Is AIR's database encryption secure enough for this use case?

Question

We are planning a desktop client application with Adobe AIR. The client app will be delivered to our customers with a database, which contains monthly updated marketing data provided by our company. As different customers will buy different sets of data from us, for example, a customer is only interested in marketing data in a specific product category, while another customer need all data in a certain region. After a customer installs this client app, new data will be emailed to the customer every month.

So, the requirement is to keep the data accessible only by the customer who bought it. After reading through AIR's secure local store and database encryption feature, I came up with the following design: each customer will have his own secret key (stored in AIR's secure local store), the secret key is used to encrypt the data that the customer has purchased. Of course, the monthly data that we sent to the customer will be encrypted using the same secret key.

So my questions are: is AIR's database encryption and secure local store secure enough for this use case? If someone gets the encrypted database file, can he decrypt the DB?

Answer 1

I think the encrypted stores in AIR are as safe as the OS itself. I would worry more about the other parts of the design. For example, how are you installing the secret key on each client?

The trend nowadays is to build a thin-client and have everything accessed through the internet. The client-specific data would be provided by your server after authentication. This approach might prove to be easier to deploy.

Overall, I think your approach sounds solid.