0

Hello I have an android application. In my app I have a SQLite database stored on the device that should be synchronized with a MySQL database stored on the server.

Now I have to retrieve a list of IDs. I can do it querying the SQLite database or the MySQL database. I chose to use the SQLite database because it'd be much faster and easier considering what I have to do. But now I was thinking about it and I have a question: Are the android SQLite database files safe? I mean is there a possibility that someone access these files and modify information inside them or are they hidden to users?

Because if I ask information from the server I'm sure that it is safe, instead I don't know the security level of android databases.

Let's suppose that each ID corresponds to an application ID I paid for (for example application 3 and 5). When I find a way to modify the android database and so adding also application 7 and 8 it would seem to the device that I've paid also for these applications instead I didn't and I can't use them. That's why I was thinking to query the MySQL database, because the user can't modify it, but this way it's gonna be slower. What do you think?

Knickedi
  • 8,742
  • 3
  • 43
  • 45
Sgotenks
  • 1,723
  • 4
  • 20
  • 34
  • I'm sorry for the drastic edit of your question but using ..... and ??? doesn't improve the readability and the question quality ;-) – Knickedi Oct 19 '11 at 14:30

3 Answers3

2

Ideally data stored in your apps private /data directory would be private, but if someone roots their phone they have unfettered access to it. Its best to design based on the assumption that your on-phone database is unsafe without encryption and even then it's still possible that users can try to break in.

Pedantic
  • 5,032
  • 2
  • 24
  • 37
  • +1 not encrypted data on your device is never safe, especially if it is really sensitive. Take a look at [Android: How safe is database packed with application](http://stackoverflow.com/questions/7550672/android-how-safe-is-database-packed-with-application) – Knickedi Oct 19 '11 at 14:17
0

Please check these option too, they might help anyone who want to secure the database.

SQLCipher for Android

1- android Sql3 wrapper library

2- libsqlite3_jni.so

also please read the article below are make your search on the option above, i hope this would help much.

http://www.findbestopensource.com/product/sqlite3-android

Note:

you can secure your device fully as if the device will be rooted by anyone. So use some other secure way like secure the database with 2 factor authentication and password protected.

In case someone rooted your device at least you should have some password protected file .

Riz
  • 123
  • 1
  • 3
0

With a rooted device, a user could easily add / remove / modify existing records in the database.

One thing you could do, is compute an MD5 hash of the rows in your DB and compare it against a hash you have stored on your MySQL server for that particular user before accepting the "paid" values of your local cache database. This approach may or may not be acceptable to you because obviously it requires an internet connection.

Justin Breitfeller
  • 13,737
  • 4
  • 39
  • 47