SQLite Database (secure?)

SQLite Database (secure?) svebee 9/26/10 4:10 PM
I just have one simple question: is it possible to extract (and read
records from) an SQLite database out of an Android application (.apk file/...)?

Because I have some important information in it, so I wanna be sure
it's pretty secure (only application has access to it)?

Thank you.
Re: [android-developers] SQLite Database (secure?) Mark Murphy 9/26/10 4:16 PM

Users with rooted phones can get access to any files they want.
Otherwise, databases in the conventional on-board flash location are
secure.

--
Mark Murphy (a Commons Guy)
http://commonsware.com | http://github.com/commonsguy
http://commonsware.com/blog | http://twitter.com/commonsguy

Android App Developer Books: http://commonsware.com/books

Re: SQLite Database (secure?) William Ferguson 9/26/10 5:39 PM
You could always encrypt the data in the database. See
http://stackoverflow.com/questions/2203987/android-database-encryption

It would be nice to be able to encrypt the entire DB, but that doesn't
appear to be possible.
See http://code.google.com/p/android/issues/detail?id=191


On Sep 27, 9:16 am, Mark Murphy <mmur...@commonsware.com> wrote:
> On Sun, Sep 26, 2010 at 7:10 PM, svebee <sven.kapud...@gmail.com> wrote:
> > I just have one simple question: is it possible to extract (and read
> > records from) an SQLite database out of an Android application (.apk file/...)?
>
> > Because I have some important information in it, so I wanna be sure
> > it's pretty secure (only application has access to it)?
>
> Users with rooted phones can get access to any files they want.
> Otherwise, databases in the conventional on-board flash location are
> secure.
>
> --
> Mark Murphy (a Commons Guy)
> http://commonsware.com | http://github.com/commonsguy
> http://commonsware.com/blog | http://twitter.com/commonsguy
Re: SQLite Database (secure?) DanH 9/26/10 5:52 PM
There is an open source SQLite-crypto package which I've used on
Symbian and seen used on iPhone.  But you basically have to load an
entirely new version of SQLite onto the phone, and I suspect that on
Android there's no way to switch it in in place of the existing
version, so it wouldn't interface like the built-in SQL support.
Also, of course, you'd be talking C/C++ native method coding in
buckets.

You can do your own encryption for individual columns, but you then
can't practically index/search on those columns.

On Sep 26, 7:39 pm, William Ferguson <william.ferguson...@gmail.com>
wrote:
> You could always encrypt the data in the database. See
> http://stackoverflow.com/questions/2203987/android-database-encryption
>
> It would be nice to be able to encrypt the entire DB, but that doesn't
> appear to be possible.
> See http://code.google.com/p/android/issues/detail?id=191
Re: SQLite Database (secure?) svebee 9/27/10 1:14 AM
Hmm..tnx guys. I found this as William Ferguson suggested it.

http://www.androidsnippets.org/snippets/39/

This seems to be secure, but, can someone get this code and read seed
value and therefore get access to whole database?
Re: [android-developers] Re: SQLite Database (secure?) Mark Murphy 9/27/10 4:05 AM
On Mon, Sep 27, 2010 at 4:14 AM, svebee <sven.k...@gmail.com> wrote:
> Hmm..tnx guys. I found this as William Ferguson suggested it.
>
> http://www.androidsnippets.org/snippets/39/
>
> This seems to be secure, but, can someone get this code and read seed
> value and therefore get access to whole database?

If you are trying to defend a database's owner (i.e., the device's
owner) against other people, have the owner supply a password ("seed"
in the parlance of that snippet) to use for encryption.

If you are trying to defend a database *against the device owner*,
don't put the database on the device. Or, come up with a development
and/or business model where you do not fear the user.

--

Mark Murphy (a Commons Guy)
http://commonsware.com | http://github.com/commonsguy
http://commonsware.com/blog | http://twitter.com/commonsguy

Android Training in London: http://skillsmatter.com/go/os-mobile-server

Re: SQLite Database (secure?) DanH 9/27/10 9:10 AM
As Mark says, if you're wanting to protect the data from access by
other than the owner, have the owner supply a password that is used to
generate the key (basically the "seed" to getRawKey).  If you want to
prevent access by the owner, or want to protect the data without
requiring a password, you need to use "security by obscurity".  You
might, eg, use the IMEI manipulated in some fashion through some
obfuscated methods.  (It's useful here to have the methods have
meaningful yet misdirecting names -- instead of "computeKey" use
"getTimeAndDate", eg.  And pass the partially constructed data between
several such methods, store it in globals somewhere vs passing as a
parameter in a couple of calls, etc.  And interleave steps in the key
generation process with other unrelated processing steps.)

Of course, "security by obscurity" isn't really "secure" in any
absolute sense, but with enough obfuscation you can make it
impractical for all but the most determined bad actor to access the
data.
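
Added example (not code from any poster or from the linked snippet): one way to implement the owner-supplied-password approach described by Mark Murphy and DanH, which also shows DanH's earlier point that an encrypted column cannot be searched or indexed. It uses PBKDF2 and AES-GCM from the standard `javax.crypto` API rather than the snippet's seed-based `getRawKey`; the class name, iteration count and sample values are assumptions.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class ColumnCrypto { // hypothetical class name
    private static final SecureRandom RNG = new SecureRandom();

    // Derive a 256-bit AES key from the owner's password. The salt is stored beside the DB; it is not secret.
    static SecretKeySpec deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256); // iteration count is an assumption
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    // Returns nonce || ciphertext+tag, suitable for storing in a BLOB column.
    static byte[] encrypt(SecretKeySpec key, String plaintext) throws Exception {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce); // fresh random nonce for every value
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static String decrypt(SecretKeySpec key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return new String(c.doFinal(blob, 12, blob.length - 12), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        SecretKeySpec key = deriveKey("owner passphrase".toCharArray(), salt); // constructed sample input
        byte[] a = encrypt(key, "4111-sample"), b = encrypt(key, "4111-sample");
        System.out.println("round trip ok: " + decrypt(key, a).equals("4111-sample"));
        // Same plaintext, different stored bytes: an equality lookup or index on this column cannot match.
        System.out.println("ciphertexts equal: " + Arrays.equals(a, b));
        try {
            decrypt(deriveKey("wrong guess".toCharArray(), salt), a);
        } catch (AEADBadTagException e) { // GCM tag check fails under the wrong key
            System.out.println("wrong password rejected");
        }
    }
}
```

Nothing derived from the password is shipped in the .apk, so reading the application code does not yield the key; the protection is only as strong as the owner's password.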
Re: [android-developers] Re: SQLite Database (secure?) amir elmankabady 9/27/10 1:31 AM
Hi all;
I am a new Android developer. Can anyone help me to learn more about SQLite and Android applications through PDFs, websites, etc.?
And is there any tool like SQL Server to help me to create tables, etc.?

Thanks for your help and best regards
Amir El-Mankabady
Re: SQLite Database (secure?) DanH 9/27/10 7:15 PM
Best thing to do to learn SQLite is to go to http://www.sqlite.org/
and just start reading.  You can download a PC/Mac/Linux version of
the executables and play around with SQLite on a desktop/laptop where
experimenting is a lot easier.

And if you want a GUI instead of the command-line SQLite interface
there are several free tools available.  I use "SQLite Expert", which
I've found to be pretty good and easy to use.

Once you begin developing on Android, it's still good to know these
interfaces.  You can run the command line SQLite interface on the
phone, if you wish, and you can download a DB from the phone to study
it with one of the GUI tools.
