Securing SQLite and .apk

trebor74 USMember ✭✭
edited February 2018 in Xamarin.Forms

I am preparing to release my app to the Google Play Store. I would like to know what the best practice is to secure both the .apk and the embedded SQLite database. I know I can use ProGuard, but I'm not sure whether that protects the data, and I was wondering if it is worth considering SQLCipher?
Alternatives to this are encrypting the data at row level and obfuscating the code, but ideally I would like a simple solution that protects both the source code and the database.

Answers

  • ClintStLaurent USUniversity ✭✭✭✭✭

    Is the data in the database encrypted? If your app is already encrypting the data being stored I would think that is a good first step without having to wrap the entire database.

  • trebor74 USMember ✭✭

    @ClintStLaurent said:
    Is the data in the database encrypted? If your app is already encrypting the data being stored I would think that is a good first step without having to wrap the entire database.

    Not yet, but we are considering this. If so, we'll need to embed a token/password for decryption, but obviously, as this will be in the code, we need to ensure the .apk is secure as well.

  • ClintStLaurent USUniversity ✭✭✭✭✭

    What if the decryption token isn't even in the app? What if it is tied to the user identifier and the token is downloaded from a service when the app launches? Thus it is only memory-resident, so there is nothing on the device to hack.

  • trebor74 USMember ✭✭

    @ClintStLaurent said:
    What if the decryption token isn't even in the app? What if it is tied to the user identifier and the token is downloaded from a service when the app launches? Thus it is only memory-resident, so there is nothing on the device to hack.

    This could work. The only issue is the app isn't always connected to the internet. There will be a PIN which they set the first time, so possibly I could use this as part of the hash to secure the database. The only issue is the app checks first to see if a PIN exists in the database, so maybe I could have a default PIN, and when they change it, encrypt the database using the newly specified PIN?
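
Worked example, added here and not code from the thread, from Xamarin or from SQLCipher: a PIN-keyed SQLCipher database with a per-install random salt, the first-run default PIN described in the post above, and a rekey when the user picks their own PIN. It assumes Microsoft.Data.Sqlite running on top of SQLitePCLRaw.bundle_e_sqlcipher (which is what makes PRAGMA key and PRAGMA rekey available), a .NET runtime that exposes the Rfc2898DeriveBytes constructor taking a HashAlgorithmName, and hypothetical names of its own (the PinKeyedDatabase class, the db.salt file, the "0000" default PIN). The memory-resident token suggested earlier in the thread fits the same shape: pass the downloaded token to RawKeyLiteral instead of the PIN and never write it to disk.

```csharp
// Added example (not from the thread). Assumptions: Microsoft.Data.Sqlite backed by
// SQLitePCLRaw.bundle_e_sqlcipher, and Rfc2898DeriveBytes with a HashAlgorithmName overload.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.Data.Sqlite;

public static class PinKeyedDatabase
{
    // Hypothetical choices for this example: salt file name, first-run PIN, KDF cost.
    const string SaltFileName = "db.salt";
    const string DefaultPin = "0000";
    const int Iterations = 100_000;

    // A per-install random salt means two devices with the same PIN get different keys,
    // so a precomputed table of all PIN-derived keys is useless against the file.
    public static byte[] LoadOrCreateSalt(string appDataDir)
    {
        var path = Path.Combine(appDataDir, SaltFileName);
        if (File.Exists(path)) return File.ReadAllBytes(path);
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        File.WriteAllBytes(path, salt);
        return salt;
    }

    // PBKDF2-HMAC-SHA256 over the PIN, formatted as the "x'<64 hex chars>'" literal that
    // SQLCipher accepts as a raw 256-bit key (this skips SQLCipher's own passphrase KDF,
    // because the derivation is done here instead).
    public static string RawKeyLiteral(string pin, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(pin, salt, Iterations, HashAlgorithmName.SHA256))
        {
            var hex = BitConverter.ToString(kdf.GetBytes(32)).Replace("-", "");
            return "\"x'" + hex + "'\"";
        }
    }

    // First run: open under DefaultPin so the app can create the PIN table before a real
    // PIN exists. Later runs: open under the PIN the user typed.
    public static SqliteConnection Open(string dbPath, string pin, byte[] salt)
    {
        var cs = new SqliteConnectionStringBuilder { DataSource = dbPath }.ToString();
        var conn = new SqliteConnection(cs);
        conn.Open();
        // PRAGMA cannot take bound parameters; the literal is hex built above, so no
        // user-typed text ever reaches the SQL string.
        Exec(conn, "PRAGMA key = " + RawKeyLiteral(pin, salt));
        // Touch the schema now: with a wrong key SQLCipher throws "file is not a database"
        // here, instead of failing later in the middle of the app's own queries.
        Exec(conn, "SELECT count(*) FROM sqlite_master");
        return conn;
    }

    public static SqliteConnection OpenFirstRun(string dbPath, byte[] salt) =>
        Open(dbPath, DefaultPin, salt);

    // Called when the user replaces the default PIN, or changes it later. SQLCipher
    // re-encrypts every page in place under the new key. Anything written before this
    // point was protected only by DefaultPin, which ships inside the .apk, so treat
    // that data as public and keep the first-run database empty of secrets.
    public static void ChangePin(SqliteConnection conn, string newPin, byte[] salt)
    {
        Exec(conn, "PRAGMA rekey = " + RawKeyLiteral(newPin, salt));
    }

    static void Exec(SqliteConnection conn, string sql)
    {
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText = sql;
            cmd.ExecuteNonQuery();
        }
    }
}
```

Two caveats worth keeping in view when using this pattern. A short numeric PIN has very little entropy (a 4-digit PIN is 10,000 guesses), so once an attacker has the database file and the salt, PBKDF2 only slows an offline search down, it does not stop it; the PIN mainly raises the bar above "open the file with a hex editor", and the real protection for data at rest is still the platform sandbox and device encryption. And the salt in the example is a plain file next to the database; on Android, keeping it in platform-protected storage instead of app-private files is a reasonable step up, but it does not change the entropy problem.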

  • ClintStLaurent USUniversity ✭✭✭✭✭

    Sounds doable. Or... When they buy the app, do they receive an unlock code to take it from demo to activated mode?

  • trebor74 USMember ✭✭

    It's not going to be bought as such, and they need to define their own PIN. I think it could work though, so I will give it a go and let you know. Thanks for your help.
