Problem Description

I am writing an application for Android. The application must do the following:

  1. Connect to the server using the following URL:

    http://www.example.com/database.xml?username=xxx&password=xxx

    The username and password I must keep in the phone, and this username and password are the same for all users. For example, if 1,000,000 people have my application, they all connect to the server using the same URL, the same username and the same password.

  2. Download database.xml file from URL and save data in the SQLite database.


Issues

  1. How can I use the URL in my application so that users who have access to my code can't learn from the code which URL I use, and also keep my password and username secure? Or even just keep the whole URL http://www.example.com/database.xml?username=xxx&password=xxx secure, as it is the same for all users.

  2. How can I protect my SQLite database? For example, if somebody has root access on the phone, he can get the database, open it and read all the information which I keep there.

I need to protect my data.

Viktor Apoyan
  • "I need just protect my information from the most of users" -- then you do not need to do anything. However, "I need just protect my information from the most of users" does not line up with "if somebody has root access on the phone", as "most of users" do not have root access. You need to make up your mind whether you are trying to protect against "most of users" or not. – CommonsWare May 16 '13 at 14:10
  • @CommonsWare Can I protect my data from everybody? And if I can, how can I do that? – Viktor Apoyan May 16 '13 at 14:13
  • "can I protect my data from everybody?" -- no. – CommonsWare May 16 '13 at 14:14
  • @CommonsWare I guessed that :) And how can I try to protect from the 97% of the people who use my app? – Viktor Apoyan May 16 '13 at 14:16
  • "And how can I try to protect from the 97% of the people who use my app?" -- do nothing. 97% of your users have no access to the APK contents or internal storage. The 3% who do can do what they want, because it is **their data**, not yours. Once it is on their device, it is their data, not yours. If you do not want it to be their data, then do not put it on their device. For example, use a different URL that does not embed a username and password in it. – CommonsWare May 16 '13 at 14:18
  • @CommonsWare And if I encrypt data before adding it, or I get encrypted data from the server and then decrypt it in the place where I must use it in the app? I guess I can't keep it secure in that case either, as the 3% can access my code and get the decryption and encryption algorithms. Am I right? – Viktor Apoyan May 16 '13 at 14:22
  • "As the 3% can access my code and get the decryption and encryption algorithms. Am I right?" -- anyone who can get at the data can get at the APK and can arrange to have it reverse-engineered to get at your algorithms and keys. – CommonsWare May 16 '13 at 14:25
  • SQLCipher can do database encryption, and to secure your URL you can also use "POST" methods and encrypted data. – Chintan Rathod May 16 '13 at 14:27
  • @CommonsWare So there is no way to keep any data secure if it is in someone's pocket, not yours. And what about Chintan Rathod's suggestion? – Viktor Apoyan May 16 '13 at 14:28
  • "And what about Chintan Rathod suggestion?" -- anyone who can root their device can get at the encryption key used with SQLCipher. – CommonsWare May 16 '13 at 14:36
  • @CommonsWare, what will you say about ProGuard? – Chintan Rathod May 16 '13 at 14:39
  • @ChintanRathod: For something as simple as finding a DRM encryption key (and what VITO Brothers wants to do boils down to DRM), ProGuard will not be a major impediment. – CommonsWare May 16 '13 at 15:28
  • Also note that if you're using HTTP, rather than HTTPS, someone can get at your data even without a rooted device. They can just sniff the packets or use a proxy. – Laurence Gonsalves May 16 '13 at 16:11
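The comments above make two separate points: plain HTTP exposes the credentials to anyone on the network path, and a credential compiled into the APK is readable by anyone who extracts the APK. The following is an added example, not code from the question or from any commenter, showing what the first point looks like in code: the question's URL pattern next to a request that sends the same credentials in a POST body over TLS and refuses to fall back to cleartext. The endpoint path and the form field names (`username`, `password`) are assumptions; the server in the question may expect something else.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

/**
 * Added example: fetch database.xml without placing the credentials in the
 * URL or sending them in cleartext. Endpoint and field names are assumptions.
 */
public final class DatabaseFetcher {

    /** The form used in the question: credentials in a plain-HTTP query string. */
    static String insecureUrl(String user, String password) {
        // A query string is part of the URL, so it is written to proxy logs and
        // server access logs, and without TLS it is readable on the wire.
        return "http://www.example.com/database.xml?username=" + user
                + "&password=" + password;
    }

    /**
     * Sends the credentials in a POST body over HTTPS. The scheme check stops a
     * misconfigured endpoint from quietly downgrading the request to HTTP.
     * Returns the raw XML bytes, which the caller can then parse and store.
     */
    static byte[] fetchDatabaseXml(String endpoint, String user, String password)
            throws IOException {
        URL url = new URL(endpoint);
        if (!"https".equals(url.getProtocol())) {
            throw new IOException("refusing to send credentials over " + url.getProtocol());
        }
        // Form-encode the body; values are escaped so '&' or '=' in a password
        // cannot be misparsed as a field separator.
        String body = "username=" + URLEncoder.encode(user, "UTF-8")
                + "&password=" + URLEncoder.encode(password, "UTF-8");
        byte[] payload = body.getBytes(StandardCharsets.UTF_8);

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        try {
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            conn.setFixedLengthStreamingMode(payload.length);
            try (OutputStream out = conn.getOutputStream()) {
                out.write(payload);
            }
            int status = conn.getResponseCode();
            if (status != HttpsURLConnection.HTTP_OK) {
                throw new IOException("server returned HTTP " + status);
            }
            try (InputStream in = conn.getInputStream()) {
                ByteArrayOutputStream buf = new ByteArrayOutputStream();
                byte[] chunk = new byte[8192];
                int n;
                while ((n = in.read(chunk)) != -1) {
                    buf.write(chunk, 0, n);
                }
                return buf.toByteArray();
            }
        } finally {
            conn.disconnect();
        }
    }

    // Constructed usage; the endpoint is a placeholder, not a real service.
    public static void main(String[] args) throws IOException {
        byte[] xml = fetchDatabaseXml("https://www.example.com/database.xml",
                "app-user", "app-password");
        System.out.println("received " + xml.length + " bytes");
    }
}
```

This addresses only the network side (Laurence Gonsalves's point). The string literals passed to `fetchDatabaseXml` still ship inside the APK, which is exactly the part CommonsWare says cannot be protected; the design that removes that problem is the one he hints at, a URL that carries no shared secret at all, with the server handing each user their own credential instead.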

2 Answers

  1. Use HttpRequest APIs to get the data instead of using a browser intent.
  2. In your case I don't see any perfect protection engineering. Anyone with primary reverse-engineering knowledge can get the data from your code.
stinepike
  • 1. I don't use a browser intent. I use HTTPClient and HTTPGet. But the data on the server is protected with a password. 2. And how can data protection be done, if not in my case? – Viktor Apoyan May 16 '13 at 14:11

I think you should go for ProGuard. I know it's very hard to prevent reverse-engineering. Following are some posts which give some knowledge about this.

Protecting Your Android Applications is an article which describes the necessary information about ProGuard.

Read the FAQ to know more.

To protect the database, use SQLCipher.

Chintan Rathod