Geek Answers Handbook

How to protect your encryption key in Android?

I applied SQLCipher in my Android app to make it database safe. SQLCipher needs a key to encrypt the database file. The problem I ran into is key protection, if my application is used on the root device or reverse engineering, then my key will be open and the database can be decrypted.

Please note that my application does not ask for a password every time a user opens it, and therefore the user's password cannot be used as a key. I want to implement behavior like facebook, whatsapp applications that encrypt data using private-key / key without asking for a password and allow users to register all the time. Where and how do these applications store their key?

Please suggest a solution / algorithm that will protect the key. In addition, does the Android infrastructure support any such feature for data protection / management?

+7
android public-key-encryption sqlcipher-android
source share
2 answers

You can use Andriod Keystore to encrypt the SQLCipher password.

I had the same problem when SQLCipher was used to protect data, but the password itself was not. This prevented a security flaw when a simple decompilation revealed the password, as it was in the form of a string constant.

My solution was:

  • Generate a random number when the application starts first. (You can change this behavior to suit your needs)
  • Encrypt this number using Android Keystore.
  • The original form of the number disappears after its encryption.
  • Save this to Prefs.
  • Now that SQLCipher needs a password, it decrypts it and uses it.
  • Since Android Keystore provides keys at runtime, and the keys are strictly application specific, it will be difficult to partition this database.
  • Although everything can be broken, but this approach will greatly complicate for an attacker to extract data from a database or database password.

Here is an example project that I did that also has an example using SQLCipher, the same as yours.

Encryption Assistant for Password Encryption

Use case for SQLCipher

Please note that the term that you use as the encryption key is used as the password / number for the database in the discussion above.

+5
source share

You can try this document: https://developer.android.com/training/articles/keystore.html

hope this helps you

+3
source share

More articles:


All Articles