2

I have an app in which I have added Export/Import DB functionality... I want to do two things:

1) When exporting: Scramble the exported database so that normal folks (I know that some people can decode the best camouflage techniques) cannot read the contents...

2) When importing: Verify the file being imported to make sure that it is something that will work with my app and not anything else.

I have seen some links here about encryption that can address the 1st point here. But I don't want to do encryption. I want to do some simple scrambling. And I have seen some posts about verifying the table contents by checking for the tables that my application looks for. That is a good solution but I need to load the file first to verify and roll back if there are errors.

Any help would be greatly appreciated...

Sriman

3 Answers

1

very very simple way: add some header to the file which you can later read back in and check:

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;

// w/o exception handling, finally, etc.
String secret = "zomg,secret";
byte[] header = secret.getBytes();  // marker bytes the importer reads back and checks
byte[] buffer = new byte[4096];
FileInputStream in = new FileInputStream("/your/sqlite.db");
FileOutputStream out = new FileOutputStream("/sdcard/the.secretfile");
out.write(header);                  // header first, then the database bytes
int read = 0;
while ((read = in.read(buffer)) != -1) {
    out.write(buffer, 0, read);
}
out.close();
in.close();
```
zapl
  • Thanks.. I have thought about this method... But wanted to check if something better is available before I go with this.. – Sriman Mar 18 '12 at 13:21
  • you can also write some extension to `InputStream` and `OutputStream` that does some encryption / scrambling. Or wrap all this in e.g. http://docs.oracle.com/javase/1.4.2/docs/guide/security/jce/JCERefGuide.html#CipherInput – zapl Mar 18 '12 at 13:36
  • Thanks... so I finally settled to doing DES encryption using cipherinputstream and instead of adding a header to verify the integrity, I am checking to see if all my table names are present in the file being imported. I saw that the sqlite DB file has the ddl statements in clear text. – Sriman Mar 19 '12 at 04:12
0

The best and simple way to deal with this is to generate a checksum (MD5) of your database file and compare it with your pre-calculated one. For more info

waqaslam
  • Thanks. I thought the MD5 will vary based on the data in the file. How can I pre-calculate it to compare against the generated MD5 for the file being imported.... – Sriman Mar 18 '12 at 13:18
  • simply calculate your MD5 first (http://www.softpedia.com/get/Security/Encrypting/TS-MD5-Generator.shtml) and save the result in your code for comparison purpose. Later when the database is saved/copied on SD card, re-generate its MD5 and compare it with the one in your code. Refer to the link in my answer for generating MD5 programmatically – waqaslam Mar 18 '12 at 15:01
  • I think you have misunderstood my requirement. The database I will be exporting/importing is variable. It can change from installation to installation based on how the users use it. So I can never save a constant MD5 in the code and use it for comparison purposes. – Sriman Mar 18 '12 at 21:55
  • where does your database come from? and is there a pre-defined type and contents of databases? – waqaslam Mar 18 '12 at 22:26
  • Database is created within the app. It will have pre defined empty tables that will be filled up by the user – Sriman Mar 19 '12 at 04:08
0

So I finally settled to doing DES encryption using cipherinputstream and instead of adding a header to verify the integrity, I am checking to see if all my table names are present in the file being imported. I saw that the sqlite DB file has the ddl statements in clear text. This is probably not the most elegant/complete solution but it works.

Sriman
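An added example (not code from this thread or its authors) of one way to cover both requirements with a single mechanism: authenticated encryption, here AES-GCM instead of the DES mentioned above, so a file the app did not produce, or one altered after export, is rejected before anything is loaded into SQLite. The class name, `KEY` and `MAGIC` are hypothetical, the sample bytes are constructed, and a key embedded in the app only hides the data from casual readers.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class DbExportDemo {
    // Constructed demo key (hypothetical); anyone who unpacks the app can recover it.
    static final byte[] KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    // Hypothetical marker identifying this app's export format.
    static final byte[] MAGIC = "MYAPPDB1".getBytes(StandardCharsets.US_ASCII);
    static final int IV_LEN = 12, TAG_BITS = 128;

    // Export layout: MAGIC || IV || ciphertext with GCM tag appended.
    static byte[] seal(byte[] db) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh IV for every export
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(MAGIC); // bind the marker to the tag
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(MAGIC);
        out.write(iv);
        out.write(c.doFinal(db));
        return out.toByteArray();
    }

    // Import: returns the database bytes only if the marker and tag both verify.
    static byte[] open(byte[] file) throws Exception {
        int off = MAGIC.length + IV_LEN;
        if (file.length < off + TAG_BITS / 8 || !Arrays.equals(Arrays.copyOf(file, MAGIC.length), MAGIC))
            throw new IllegalArgumentException("not an export from this app");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, "AES"),
               new GCMParameterSpec(TAG_BITS, file, MAGIC.length, IV_LEN));
        c.updateAAD(MAGIC);
        return c.doFinal(file, off, file.length - off); // AEADBadTagException if altered
    }

    public static void main(String[] args) throws Exception {
        byte[] db = "SQLite format 3\0 constructed sample bytes".getBytes(StandardCharsets.US_ASCII);
        byte[] exported = seal(db);
        System.out.println("round trip ok: " + Arrays.equals(db, open(exported)));
        exported[exported.length - 1] ^= 1; // simulate a modified export file
        try { open(exported); System.out.println("accepted"); }
        catch (AEADBadTagException e) { System.out.println("tampered file rejected"); }
    }
}
```

This reads the whole file into memory, which suits small app databases; the table-name check described above can still run on the decrypted bytes as a schema sanity check.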