Syed Taruf Naqvi

Reputation: 507

How to protect my encryption key in Android?

I have implemented SQLCipher in my Android application to make its database secure. SQLCipher needs a key to encrypt the database file. The problem I am facing is key protection: if my application is used on a rooted device or is reverse engineered, then my key will be exposed and the database can be decrypted.

Please note that my application doesn't ask for a password every time the user opens it, and thus a user-entered password can't be used as the key. I want to implement behavior like the Facebook and WhatsApp applications, which encrypt data using a private key/key without asking for any password and keep the user logged in all the time. Where and how do these applications store their key?

Please suggest a solution/algorithm that will protect the key. Also, does the Android OS provide any such functionality for data protection/management?

Upvotes: 8

Views: 2850

Answers (2)

Talha

Reputation: 911

You can use the Android Keystore to encrypt your SQLCipher password.

I had the same issue a while ago, where SQLCipher was used to secure data but the password itself was not. This allowed a security flaw where a simple decompilation would reveal the password, as it was in the form of a string constant.

My solution was:

  • Generate a random number when the app starts for the first time. (You can change this behaviour to whatever suits you.)
  • Encrypt this number using the Android Keystore.
  • The original form of the number is gone once it's encrypted.
  • Save this in Prefs.
  • Now, whenever SQLCipher needs the password, it will decrypt it and use it.
  • Since the Android Keystore provides keys at runtime, and keys are strictly app-specific, it will be hard to break this database.
  • Although everything can be broken, this approach will make it a lot harder for the attacker to retrieve data from the DB, or the DB password.

Here is a sample project I made which also has a SQLCipher use case same as yours.

Encryption Helper for Encrypting Passwords

Use case for SQLCipher

Note that what you call the encryption key is referred to as the password/number for the DB in the discussion above.

Upvotes: 9
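The procedure in the answer above, written out as an added Java example; this is not code from the answer's sample project. It draws a random 32-byte passphrase on first run, wraps it with an AES-GCM key that lives in the Android Keystore (KeyGenParameterSpec, API 23+), stores only the IV and ciphertext in SharedPreferences, and unwraps the passphrase each time SQLCipher opens the database. The class name, key alias, preference names and database file name are assumptions, and the SQLCipher call uses the String-passphrase form of openOrCreateDatabase with the bytes Base64-encoded.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;

import java.security.KeyStore;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

import net.sqlcipher.database.SQLiteDatabase;

/** Keeps the SQLCipher passphrase wrapped under a non-exportable Android Keystore key. */
public final class DbPassphraseStore {
    // Hypothetical names; pick your own alias and preference file.
    private static final String KEY_ALIAS = "sqlcipher_passphrase_wrap";
    private static final String PREFS = "db_passphrase_prefs";
    private static final String PREF_IV = "iv";
    private static final String PREF_WRAPPED = "wrapped";
    private static final int GCM_TAG_BITS = 128;
    private static final int PASSPHRASE_BYTES = 32;

    private final SharedPreferences prefs;

    public DbPassphraseStore(Context ctx) {
        prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
    }

    /** Returns the passphrase bytes, generating and wrapping a fresh random one on first use. */
    public byte[] getOrCreatePassphrase() throws Exception {
        String ivB64 = prefs.getString(PREF_IV, null);
        String ctB64 = prefs.getString(PREF_WRAPPED, null);
        if (ivB64 != null && ctB64 != null) {
            return unwrap(Base64.decode(ivB64, Base64.NO_WRAP), Base64.decode(ctB64, Base64.NO_WRAP));
        }
        byte[] passphrase = new byte[PASSPHRASE_BYTES];
        new SecureRandom().nextBytes(passphrase);   // the "random number" from the answer
        wrapAndStore(passphrase);
        return passphrase;
    }

    /** The wrapping key never leaves the Keystore; only encrypt/decrypt operations are exposed. */
    private SecretKey getOrCreateWrappingKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(KEY_ALIAS)) {
            return (SecretKey) ks.getKey(KEY_ALIAS, null);
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();
    }

    private void wrapAndStore(byte[] passphrase) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, getOrCreateWrappingKey()); // Keystore chooses a fresh random IV
        byte[] ct = c.doFinal(passphrase);
        prefs.edit()
             .putString(PREF_IV, Base64.encodeToString(c.getIV(), Base64.NO_WRAP))
             .putString(PREF_WRAPPED, Base64.encodeToString(ct, Base64.NO_WRAP))
             .apply();
    }

    private byte[] unwrap(byte[] iv, byte[] ct) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, getOrCreateWrappingKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        return c.doFinal(ct); // AEADBadTagException here means the stored blob was altered
    }

    /** Opens the SQLCipher database with the unwrapped passphrase (file name is an assumption). */
    public static SQLiteDatabase openDatabase(Context ctx) throws Exception {
        SQLiteDatabase.loadLibs(ctx);
        byte[] passphrase = new DbPassphraseStore(ctx).getOrCreatePassphrase();
        try {
            String passphraseText = Base64.encodeToString(passphrase, Base64.NO_WRAP);
            return SQLiteDatabase.openOrCreateDatabase(ctx.getDatabasePath("app.db"), passphraseText, null);
        } finally {
            java.util.Arrays.fill(passphrase, (byte) 0); // SQLCipher has its own copy by now
        }
    }
}
```

What this buys you matches the caveat in the answer: the wrapping key is not exportable, so copying the preferences file and the database off the device does not yield a usable passphrase, and GCM's authentication tag makes tampering with the stored blob detectable. It does not stop code that already runs as your app on a rooted or instrumented device from calling the same unwrap path; if that is in your threat model, the further options are a user secret (passphrase or biometric-gated Keystore key via setUserAuthenticationRequired) rather than a different place to hide a static key.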

Jimmy Cram

Reputation: 71

Personally, I use substring to select sequences or unique characters from String values, then concatenate them to get my key. It's pretty barbaric, but I have not found another effective solution.

Upvotes: -1
