 

Is my SQLite database secured after using SQLCipher?

I have replaced SQLiteOpenHelper with import net.sqlcipher.database.SQLiteOpenHelper

For inserting data into the database and getting data from it, I have used
SQLiteDatabase db = this.getWritableDatabase("mypassword");

instead of below

SQLiteDatabase db = this.getWritableDatabase();

Below are my onCreate and onUpgrade:

@Override
public void onCreate(net.sqlcipher.database.SQLiteDatabase db) {
    db.execSQL(ARecords.CREATE_TABLE);
    db.execSQL(BRecords.CREATE_TABLE);
}

@Override
public void onUpgrade(net.sqlcipher.database.SQLiteDatabase db, int oldVersion, int newVersion) {
    // Drop older tables if they exist
    db.execSQL("DROP TABLE IF EXISTS " + ARecords.TABLE_NAME);
    db.execSQL("DROP TABLE IF EXISTS " + BRecords.TABLE_NAME);
    // Create tables again
    onCreate(db);
}

In MainActivity,

SQLiteDatabase.loadLibs(this);

Below are my dependencies:

implementation 'net.zetetic:android-database-sqlcipher:4.4.3'
implementation 'androidx.sqlite:sqlite:2.1.0'

I am using SQLCipher to prevent an attacker from getting access to the data my application stores in the /data/data/com.applicationname/ directory.

Rooted devices can have access to the /data/data/com.applicationname/ directory, right? Then does using SQLCipher stop users from reading the database in that directory?

  1. Now I want to make sure whether my database is secured. How can I check that?
  2. I am using a hardcoded password inside getWritableDatabase. Is that a good way to do it, or can it be hacked?

Also, I have seen the tutorial below for encryption, so now I am confused. Is using SQLCipher by itself good enough, or do I need to do it like the tutorial below?

https://www.raywenderlich.com/778533-encryption-tutorial-for-android-getting-started%20tutorial#toc-anchor-001

Thanks in Advance.

Kousalya asked Mar 17 '21 07:03


2 Answers

I assume that you're bundling your database inside assets or something like that, and in this case it doesn't matter how much you try: there's always an attacker who can attack you (but in most cases they won't, because there's nothing in it for them). A password might slow down the attacker, but if the database is going to be bundled, you also have to put the password inside your code, which means no security at all.

Amin answered Sep 20 '22 20:09


Password hardcoding is not secure

If you hardcode your password into the code, then it's definitely not secure. If an attacker gets your APK and knows how to decompile it, he can easily get the DB password, and it doesn't matter how obfuscated the code is.

What to do then

One way is to ask the user to fill in a password (via some dialog) each time before a DB connection is established. Then this password can be used for opening the connection. Obviously, it must be strong enough and must not be stored anywhere afterwards. It's also a good idea to offer changing the password for your DB, because users tend to use the same password for several services; if their password gets compromised, they need to be able to change it.

Anatolii answered Sep 20 '22 20:09
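The approach in this answer (user-typed passphrase, never stored, changeable) together with a check for question 1 of the post, written as an added example rather than code from the question or the answers. It uses the android-database-sqlcipher 4.x API from the question's dependencies; the helper class name, table and file name are hypothetical.

```java
import android.content.Context;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import net.sqlcipher.database.SQLiteDatabase;
import net.sqlcipher.database.SQLiteException;
import net.sqlcipher.database.SQLiteOpenHelper;

// Hypothetical helper; the class, table and file names are constructed for this example.
public class SecureRecordsHelper extends SQLiteOpenHelper {
    public static final String DB_NAME = "records.db";
    // Every unencrypted SQLite file starts with these 16 bytes; SQLCipher overwrites them with a random salt.
    private static final byte[] PLAINTEXT_MAGIC = "SQLite format 3\0".getBytes(StandardCharsets.US_ASCII);

    public SecureRecordsHelper(Context context) {
        super(context, DB_NAME, null, 1);
        SQLiteDatabase.loadLibs(context); // native SQLCipher library must be loaded before any open
    }

    @Override public void onCreate(SQLiteDatabase db) {
        db.execSQL("CREATE TABLE IF NOT EXISTS records (id INTEGER PRIMARY KEY, body TEXT)");
    }
    @Override public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) { }

    /** Opens with the passphrase the user just typed, then wipes the buffer. Returns null if the key is wrong. */
    public SQLiteDatabase openWithUserPassphrase(char[] passphrase) {
        try {
            return getWritableDatabase(passphrase); // char[] overload, so no immutable String copy lingers
        } catch (SQLiteException e) {
            return null; // SQLCipher reports a wrong key as a generic open failure ("file is not a database")
        } finally {
            Arrays.fill(passphrase, '\0'); // do not keep the secret in memory longer than needed
        }
    }

    /** Re-keys an already open database (SQLCipher runs PRAGMA rekey), then wipes the new passphrase. */
    public static void changePassphrase(SQLiteDatabase db, char[] newPassphrase) {
        try { db.changePassword(newPassphrase); } finally { Arrays.fill(newPassphrase, '\0'); }
    }

    /** Question 1: a quick sanity check that the on-disk file is not plain SQLite. */
    public static boolean looksEncrypted(File dbFile) throws IOException {
        byte[] header = new byte[16];
        try (FileInputStream in = new FileInputStream(dbFile)) {
            if (in.read(header) != 16) return false; // too short to be a database at all
        }
        return !Arrays.equals(header, PLAINTEXT_MAGIC);
    }
}
```

Call `looksEncrypted(context.getDatabasePath(SecureRecordsHelper.DB_NAME))` after the first write; a plaintext header there means the database was created or copied without SQLCipher. On a rooted device the file is still readable, so the only protection is that the passphrase is not on the device.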