7

I am creating an app where the user does some things during a game, and these actions are logged in a SQLite-database. At the end of the game the app presents these logs through a screen, which are read by the game administrators (like, physically read by the game administrators watching the screen). Is there some ways for the contestants to manipulate the database, and if not, what security measures prevent them from doing this?

runaros
  • 1,821
  • 4
  • 20
  • 25
  • So you want to connect to the Android Device and read the Data stored in the Apps `SQLiteDatabase`? – Lukas Knuth May 23 '11 at 12:28
  • To be more specific: I want to prevent the users (which are not the developers) of the app to manipulate the database. For all practical purposes we can also assume that the phone is offline, there is no communication with the game servers (or game officials) until the very end of the game. – runaros May 23 '11 at 12:47

5 Answers5

11

The database is stored under /data/data/your.applications.package/databases. Normally this location could only be access by the user the Android OS created for the app. No other user is able to access this location unless the device is rooted. Then any user can access any location on the phone and manipulate the data.

So if you want to prevent users from cheating you need some way to check if the values in the database are untouched. Perhaps you can store some kind of fingerprint on a server to check this.

Volo
  • 28,673
  • 12
  • 97
  • 125
Flo
  • 27,355
  • 15
  • 87
  • 125
  • This is also accessible on all official Google Dev devices. Also, if user needs server to authenticate database, why not send the result to the server (at the moment they are changed). – Peter Knego May 23 '11 at 14:21
  • 1
    Even storing the fingerprint in the database itself is good too (relying on internet connectivity is bad for the user experience). because its easy to change database values, even my 15year old daughter knows how to change database values on android for cheating in games. its harder to change and recompile program code on a rooted device. – hamish Dec 03 '16 at 02:57
2

Yes, users can examine and change the database when connected over USB via ADB: http://developer.android.com/guide/developing/tools/adb.html#shellcommands

Update:

This only works on rooted devices or official Google Dev devices: Why do I get access denied to data folder when using adb?

Still, this would allow users to access database and change game results. So you can not rely on databse not being accessible..

Community
  • 1
  • 1
Peter Knego
  • 79,991
  • 11
  • 123
  • 154
  • I don't think so, not without it being rooted because every time I tried to issue a command I'd get access denied. Edit - I just tried it, no you can't change or examine database information just by using adb shell and usb. – Hades May 23 '11 at 12:43
  • 1
    Ahh, yes. It must be rooted or a official Google dev device (this ia what I have): http://stackoverflow.com/questions/1043322/why-do-i-get-access-denied-to-data-folder-when-using-adb – Peter Knego May 23 '11 at 13:12
2

Yes, you can do it programatically, as long as you are the developer. Here is the Android docs for SQLiteDatabase.

Here are some links for working with SQLiteDatabases programatically:

  1. From Android docs
  2. From a blog
  3. From another blog

The SQLiteDatabase in an application should be 'sandboxed' to that specific application, meaning that no other application should be able to get to that data, as long as the developer didn't provide access to it with a ContentProvider. So to answer your final question, no, there should not be a way for contestants to manipulate the database, except in ways that the developer has already allowed.

nicholas.hauschild
  • 42,483
  • 9
  • 127
  • 120
0

Unless you issue the devices to users and you carefully watch what they do with them, to be secure against anyone determined, you need to digitally sign the entries in the database using a mechanism hidden in strongly obfuscated application code. And even that only makes it harder.

Note that using a server does not help unless a key part of the game logic itself is implemented in the server; if the user knows how to fake your signing mechanism to write fake database entries, they can also send fake reports to your server.

Chris Stratton
  • 39,853
  • 6
  • 84
  • 117
-1

You can use Proguard to obfuscate your code.

Also have the database be unique with a particular id according to the device id with some sort of server callback, to validate the database.

Hades
  • 3,916
  • 3
  • 34
  • 74
  • 1
    In what way can obfuscation of the code prevent the users from manipulating the database? – runaros May 23 '11 at 12:49
  • 1
    Not directly, it helps in a way that the hacker won't know the database name or columns just by reverse engineering the code. But I guess there are better ways. – Hades May 23 '11 at 13:01