use Android Keystore to encrypt your SQLCipher password.

I had the same issue a while ago, where SQLCipher was used to secure data, but the password itself was not. This allowed a security flaw where a simple decompilation would reveal the password, as it was in the form of a string constant.

My solution was:

  • Generate a random number when app starts at first. (You can change this behaviour for whatever suits you)
  • Encrypt this number using Android Keystore.
  • The original form of the number is gone once it's encrypted.
  • Save this in Prefs.
  • Now, whenever SQLCipher needs password, it will decrypt it and use it.
  • Since Android Keystore is providing keys at runtime, and keys are strictly app specific, it will be hard to break this database.
  • Although everything can be broken, this approach will make it a lot harder for the attacker to retrieve data from the DB, or the DB password.

Here is a sample project I made which also has a SQLCipher use case same as yours.

Encryption Helper for Encrypting Passwords

Use case for SQLCipher

Note that the term you are using as encryption key is used as password/number for DB in above discussion.

Talha answered Sep 28 '22 19:09
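
The steps listed in the answer above, as an added Kotlin example (not the answerer's sample project): a random database passphrase is generated on first run, wrapped with a key held in Android Keystore, and stored in SharedPreferences. The alias, preference names and function names are hypothetical, and the example assumes API 23+ and AES-GCM as the wrapping cipher, which the answer does not specify.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.KeyStore
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical names chosen for this example.
private const val KEY_ALIAS = "db_passphrase_wrapper"
private const val PREFS = "db_secrets"
private const val PREF_BLOB = "wrapped_passphrase"

// Fetch the AES key held by Android Keystore, creating it on first use (API 23+).
private fun wrappingKey(): SecretKey {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }.generateKey()
}

// Returns the database passphrase bytes, generating and wrapping them on first run.
fun databasePassphrase(context: Context): ByteArray {
    val prefs = context.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    val stored = prefs.getString(PREF_BLOB, null)
    if (stored != null) {
        // Stored layout: 12-byte IV followed by ciphertext and GCM tag.
        val blob = Base64.decode(stored, Base64.NO_WRAP)
        cipher.init(Cipher.DECRYPT_MODE, wrappingKey(), GCMParameterSpec(128, blob, 0, 12))
        return cipher.doFinal(blob, 12, blob.size - 12)
    }
    val passphrase = ByteArray(32).also { SecureRandom().nextBytes(it) }
    cipher.init(Cipher.ENCRYPT_MODE, wrappingKey()) // Keystore supplies a fresh random IV
    val blob = cipher.iv + cipher.doFinal(passphrase)
    prefs.edit().putString(PREF_BLOB, Base64.encodeToString(blob, Base64.NO_WRAP)).apply()
    return passphrase
}
```

The Keystore key itself cannot be exported, but code running as the app on a rooted device can still ask the Keystore to decrypt the stored blob, so this raises the cost of recovering the passphrase rather than ruling it out.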