How to protect my encryption key in Android?

2

8

I have implemented SQLCipher in my Android application to make its database secure. SQLCipher needs a key to encrypt the database file. The problem I am facing is key protection: if my application is used on a rooted device or is reverse engineered, then my key will be exposed and the database can be decrypted.

Please note that my application doesn't ask for a password every time the user opens it, and thus a user-entered password can't be used as the key. I want to implement behavior like the Facebook and WhatsApp applications, which encrypt data using a private key/key without asking for any password and keep the users logged in all the time. Where and how do these applications store their key?

Please suggest a solution/algorithm that will protect the key. Also, does Android OS provide any such functionality for data protection/management?

Conde answered 7/3, 2018 at 6:33 Comment(1)
An add-on to Talha's solution: You can use EncryptedSharedPreferences from the Jetpack library. – Decameter
9

You can use Android Keystore to encrypt your SQLCipher password.

I had the same issue a while ago, where SQLCipher was used to secure data, but the password itself was not. This allowed a security flaw where a simple decompilation would reveal the password, as it was in the form of a string constant.

My solution was:

  • Generate a random number when the app first starts. (You can change this behaviour for whatever suits you.)
  • Encrypt this number using Android Keystore.
  • The original form of the number is gone once it's encrypted.
  • Save this in Prefs.
  • Now, whenever SQLCipher needs the password, it will decrypt it and use it.
  • Since Android Keystore is providing keys at runtime, and keys are strictly app specific, it will be hard to break this database.
  • Although everything can be broken, this approach will make it a lot harder for the attacker to retrieve data from the DB, or the DB password.

Here is a sample project I made which also has a SQLCipher use case same as yours.

Encryption Helper for Encrypting Passwords

Use case for SQLCipher

Note that the term you are using as encryption key is used as password/number for the DB in the above discussion.

Plaided answered 7/3, 2018 at 6:41 Comment(6)
What certificate was your Android key store using when you encrypted the number using AndroidKeystore? – Conde
Keystore must have its default certificate since I did not specify it in the start of the following file; you can check this source code, which has declarations of Certificate Authority and Algorithms used etc. – Plaided
Have a look at this: How java keytool works – Plaided
Your use case link is broken. – Vanwinkle
Updated the link* – Plaided
Nicely explained – Whispering
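
The steps listed in the answer above, written out as an added example (this is not the answerer's sample project code): a random 32-byte passphrase is wrapped with an AES-GCM key held in the Android Keystore and the ciphertext is saved in SharedPreferences. The class name, key alias and preference names are assumptions, and the code requires API 23 or later.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class DbPassphraseStore { // hypothetical helper, added example
    private static final String ALIAS = "db_wrap_key";      // assumed keystore alias
    private static final String PREFS = "db_secure_prefs";  // assumed prefs file name
    // Loads the wrapping key, generating it inside the keystore on first use.
    private static SecretKey wrapKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(ALIAS)) return (SecretKey) ks.getKey(ALIAS, null);
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey(); // key material is not exportable to the app
    }
    // Returns the DB passphrase bytes, creating and wrapping them on first run.
    public static byte[] getPassphrase(Context ctx) throws Exception {
        SharedPreferences p = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        String iv = p.getString("iv", null), ct = p.getString("ct", null);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        if (iv != null && ct != null) { // later runs: unwrap the stored value
            c.init(Cipher.DECRYPT_MODE, wrapKey(),
                    new GCMParameterSpec(128, Base64.decode(iv, Base64.NO_WRAP)));
            return c.doFinal(Base64.decode(ct, Base64.NO_WRAP));
        }
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        c.init(Cipher.ENCRYPT_MODE, wrapKey()); // the keystore picks a fresh IV
        boolean saved = p.edit()
                .putString("iv", Base64.encodeToString(c.getIV(), Base64.NO_WRAP))
                .putString("ct", Base64.encodeToString(c.doFinal(secret), Base64.NO_WRAP))
                .commit(); // synchronous: the DB must not be created with a lost passphrase
        if (!saved) throw new IllegalStateException("passphrase not persisted");
        return secret;
    }
}
```

The keystore keeps the wrapping key from being copied off the device, but code running as the app on a rooted device can still ask it to decrypt, so this raises the cost of recovering the passphrase rather than removing the risk.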
-1

Personally, I use substring to select sequences or unique characters from String values, then I concatenate them to get my key. It's pretty barbaric, but I have not found another effective solution.

Housefather answered 23/4, 2018 at 17:39 Comment(0)