I have replaced SQLiteOpenHelper with import net.sqlcipher.database.SQLiteOpenHelper
For inserting datas into Database and getting data from it, I have usedSQLiteDatabase db = this.getWritableDatabase("mypassword");
instead of below
SQLiteDatabase db = this.getWritableDatabase();
Below is my oncreate and onUpgrade,
@Override
public void onCreate(net.sqlcipher.database.SQLiteDatabase db) {
db.execSQL(ARecords.CREATE_TABLE);
db.execSQL(BRecords.CREATE_TABLE);
}
@Override
public void onUpgrade(net.sqlcipher.database.SQLiteDatabase db, int oldVersion, int newVersion) {
// Drop older table if existed
db.execSQL("DROP TABLE IF EXISTS " + ARecords.TABLE_NAME);
db.execSQL("DROP TABLE IF EXISTS " + BRecords.TABLE_NAME);
//Create tables again
onCreate(db);
}
In MainActivity,
SQLiteDatabase.loadLibs(this);
below is my dependencies
implementation 'net.zetetic:android-database-sqlcipher:4.4.3'
implementation 'androidx.sqlite:sqlite:2.1.0'
I am using SQLCipher for preventing my application from attacker gets access to the data stored in the /data/data/com.applicationname/ directory
Rooted devices can have access to the data/data/com.applicationname/ directory right.Then using SQLCipher wont allow users to the directory ?
Also I have seen below tutorial for Encryption. So now I am confused. Using SQLCipher itself good or need to do like below tutorial
https://www.raywenderlich.com/778533-encryption-tutorial-for-android-getting-started%20tutorial#toc-anchor-001
Thanks in Advance.
I assume that you're bundling your database inside assets or something like that, and in this case, it doesn't matter how much you try, there's always an attacker who can attack you (but in most cases they won't because there's nothing in it for them) But a password might slow down the attacker (but if it's going to be bundled, you also have to put password inside your code which means no security at all)
If you hardcode your password into the code, then it's definitely not secure. If an attacker gets your APK and knows how to decompile it, he can easily get the DB password, and it doesn't matter how obfuscated the code is.
One way is to ask a user to fill in a password (via some dialog), before each time a DB connection is established. Then, this password can be used for opening a connection. Obviously, it must be strong enough and not stored anywhere afterwards. It's also a good idea to offer changing a password for your DB because users to tend to use the same password for several services, if their password gets compromised, they need to be able to change it.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With