Android uses SQLite database to store data, I need to encrypt the SQLite database, how can this be done? I understand that application data is private. However I need to explictly encrypt the SQLite database that my app is using.
相关问题
- How can I create this custom Bottom Navigation on
- Bottom Navigation View gets Shrink Down
- How to make that the snackbar action button be sho
- Listening to outgoing sms not working android
- How to create Circular view on android wear?
Databases are encrypted in order to prevent
INDIRECT ATTACKS
. This term and classes: KeyManager.java, Crypto.java are taken from Sheran Gunasekera book Android Apps Security. I recommend all this book to reading.INDIRECT ATTACKS
are so named, because the virus does not go after your application directly. Instead, it goes after the Android OS. The aim is to copy all SQLite databases in the hopes that the virus author can copy any sensitive information stored there. If you had added another layer of protection, however, then all the virus author would see is garbled data. Let’s build a cryptographic library that we can reuse in all our applications. Let’s start by creating a brief set of specifications:Uses symmetric algorithms: Our library will use a symmetric algorithm, or block cipher, to encrypt and decrypt our data. We will settle on AES, although we should be able to modify this at a later date.
Uses a fixed key: We need to be able to include a key that we can store on the device that will be used to encrypt and decrypt data.
Key stored on device: The key will reside on the device. While this is a risk to our application from the perspective of direct attacks, it should suffice in protecting us against indirect attacks.
Let’s start with our key management module (see Listing 1). Because we plan to use a fixed key, we won’t need to generate a random one as we did in the past examples. The KeyManager will therefore perform the following tasks:
setId(byte[] data)
method)setIv(byte[] data)
method)getId(byte[] data)
method)getIv(byte[] data)
method)(Listing 1. The KeyManager Module KeyManager.java)
Next, we do the Crypto module (see Listing 2). This module takes care of the encryption and decryption. We have added an
armorEncrypt()
andarmorDecrypt()
method to the module to make it easier to convert the byte array data into printable Base64 data and vice versa. We will use the AES algorithm with Cipher Block Chaining (CBC) encryption mode and PKCS#5 padding.(Listing 2. The Cryptographic Module Crypto.java)
You can include these two files in any of your applications that require data storage to be encrypted. First, make sure that you have a value for your key and initialization vector, then call any one of the encrypt or decrypt methods on your data before you store it. Listing 3 and Listing 4 contain an simply App-example of these classes using. We create an Activity with 3 Buttons Encrypt, Decrypt, Delete; 1 EditText for data input; 1 TextView for data output.
(Listing 3. An example. MainActivity.java)
(Listing 4. An example. activity_main.xml)
If the database will be small, then you could gain a small amount of security by decrypting the whole file to a temp location (not on sd card), then re-encrypting when you've closed it. Problems: premature app death, ghost image on media.
A slightly better solution to encrypt the data fields. This causes a problem for WHERE and ORDER BY clauses. If the encrypted fields need to be indexed for equivalence searching, then you can store a cryptographic hash of the field and search for that. But that doesn't help with range searches or ordering.
If you want to get fancier, you could delve into the Android NDK and hack some crypto into C code for SQLite.
Considering all these problems and partial solutions, are you sure you really need a SQL database for the application? You might be better off with something like a file that contains an encrypted serialized object.
You can certainly have a encrypted SQLite database on Android. You can't do it with the out of the box Google provided classes, however.
A couple alternatives:
SQLCipher is an SQLite extension that provides transparent 256-bit AES encryption of database files.
Earlier sqlcipher which is Open Source Full Database Encryption for SQLite was not available for android. But now it's available as alpha release for android platform. Developers have updated the standard android application 'Notepadbot' to use SQLCipher.
So this is definitely the best and simplest option as of now.
http://sqlite-crypt.com/ may help you to create an encrypted database, though I've never used it on android seems to be possible with the source code.