
I'm writing a simple offline dictionary application. All data is stored in an SQLite database.

If we assume that the database is encrypted, the app must use some kind of key in order to have access to it. Also, we assume that this application is completely offline and does not access any remote servers.

That means that the key will be stored in the application itself. I have looked at a lot of methods of hiding this key in the app, and all of them are flawed.

Is it even possible to hide this key implicitly in the app itself?

Mr.D
    You want a constant key to decrypt your database? Nope, not possible. But even if it would be, how can you prevent brute forcing the key to decrypt the database? – Jörn Buitink Feb 22 '16 at 07:44
  • Check out this : http://stackoverflow.com/questions/2203987/android-database-encryption – Haresh Chhelana Feb 22 '16 at 07:49
  • @JörnBuitink, I think that AES-256 is pretty well protected from brute force if we use a proper key. https://www.reddit.com/r/theydidthemath/comments/1x50xl/time_and_energy_required_to_bruteforce_a_aes256/ – Mr.D Feb 22 '16 at 07:51
  • What is the encryption supposed to accomplish? If your app automatically decrypts the data and displays it, it isn't protected much, is it? – CL. Feb 22 '16 at 07:51
  • @CL I want to make the data readable only via the app, excluding the possibility of using the raw database after decompilation. – Mr.D Feb 22 '16 at 08:06
  • What is the difference between an authorized user executing your app, and an evil user executing your decompiled app? – CL. Feb 22 '16 at 08:09
  • @CL. An evil user will extract the database file and try to use it for his own gain. I need to hide the key in the app so this evil user won't be able to decrypt it. – Mr.D Feb 22 '16 at 08:17
  • Hiding is *not possible* because your app must be able to actually use the key. – CL. Feb 22 '16 at 08:20
  • @CL Sad but true. Could you write your opinion as an answer to this question so I can accept it? This may help future users who try to ask the same question. Can you also suggest how to keep that kind of data safe, even if it requires some kind of remote backend? – Mr.D Feb 22 '16 at 08:35

1 Answer

If the app automatically displays data, it is not possible to protect that data.

Your app must store the key somewhere. Regardless of how much you try to obfuscate your code, it is still possible to decompile it (or just execute the obfuscated part, until the key comes out).

Or looking at it in a different way: hiding the key is a form of encryption. So now you need a second key to encrypt/decrypt the first key. (But with obfuscation, the 'key' is the program structure, which is less secure than a real cryptographic algorithm.)


The only way to protect the data would be to avoid storing the key by requiring the user to enter the key (as a password, or some separate token) whenever the app is to be used. This implies that the user is trusted not to give the key away.

CL.
  • Even if I send keys to the user via a server, can it still be cracked just because the database is stored locally in the app? – Mr.D Feb 22 '16 at 10:25
  • How could the server differentiate between the real app and an evil app? – CL. Feb 22 '16 at 12:09
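The answer's last paragraph (derive the key from something the user enters rather than storing it) is the part worth seeing in code. The following is an added example, not code from the question, the answer or any project: it builds the dictionary in an in-memory SQLite database, serializes it, and seals the dump under a key derived from the user's password with PBKDF2. Only a random salt, a nonce and an HMAC tag are stored next to the ciphertext; the key itself exists only while the app is running, and a wrong password is rejected by the tag check rather than by producing garbage. The cipher here is an assumption: HMAC-SHA256 in counter mode stands in for AES-CTR because the Python standard library has no AES, and a real app would hand the derived key to its database encryption layer instead.

```python
import hashlib
import hmac
import secrets
import sqlite3

PBKDF2_ITERATIONS = 200_000  # makes offline password guessing expensive


def derive_key(password: str, salt: bytes) -> bytes:
    """Turn the user's password into a 32-byte key. Only the salt is stored;
    the key is recomputed every time the app is opened, never written to disk."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Assumption: HMAC-SHA256 as a PRF in counter mode, a stand-in for AES-CTR.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the password-derived key.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(password: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: salt(16) || nonce(16) || ciphertext || tag(32)."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(derive_key(password, salt))
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unseal(password: str, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong password or a modified file
    fails here instead of yielding garbage SQL."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _subkeys(derive_key(password, salt))
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or tampered database")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_dictionary_blob(password: str, entries) -> bytes:
    """Create the dictionary in an in-memory SQLite DB, dump it as SQL, seal the dump."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE words (word TEXT PRIMARY KEY, definition TEXT)")
    conn.executemany("INSERT INTO words VALUES (?, ?)", entries)
    conn.commit()
    dump = "\n".join(conn.iterdump()).encode("utf-8")
    conn.close()
    return seal(password, dump)


def open_dictionary(password: str, blob: bytes) -> sqlite3.Connection:
    """Rebuild the database from the sealed dump; raises ValueError on a wrong password."""
    dump = unseal(password, blob).decode("utf-8")
    conn = sqlite3.connect(":memory:")
    conn.executescript(dump)
    return conn


def lookup(conn: sqlite3.Connection, word: str):
    row = conn.execute("SELECT definition FROM words WHERE word = ?", (word,)).fetchone()
    return row[0] if row else None


# Constructed sample entries for the demonstration.
SAMPLE_ENTRIES = [
    ("cipher", "a method of encrypting text"),
    ("salt", "random bytes mixed into a password hash"),
]

if __name__ == "__main__":
    sealed = build_dictionary_blob("correct horse battery", SAMPLE_ENTRIES)
    db = open_dictionary("correct horse battery", sealed)
    print(lookup(db, "cipher"))
    try:
        open_dictionary("guess", sealed)
    except ValueError as err:
        print("rejected:", err)
```

Nothing in the sealed file lets the app open the dictionary on its own, which is exactly the trade-off the answer describes: the user must type the password at every launch, and a user who shares it shares the data. The salt and PBKDF2 work factor only make guessing weak passwords slower; they do not make a constant key embedded in the binary any safer.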