Encrypting Android database

The_B_Man

Hi,

I'm looking at encrypting the SQLite database for an app.
My research has pointed me pretty quickly towards SQLCipher for Android.

This seems to do the job fairly effortlessly and looks fine. However the main point of contention here is the encryption/decryption key. Basically all the examples hard code the key into the code. Any hacker worth their salt should be able to decompile the code and get the key, rendering the encryption useless.

I've seen examples where people have used the NDK to generate .so files and store the key there, but the same issue applies. People can decompile the .so files and get the key.

I was thinking another option is to have the key stored on the same server as the data that's downloaded and stored in the DB, but then you're just passing the problem down the line, and requiring the server to handle the security, and hoping there's no wireshark trickery that can extract the key.

Does anyone have experience with encrypting the database? I'd love to hear some tips and best practices on how other people have achieved this.

Atomic Pineapple

Have you looked into using the Android Keystore System?

http://developer.android.com/training/articles/keystore.html

Be aware of a potential security flaw prior to Android 4.4 - http://www.digitaltrends.com/mobile/keystore-security-threat-android-news/

The_B_Man

I've never heard of the Keystore System actually. Looks interesting.

So from reading it there, I can actually store the key I'm using to encrypt the DB with SQLCipher in the Keystore, and access it it via code at runtime to perform database operations? That seems like it'll do the trick.

The only thing is that the device I'll be using solely is running on 4.2.2, with no sign of an upgrade any time soon.

It's highly sensitive data so I'm not sure if that'd be accepted.

Atomic Pineapple

Yes, the KeyStore is used for generating and securely storing keys for encryption.

I think from 4.3 you can generate the key based on a users PIN or screen lock pattern which makes it secure on 4.3 but I am not sure how much the security hole affects 4.2.2

It would be worth reading up on it as there might be ways to ensure the key is secure prior to 4.3/4.4

Its an area I've only scratched the surface of myself though, I worked on encrypting the data stored on devices from 4.3 upwards using the users PIN and the application passed an enterprise security check though.

The_B_Man

Well for my purposes, the user won't be able to put a PIN/key in. It'll have to be hardcoded. Or preferably generated locally on the device. How this encryption/decryption key is stored, is another thing I'll have to look at. From the link above though, it seems the OS handles it, which is perfect.

Really I'm trying to stop someone from decompiling the code and extracting a key.

MyPeopleDrankTheSoup

i think you already know the answer to this question, there's no way to 100% ensure a user can't disassemble the APK and get the .db file and key. I've used SQLCipher in my Android apps with key hardcoded and my DB was never ripped off and put in another app when all others were. SQLCipher defeats 99% of script kiddies and Indians who just unzip the APK and try and pull the DB.

It's highly sensitive data so I'm not sure if that'd be accepted.

This is where you've to 'pushback' and convince the pointy haired bosses that SQLCipher with an obfuscated key in the Java code is plenty sufficient! Godspeed. I sure don't miss having bosses.