I have a database containing private information that must only be accessible to my application. I added my database file in the assets folder, which gets copied over to the application's database directory the first time the app runs, but the “assets” directory and the “data” directory (on rooted devices) can be accessed by any other application. So I decided to encrypt the database. Android's default SQLite database doesn't provide encryption of the data, so I decided to use SQLCipher for Android: http://sqlcipher.net/sqlcipher-for-android/.
Now I have successfully encrypted the database and I can access it using the specific password. But the problem remains… Where should I store this password so that it is only accessible to my application?
- Can’t hardcode it as it will be accessible after decompiling it even if it is obfuscated.
- Can’t store it in the file system either (assets/raw).
- Can’t ask the user to enter it as the user could be a hacker.
It is a standalone app with no server interaction at all.
> Can't ask the user to enter it as the user could be a hacker

Then you have no way to securely store it. For the same reasons you’ve already identified, specifically that your code can be decompiled, any place you store it that is accessible can be figured out through decompilation and hence retrieved by any code with the right access.

Something the user provides is stored wherever the user stores it — presumably in his or her head. This is not something software can access, which makes it ideal for reducing the risk of a malware attack. If the entered password is valid, you have no way to know if the user is authorized or not; however, you can define policy such as a minimum key length, a maximum number of entry attempts (before introducing some delay or other lockout), etc.
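
The policy described in the answer above (minimum length, limited attempts, then a growing delay), as an added Java example that is not part of the original post. The class name, the constants and the `tryOpen` callback are hypothetical; `tryOpen` stands in for whatever call opens the SQLCipher database with the entered passphrase.

```java
import java.util.Arrays;
import java.util.function.Predicate;

/** Gate in front of the database unlock: length policy plus a growing delay after failures. */
public class PassphraseGate {
    static final int MIN_LENGTH = 12;          // assumed policy value
    static final int FREE_ATTEMPTS = 3;        // assumed: failures allowed before any delay
    static final long BASE_DELAY_MS = 2_000;   // assumed: first delay, doubled per further failure
    static final long MAX_DELAY_MS = 300_000;  // assumed cap on the delay

    enum Result { OPENED, TOO_SHORT, LOCKED_OUT, WRONG }

    private int failures = 0;        // a real app would persist these two across restarts
    private long lockedUntilMs = 0;

    /** tryOpen returns true when the passphrase opened the encrypted database. */
    Result attempt(char[] passphrase, Predicate<char[]> tryOpen, long nowMs) {
        try {
            if (nowMs < lockedUntilMs) return Result.LOCKED_OUT;
            // Shorter than the enrolment minimum, so it cannot be the real passphrase.
            if (passphrase.length < MIN_LENGTH) return Result.TOO_SHORT;
            if (tryOpen.test(passphrase)) {
                failures = 0;
                return Result.OPENED;
            }
            failures++;
            if (failures >= FREE_ATTEMPTS) {
                int shift = Math.min(failures - FREE_ATTEMPTS, 20);
                lockedUntilMs = nowMs + Math.min(BASE_DELAY_MS << shift, MAX_DELAY_MS);
            }
            return Result.WRONG;
        } finally {
            Arrays.fill(passphrase, '\0'); // wipe the caller's copy once it has been used
        }
    }

    public static void main(String[] args) {
        char[] real = "correct horse battery".toCharArray();    // constructed sample passphrase
        Predicate<char[]> fakeDb = p -> Arrays.equals(p, real); // stand-in for the SQLCipher open call
        PassphraseGate gate = new PassphraseGate();
        System.out.println(gate.attempt("short".toCharArray(), fakeDb, 0));
        for (int i = 0; i < FREE_ATTEMPTS; i++) {
            System.out.println(gate.attempt("wrong passphrase!".toCharArray(), fakeDb, 0));
        }
        System.out.println(gate.attempt(real.clone(), fakeDb, 0));     // still inside the delay
        System.out.println(gate.attempt(real.clone(), fakeDb, 2_000)); // delay has elapsed
    }
}
```

The delay only slows guessing through the app itself; someone who has copied the database file can guess offline, so the minimum length is the part of the policy that protects the file.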