11

I want to know how safe it is to pack the database with the application in android. Can the database be easily accessed by the users? As the database that I have will have data which I dont want to be hacked by users for misuse, what is the best way to protect the database in mobile apps?

Also my application would use web service(contacting my own website) e.g. http:\www.mysite.com/services/xxx

My site will in turn return some data to the mobile app. If someone decompiles the java code(in apk), he will easily get access to the URL i am using for web service. How can i protect my data on website to be attacked by malicious users. If anyone gets to know the URL, he can simply type that URL in browser and get all data in json format which i dont want as that data can be quite sensitive. Even if I keep it encoded, then the user can get to know the encoding from the java code(which he gets after decompiling apk).

How to keep my DB safe from being misused?

If my application is to show the local places like restaurants, bars etc on mobile should i always fetch them from the website using web service or provide a local database with these details so that information can be fetched quickly. In this case , I can provide a UPDATE web servcie which will update the local database. But security of local DB is of great concern to me.

Can anyone please suggest where to keep the DB and how to safeguard it?

Rgds, Sapan

Sapan
  • 1,593
  • 3
  • 24
  • 34

3 Answers3

8

Local databases and your apk file can be read by any rooted device easily. This tool can even decompile your resources as explained in this youtube tutorial (I never tried that myself actually).

So you would have to store your data encrypted in your database and decrypt it form your application code to be sure that noone can access it by simply getting the database form the data directory of his device.

You shouldn't put your sensitive data (like passwords etc) in the resource folder, because it can be decompiled, put it in your code.

Now some words to your JSON API. Hiding the URL is not enough, since the user can track your requests easily by a sniffer and get that anyway. You should provide a authentication mechanism to protect unauthorized access and also protect your communication by SSL. (E.g. using HTTP authentication - makes only sense when your server provides SSL.)

This are the things you should think about and decide yourself how sensitive your data actually is.

Knickedi
  • 8,742
  • 3
  • 43
  • 45
  • Can you provide more information on setting a authentication mechanism to protect unauthorised access? I am relatively new to this domain. So any help will be really great.. – Sapan Sep 26 '11 at 05:33
  • Me too, hehe ;-) I will do some research and update my answer when I find some useful information for that. – Knickedi Sep 26 '11 at 05:49
  • I added a wikipedia link :-D HTTP authentication might be the most general solution for request protection. – Knickedi Sep 26 '11 at 14:46
2

As far as I understand you're going to:

  1. Pack initial DB in your APK file (say with res/asset folder)
  2. During first run explode DB file from res/asset to application data folder
  3. Then from to time fetch data into DB from website/webservice

In this case there are basically 2 vulnerabilities (stored data I mean):

  1. Initial DB image, since it's packed with APK (which is in real life just ZIP archive), so anyone can unpack and see what's packed in your DB
  2. DB file stored in application data folder (usually /data/data/MY_APPLICATION_PACKAGE/databases). This folder is accessible on rooted device, so again your data can easily be screened

The only option to be secured is to encrypt your database content. Easiest way to do it to store sensitive data in BLOBs (in form of XML of JSON) and encrypt/decrypt those BLOBs after/before actual usage of certain records.

Myself personally did it in my app - and it works well.

Barmaley
  • 16,638
  • 18
  • 73
  • 146
  • thanks for the answer...As I am not an expert in database, will it be possible for you to provide a simple example. Will Proguard also help in securing database within apk? – Sapan Sep 26 '11 at 05:28
  • @Sapan Look for references here http://stackoverflow.com/questions/6043984/sqlite-encryption-for-android Concerning Proguard obfuscation - it doesn't help you to secure DB, it's only obfusate your code – Barmaley Sep 26 '11 at 06:42
  • Thanks a lot for the pointers.. I will definitely go thru the references and let you know if that suits my needs or not..sqlcipher seems to be a good option but its a developer release only as of now...any idea on how to protect web service requests to avoid unauthenticated access? – Sapan Sep 26 '11 at 07:39
1

check this links for protecting your apk file for decompile

How to make apk Secure. Protecting from Decompile

Protecting Android apk to prevent decompilation, network sniffing etc

decompiling DEX into Java sourcecode

Community
  • 1
  • 1
Pratik
  • 30,639
  • 18
  • 84
  • 159
  • Hi Prateek..thanks for the valuabale information...I am now thinking of using Proguard in my app to make decompiling difficult. I still need to find out how to make web service requests and database secure. – Sapan Sep 26 '11 at 05:42