Protecting local proprietary data in an app

ChrisSwainChrisSwain USMember, University ✭✭

I have a Xamarin.Forms app that uses a local SqLite database as its source for data. The data is proprietary, so I want to protect it so that if someone gets access to the database file, they would have to decrypt it to access the data.

I also want to limit the number of queries users can make against the database so that at a certain point they have to purchase the ability to use more of the data (in-app purchase).

I want to avoid making network calls as much as possible to minimize impact to the user's data plan and allow the app to work well in conditions where there is poor or no connectivity. So, I want the data stored in a local database (perhaps in SqLite).

I'm curious how different people would approach this problem to protect the data and at the same time minimize network usage.

Here is kind of what I was thinking (if it's possible):

1) Let the user download/install the app.
2) On first load, the app will upload a key based on the device id and the user's current purchase information. Then it will download a SqLite database file that has been encrypted using the uploaded key.
3) When the user reaches their limit of queries, the database file is deleted. If they purchase more data, then a new key is uploaded and a new encrypted database is downloaded to be used.

Thoughts? Is there a better way?

Posts

  • DanielLDanielL PLInsider ✭✭✭✭
  • ChrisSwainChrisSwain USMember, University ✭✭

    Not really what I'm looking for. I need a way to secure and protect queryable data like a database. That post seems more about settings data, string, and small serializable objects.

  • DanielLDanielL PLInsider ✭✭✭✭
    edited September 2015

    On first load, the app will upload a key based on the device id and the user's current purchase information.

    Yes, that's true. But you probably gonna need to store token securely. It could be useful. I don't think there're other options to store sensitive tokens, passwords on mobile platforms using .net.

    You could even try to store entire database there. You can do that with sqlite:

    • Write database to platform specific secure storage
    • Read database from secure storage (as stream or byte array)
    • Open it as ":memory" sqlite database https://www.sqlite.org/inmemorydb.html
    • It will be queryable
    • Note that database will be in device memory, so it's a potential vulnerability here.
  • ChrisSwainChrisSwain USMember, University ✭✭

    Ah, good point! Thanks @DanielL ! Hopefully someone else on the forum help provide the other pieces to the puzzle.

    This can't be an uncommon problem, can it?

Sign In or Register to comment.