runaros

Reputation: 1842

Is it possible to access the SQLite-database of an Android-app on my phone?

I am creating an app where the user does some things during a game, and these actions are logged in a SQLite database. At the end of the game the app presents these logs through a screen, which are read by the game administrators (like, physically read by the game administrators watching the screen). Are there some ways for the contestants to manipulate the database, and if not, what security measures prevent them from doing this?

Upvotes: 8

Views: 26971

Answers (5)

Flo

Reputation: 27455

The database is stored under /data/data/your.applications.package/databases. Normally this location can only be accessed by the user the Android OS created for the app. No other user is able to access this location unless the device is rooted. Then any user can access any location on the phone and manipulate the data.

So if you want to prevent users from cheating you need some way to check if the values in the database are untouched. Perhaps you can store some kind of fingerprint on a server to check this.

Upvotes: 11
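One way to build the server-side fingerprint suggested above, as an added example that is not part of the original answers: each log row is folded into a SHA-256 hash chain, the app reports the new chain head after every action, and at the end the rows on the device are recomputed and compared with what the server recorded. The table name `game_log`, its columns, and the in-memory list standing in for the server are assumptions made for this sketch; it detects rows edited, removed or added after they were reported, not entries forged at the moment they are logged.

```python
import hashlib
import sqlite3

GENESIS = "0" * 64  # constructed start value for the chain


def chain(prev_hex, seq, player, action):
    """Fold one log row into the running SHA-256 fingerprint."""
    h = hashlib.sha256(bytes.fromhex(prev_hex))
    for field in (str(seq), player, action):
        raw = field.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big") + raw)  # length prefix keeps fields unambiguous
    return h.hexdigest()


def open_log():
    db = sqlite3.connect(":memory:")  # stands in for the app's database file
    db.execute("CREATE TABLE game_log (seq INTEGER PRIMARY KEY, player TEXT, action TEXT)")
    return db


def log_action(db, head, player, action):
    """App side: insert the row and return the new fingerprint to report."""
    seq = db.execute("SELECT COALESCE(MAX(seq), 0) + 1 FROM game_log").fetchone()[0]
    db.execute("INSERT INTO game_log VALUES (?, ?, ?)", (seq, player, action))
    return chain(head, seq, player, action)


def first_mismatch(db, server_heads):
    """Admin side: recompute from the device rows; return the first bad seq, or None."""
    head = GENESIS
    rows = db.execute("SELECT seq, player, action FROM game_log ORDER BY seq").fetchall()
    for i, (seq, player, action) in enumerate(rows):
        head = chain(head, seq, player, action)
        if i >= len(server_heads) or head != server_heads[i]:
            return seq
    return None if len(rows) == len(server_heads) else len(rows) + 1


if __name__ == "__main__":
    db, head, server_heads = open_log(), GENESIS, []
    for player, action in [("p1", "checkpoint 1"), ("p1", "checkpoint 2"), ("p1", "finish")]:
        head = log_action(db, head, player, action)
        server_heads.append(head)  # in the app this would be a request to the server
    print("untouched:", first_mismatch(db, server_heads))
    db.execute("UPDATE game_log SET action = 'checkpoint 3' WHERE seq = 2")
    print("after edit:", first_mismatch(db, server_heads))
```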

Chris Stratton

Reputation: 40407

Unless you issue the devices to users and you carefully watch what they do with them, to be secure against anyone determined, you need to digitally sign the entries in the database using a mechanism hidden in strongly obfuscated application code. And even that only makes it harder.

Note that using a server does not help unless a key part of the game logic itself is implemented in the server; if the user knows how to fake your signing mechanism to write fake database entries, they can also send fake reports to your server.

Upvotes: 0

Peter Knego

Reputation: 80340

Yes, users can examine and change the database when connected over USB via ADB: http://developer.android.com/guide/developing/tools/adb.html#shellcommands

Update:

This only works on rooted devices or official Google Dev devices: Why do I get access denied to data folder when using adb?

Still, this would allow users to access the database and change game results. So you cannot rely on the database not being accessible.

Upvotes: 3

Hades

Reputation: 3936

You can use Proguard to obfuscate your code.

Also have the database be unique with a particular id according to the device id with some sort of server callback, to validate the database.

Upvotes: -1

nicholas.hauschild

Reputation: 42834

Yes, you can do it programmatically, as long as you are the developer. Here are the Android docs for SQLiteDatabase.

Here are some links for working with SQLiteDatabases programmatically:

  1. From Android docs
  2. From a blog
  3. From another blog

The SQLiteDatabase in an application should be 'sandboxed' to that specific application, meaning that no other application should be able to get to that data, as long as the developer didn't provide access to it with a ContentProvider. So to answer your final question, no, there should not be a way for contestants to manipulate the database, except in ways that the developer has already allowed.

Upvotes: 2
