
How to store the key used in SQLCipher for android

I am using SQLCipher for Android. I have done all the necessary things that are needed for loading the libs as mentioned in http://sqlcipher.net/sqlcipher-for-android/

I observed that you set the password, i.e. the key, in:

    SQLiteDatabase database = SQLiteDatabase.openOrCreateDatabase(databaseFile, "test123", null);

Then how is your password safe from a hacker, as it can be accessed from a Java file?

Is there any correct way where I can store the password?

Thanks, Nibs

nibz asked Feb 24 '14 12:02


1 Answer

I would like to suggest the following approach:

  • The first time you create the database you have to create a random password.
  • You store this password in the Keystore.
  • Whenever you open the app you read the password from the keystore and use it for connecting to the database.

So how does the keystore access work? See blog entry 1 and blog entry 2 and the corresponding GitHub repository. The solution is available for Android versions 2.1 to 4.3.

Big caveats:

  1. The solution works only with private API access, so it might break in the future.
  2. A screen lock password is required to store keys and all keys are wiped if a user removes his lock screen password.

ChrLipp answered Sep 18 '22 12:09