How to store the key used in SQLCipher for android

Question

I am using SQLCipher for Android. I have done all the necessary things that are needed for loading the libs as mentioned in http://sqlcipher.net/sqlcipher-for-android/

I observed that you set the password i.e the key in :

    SQLiteDatabase database = SQLiteDatabase.openOrCreateDatabase(databaseFile, "test123", null);

Then how is your password safe from a hacker? As it can be accessed from a java file. ?

Is there any correct way where i can store the password ?

Thanks, Nibs

Answer 1

I would like to suggest the following approach:

• The first time you create the database you have to create a random password.
• You store this password in the Keystore.
• Whenever you open the app you read the password from the keystore and use it for connecting to the database.

So how does the keystore access work? See blog entry 1 and blog entry 2 and the corresponding github repository. The solution is available for Android version 2.1 to 4.3.

Big caveats:

1. The solution works only with private API access, so it might break in the future.
2. A screen lock password is required to store keys and all keys are wiped if a user removes his lock screen password.