8

I have implemented SQLCipher in my Android application to make it's database secure. SQLCipher needs a key to encrypt database file. The problem I am facing is key protection, if my application is used on a rooted device or is reverse engineered then my key will be exposed and database can be decrypted.

Please note that my application doesn't ask for password every time user opens it and thus user entered password can't be used as the key. I want to implement behavior like facebook, whatsapp applications, which encrypts data using private-key/key without asking any password and keeps the users logged in all the time. Where and how these applications store their key?

Please suggest a solution/algorithm that will protect the key.Also, does Android OS provides any such functionality for data protection/management?

piet.t
  • 11,718
  • 21
  • 43
  • 52
Syed Taruf Naqvi
  • 507
  • 3
  • 18
  • 1
    An add-on to Talha's solution: You can use [EncryptedSharedPreferences](https://developer.android.com/topic/security/data#edit-shared-preferences) from the Jetpack library. – Steven Ng Sep 08 '21 at 20:50

2 Answers2

9

You can use Andriod Keystore to encrypt your SQLCipher password.

I had the same issue while ago, where SQLCipher was used to secure data, but password itself was not. This allowed a security flaw where a simple decompilation would reveal the password as it was in the form of string constant.

My solution was:

  • Generate a random number when app starts at first. (You can change this behaviour for whatever suits you)
  • Encrypt this number using Android Keystore.
  • The original form of the number is gone once its encrypted.
  • Save this in Prefs.
  • Now, whenever SQLCipher needs password, it will decrypt it and use it.
  • Since Android Keystore is providing keys at runtime, and keys are strictly app specific, it will be hard to break this database.
  • Although everything can be broken but this approach will make it a lot harder for the attacker to retrieve data from DB, or DB password.

Here is a sample project I made which also has a SQLCipher use case same as yours.

Encryption Helper for Encrypting Passwords

Use case for SQLCipher

Note that the term you are using as encryption key is used as password/number for DB in above discussion.

Talha
  • 903
  • 8
  • 31
  • What certificate your Android key store was using when you encrypted the number using AndroidKeystore? – Syed Taruf Naqvi Mar 08 '18 at 12:56
  • 1
    Keystore must have its default certificate since I did not specified it in the start of the following file, you can check [this source code](https://github.com/talhahasanzia/android-encryption-helper/blob/master/encryption-helper/src/main/java/com/thz/keystorehelper/KeystoreHelper.java) which has declarations of Certificate Authority and Algorithms used etc. – Talha Mar 08 '18 at 13:17
  • 1
    have a look at this: [How java keytool works](https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores) – Talha Mar 09 '18 at 06:40
  • Your use case link is broken. – Yoann Hercouet Oct 25 '18 at 15:14
  • 1
    Updated the link* – Talha Nov 01 '18 at 07:09
  • 1
    Nicely explained – sandulasanth-7 Nov 28 '22 at 08:46
-1

Personally, I use substring to select sequences or unique characters from String values, then I concatenate it to get my key, it's pretty barbaric but I do not have found other effective solution.

Jimmy Cram
  • 71
  • 2
  • 2