
I have an existing DB that I copy onto the device, and I can access it with no problem. The problem is that I must put a password on it (SQLCipher; I used "DB Browser for SQLite" to set that password), but now I want to access it by passing the password programmatically. Here is my code:

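    import android.content.Context;
    import android.database.sqlite.SQLiteDatabase;
    import android.database.sqlite.SQLiteOpenHelper;

    public class DatabaseAccess {
        private SQLiteOpenHelper openHelper;
        private SQLiteDatabase database;
        private static DatabaseAccess instance;

        // DBHelper is the asker's own SQLiteOpenHelper subclass (not shown).
        private DatabaseAccess(Context context, String db_name) {
            this.openHelper = new DBHelper(context, db_name);
        }

        // Builds a new DatabaseAccess for db_name on every call.
        public static DatabaseAccess getInstance(Context context, String db_name) {
            instance = new DatabaseAccess(context, db_name);
            return instance;
        }
    }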

Thanks in advance.

ΩlostA
  • Use [SQLCipher for Android](https://github.com/sqlcipher/android-database-sqlcipher) instead of ordinary SQLCipher. Note that your encryption is useless, since anyone can find the passphrase. Since SQLCipher makes your app a lot larger, you would be better served just using an ordinary un-encrypted SQLite database. – CommonsWare Aug 01 '19 at 14:49
  • @CommonsWare Is there any way, like on iOS, to protect access to the files directly without encrypting them? – ΩlostA Aug 01 '19 at 14:52
  • Databases by default are inaccessible to ordinary users. Only a user who roots their device can get to your app's portion of [internal storage](https://commonsware.com/blog/2017/11/13/storage-situation-internal-storage.html), which is where a database will be placed by default. – CommonsWare Aug 01 '19 at 14:58
  • @CommonsWare I simply installed Android File Transfer, and I can access it very easily. With the GDPR policy, it is not secure. Is there something that I don't do well? – ΩlostA Aug 01 '19 at 15:01
  • "I simply installed Android File Transfer, and I can access to it very easily" -- I do not know what "Android File Transfer" is. Developer tools, like Android Studio's Device File Explorer, can access internal storage, but only for debuggable apps. The app that you ship should not be using a debug signing key. "With the GDPR policy, it is not secure" -- it's the user's own data, on their own device. By your argument, every desktop program that stores data locally (e.g., Notepad) is in violation of GDPR, which I would find very surprising. – CommonsWare Aug 01 '19 at 15:08
  • @CommonsWare The problem is that a person can install our app from the Play Store and access the DB, which contains lots of secured information. On iOS, nobody can access the "library folder" except the developer. On Android (maybe it is not correct), it seems that everybody who installs Android File Transfer, for example, can access all the files of the app? – ΩlostA Aug 01 '19 at 15:23
  • "On Android (may be it is not correct), it seems that every body that install Android File transfer for example can access to the all files of the app ?" -- if you are referring to your APK, and your database copy packaged as an asset, yes, anyone can get to that. They can also get to the encryption passphrase to be able to decrypt it. They cannot get to the copy of that asset that you make on internal storage, without rooting their device. If the asset itself has "secured informations", do not package it as an asset. – CommonsWare Aug 01 '19 at 15:36
  • @CommonsWare In fact, I download it from my server when the user connects. I download the whole SQLite. What I would do is protect it directly on the server, download it, and use a password to use it. Is it possible, do you think? Or can anyone check the "code" with the password in it? – ΩlostA Aug 01 '19 at 16:52
  • "Or anyone can check the "code" with the password in it ?" -- if the password is in your app, people can get to the password. – CommonsWare Aug 01 '19 at 16:54
  • @CommonsWare What is the most secure way, do you think? This? https://stackoverflow.com/questions/4275311/how-to-encrypt-and-decrypt-file-in-android – ΩlostA Aug 01 '19 at 16:57
  • Do not put the data on the device. Keep it on the server and access it via a Web service. What you are asking for is DRM, and I do not have any DRM recommendations. – CommonsWare Aug 01 '19 at 16:59
  • @CommonsWare We agree that if I put a password for the SQLite, for example, in my code, nobody can check the code from the Play Store? No one who downloads the app can check the source code? – ΩlostA Aug 02 '19 at 12:33
  • The *source code* will not be on the user's device when they install your app. The APK will, and the APK will have your password. – CommonsWare Aug 02 '19 at 12:46
  • @CommonsWare ah ok, but it is okay for me. Nobody will have the APK except me. So I can put a SQLite protected with a SQLCipher password on the server, the password in the source code to decrypt it? – ΩlostA Aug 02 '19 at 12:52
  • "Nobody will have the APK except me" -- your users have the APK. That is what you distribute to them, after all. And any user, without root, has access to the APK. "So I can put a SQLite protected with a SQLCipher password on the server, the password in the source code to decrypt it?" -- yes. – CommonsWare Aug 02 '19 at 12:54
  • @CommonsWare If I download, for example, the "Spotify app" from the Play Store, I won't have the APK with the source code? – ΩlostA Aug 02 '19 at 12:56
  • APK != source code. An APK is what you get when you compile the source code. An APK is what you upload to the Play Store. An APK is what the user downloads from the Play Store. The APK contains your compiled code, and in your case the APK will include your password. It is very easy for somebody to get your APK off of a device and decompile it, to get what looks a bit like source code. – CommonsWare Aug 02 '19 at 13:02
  • @CommonsWare But how can people read the password that is simply in the source code compiled on the Play Store? – ΩlostA Aug 02 '19 at 13:04
  • By looking at it. Research "decompile" with respect to Android development. – CommonsWare Aug 02 '19 at 13:10
  • @CommonsWare Is that true? https://stackoverflow.com/questions/43752446/how-to-decompile-an-android-app-from-the-google-play-store – ΩlostA Aug 02 '19 at 13:24
  • Yes, that question and answer are discussing decompiling an Android app. There is quite a bit of material on this subject online, though mostly not in Stack Overflow. – CommonsWare Aug 02 '19 at 13:25
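
An added example, not part of the original thread and not the asker's code: the question's `DatabaseAccess` adapted to SQLCipher for Android (the library linked in the first comment), with the passphrase passed in when the database is opened instead of stored as a constant in the APK. The class name `EncryptedDatabaseAccess`, the nested `CipherHelper` and schema version 1 are assumptions.

```java
import android.content.Context;

import net.sqlcipher.database.SQLiteDatabase;
import net.sqlcipher.database.SQLiteOpenHelper;

public class EncryptedDatabaseAccess {

    // Hypothetical helper. Version 1 and the empty callbacks assume the
    // downloaded, already-encrypted file carries its own schema.
    private static final class CipherHelper extends SQLiteOpenHelper {
        CipherHelper(Context context, String dbName) {
            super(context, dbName, null, 1);
        }

        @Override
        public void onCreate(SQLiteDatabase db) { }

        @Override
        public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) { }
    }

    private final SQLiteOpenHelper openHelper;
    private SQLiteDatabase database;

    public EncryptedDatabaseAccess(Context context, String dbName) {
        Context app = context.getApplicationContext();
        // SQLCipher's native libraries must be loaded before the first open.
        SQLiteDatabase.loadLibs(app);
        this.openHelper = new CipherHelper(app, dbName);
    }

    // The passphrase is an argument, so this class compiles no literal
    // into the APK. Where the caller obtains it (for example from the
    // server after the user signs in) is an assumption outside this class.
    // A wrong passphrase makes getReadableDatabase() throw.
    public SQLiteDatabase open(String passphrase) {
        if (database == null || !database.isOpen()) {
            database = openHelper.getReadableDatabase(passphrase);
        }
        return database;
    }

    public void close() {
        if (database != null) {
            database.close();
            database = null;
        }
    }
}
```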

0 Answers