Is my SQLite Database is secured after using SQLCipher?

Question

I have replaced SQLiteOpenHelper with import net.sqlcipher.database.SQLiteOpenHelper

For inserting datas into Database and getting data from it, I have used
SQLiteDatabase db = this.getWritableDatabase("mypassword");

instead of below

SQLiteDatabase db = this.getWritableDatabase();

Below is my oncreate and onUpgrade,

@Override
    public void onCreate(net.sqlcipher.database.SQLiteDatabase db) {

        db.execSQL(ARecords.CREATE_TABLE);
        db.execSQL(BRecords.CREATE_TABLE);
    }

    @Override
    public void onUpgrade(net.sqlcipher.database.SQLiteDatabase db, int oldVersion, int newVersion) {
// Drop older table if existed
        db.execSQL("DROP TABLE IF EXISTS " + ARecords.TABLE_NAME);
        db.execSQL("DROP TABLE IF EXISTS " + BRecords.TABLE_NAME);
        //Create tables again
        onCreate(db);

    }

In MainActivity,

SQLiteDatabase.loadLibs(this);

below is my dependencies

implementation 'net.zetetic:android-database-sqlcipher:4.4.3'
    implementation 'androidx.sqlite:sqlite:2.1.0'

I am using SQLCipher for preventing my application from attacker gets access to the data stored in the /data/data/com.applicationname/ directory

Rooted devices can have access to the data/data/com.applicationname/ directory right.Then using SQLCipher wont allow users to the directory ?

1. Now I want to make sure whether my database is now secured. How to know that?
2. I am using hardcoded passwords inside getWritableDatabase. Is that good way to do? Or it may be hacked?

Also I have seen below tutorial for Encryption. So now I am confused. Using SQLCipher itself good or need to do like below tutorial

https://www.raywenderlich.com/778533-encryption-tutorial-for-android-getting-started%20tutorial#toc-anchor-001

Thanks in Advance.

Answer 1

I assume that you're bundling your database inside assets or something like that, and in this case, it doesn't matter how much you try, there's always an attacker who can attack you (but in most cases they won't because there's nothing in it for them) But a password might slow down the attacker (but if it's going to be bundled, you also have to put password inside your code which means no security at all)

Answer 2

Using SQLCipher doesn't guaranty the security of your DB. You need to take consideration of adding an extra layer for your DB.

Hardcoding a password isn't safe. You can use salt and even make the strength a little bit harder by combining the hardware-specific values like serial number, IMEI, and others.

This can make your database more secure. There is no 100% secured, there is always a flaw.

Answer 3

Password hardcoding not secure

If you hardcode your password into the code, then it's definitely not secure. If an attacker gets your APK and knows how to decompile it, he can easily get the DB password, and it doesn't matter how obfuscated the code is.

What do then

One way is to ask a user to fill in a password (via some dialog), before each time a DB connection is established. Then, this password can be used for opening a connection. Obviously, it must be strong enough and not stored anywhere afterwards. It's also a good idea to offer changing a password for your DB because users to tend to use the same password for several services, if their password gets compromised, they need to be able to change it.

Answer 4

You're almost ok, you only need an additional step in order to achieve a secure DB: use runtime/random generated passwords

SQLCipher will encrypt your database file. This means that anyone on rooted devices CAN access to any directory of the device, but the DB file will be encrypted (source: https://www.zetetic.net/sqlcipher/about/). SQLCipher is just a library, it doesn't affect the filesystem so it can't prevent any directory access.

As other users were saying: Hardcoded passwords are not secure
Any attacker could easily read them and decrypt anything. So what you should do instead is to generate a random password at the very first application launch and use it to encrypt/decrypt your db. You can generate a UUID, a random number, whathever you prefer.
Never rely on device-related identifiers(IMEI, DeviceId etc.): anyone else could simply reverse engineer your app and discover the password!

Last step is: Where to store my generated password in a secure way, so nobody can read it? In a secure place like this: https://developer.android.com/training/articles/keystore

Answer 5

I am using hardcoded passwords inside getWritableDatabase.

For which purpose? If you store them there to verify with user-entered password and allow some action if they match, that is bad way

But why don't you store SHA-256 of original entered password? When person will enter password, you will check if SHA-256 of entered password matches stored to db SHA-256.

The coolest thing is that noone can get original String from SHA-256. It is safely.

To create SHA-256 from String check this link