I have recently changed my app to use SQLCipher API rather than the standard android.database.sqlite.
Originally a user would type their username and password when logging into the app for the first time. The app verifies the credentials against our server. If they are correct i store the username and password in the sqllite Db on the phone. Subsequent logins are then done against the phone's DB without the need for a webcall.
i also obfuscate the apk.
The stored password is also used to get a user's rota, which has senitive client data. eg numeric code to gain entry to clients house, address etc. This is what needs securing, incase the phone is stolen, rooted or decompiled.
My question is I understand that SQLCipher encryption/decryption all happens automatically with each call to
SQLiteDatabase db = dbhelper.getWritableDatabase("12345");
12345 is just some String i have hardcoded for now. I want this to be the password that the user has for their login.
What would be the best way to do this. I need to find a way where the user's password is stored securely and is used for encryption. I don't want any password hardcoded in the app(unless this is the only way to do it).
The problem is how can i call
SQLiteDatabase db = dbhelper.getWritableDatabase("STORED PASSOWRD IN DB");
return db.query(DBHelper.TABLECARER, null, null, null, null, null, null);
when the cursor has the password in it?
Thanks
Please refer to this link: http://www.informit.com/articles/article.aspx?p=2268753&seqNum=4
Keep in mind that you should not store the key on your device with protected data