Android: Room: no encryption and security?

Asked 15/2, 2018 at 4:4 Answered 26/6, 2020 at 6:52

I am using OrmLite over SQLite with SQLCipher to encrypt a database on Android. Is there a way to cipher a Room database?

Mockery answered 15/2, 2018 at 4:4 Comment(1)

see android.arch.persistence.db.SupportSQLiteOpenHelper – Olly 15/2, 2018 at 5:27

Room by default store data in the app's internal storage which any root user can access.

if you need some security you need to use encryption lib like this cwac-saferoom.

Equiponderate answered 15/2, 2018 at 4:8 Comment(10)

sounds like a crutch, I can't believe Google didn't thought about this question – Mockery 15/2, 2018 at 4:17

room engineers optimized for the general use case. added encryption would certainly increase the lib size and affected the performance. luckily someone made easy to use lib for that. – Equiponderate 15/2, 2018 at 4:20

It's not about the lib size. It might be separated dependency. – Mockery 15/2, 2018 at 4:21

@android51130: "sounds like a crutch" -- they specifically designed Room to integrate with its database using the support database API. The idea was that other parties could provide their own implementations of that API. I am doing so right now via CWAC-SafeRoom, to provide a support database API implementation using SQLCipher for Android. And I am working with Zetetic to move this support database API implementation directly into SQLCipher for Android. – Tomahawk 15/2, 2018 at 11:39

@Tomahawk In cwac-saferoom, it is said that implementation is for experimentation and can not be used in production. Can you provide details about approx. till when it will be production ready? – Granite 5/7, 2018 at 12:32

@silwar: I have no idea. I will be less nervous about it after Zetetic ships the next major version of SQLCipher for Android. That should contain the APIs that I need to complete the SupportSQLiteDatabase implementation. Right now, a bunch of stuff is stubbed out, because the current SQLCipher for Android does not support it. It happens that the stubbed out stuff represents things that Room does not use presently, which is why SafeRoom is holding up as well as it is. However, I have no idea when Zetetic will ship that update. – Tomahawk 5/7, 2018 at 12:58

@Tomahawk sorry you have to answer this query redundantly today. I hope Zetetic will ship their next version with changes you are expecting for SafeRoom and it will be win-win situation for you and for us as well. – Granite 5/7, 2018 at 13:26

@Tomahawk sorry for bothering you. However, has Zetetic shipped that update? Any idea when saferoom will be stable? Thank you for your work! – Lucrative 4/1, 2019 at 17:11

@qbait: I have no real objective measure for "stable". If you mean 1.0.0, I am at 1.0.0-alpha3 now, and unless somebody finds a flaw, 1.0.0 will be released by the end of the month. – Tomahawk 4/1, 2019 at 22:9

If there is encryption people will use it and think the keys that were stored on the handset are secret from the user and do a flawed design. The use cases for when the encryption matters are fairly limited and rely on say the user being the only one who knows the key. The database itself is private from other apps on the handset and if other actors can access it via root then they can likely access the keys as well. – Pippin 8/11, 2023 at 7:12

SQLCipher for Android now directly supports Room. You can find the documentation here

Consequently, @CommonsWare will not be actively developing cwac-saferoom any longer and recommends using SQLCipher's support

Pepsin answered 14/1, 2020 at 16:18 Comment(2)

For now I'm using Realm with out-of-the-box encrypting and easiest query building (as for me) with no-memory allocation for objects(can lazily load to pagedList directly from the disk storage), but anyway, this is really cool, thanks for info! – Mockery 14/1, 2020 at 16:26

SQLCipher library has issue on some devices running android 5 (like oppo) :( – Reglet 20/4, 2020 at 2:45

Android Room DB explicitly doesn't support encryption. A typical SQLite database in unencrypted. You can use SQLCipher for Android with Room or other consumers of the androidx.sqlite API to Secure Your Data stored in sqlite DB. QLCipher has a SupportFactory class in the net.sqlcipher.database package that can be used to configure Room to use SQLCipher for Android. See the hexdumps of a standard SQLite db and one implementing SQLCipher.

~ sjlombardo$ hexdump -C sqlite.db
00000000 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 |SQLite format 3.|
…
000003c0 65 74 32 74 32 03 43 52 45 41 54 45 20 54 41 42 |et2t2.CREATE TAB|
000003d0 4c 45 20 74 32 28 61 2c 62 29 24 01 06 17 11 11 |LE t2(a,b)$…..|
…
000007e0 20 74 68 65 20 73 68 6f 77 15 01 03 01 2f 01 6f | the show…./.o|
000007f0 6e 65 20 66 6f 72 20 74 68 65 20 6d 6f 6e 65 79 |ne for the money|

~ $ sqlite3 sqlcipher.db
sqlite> PRAGMA KEY=’test123′;
sqlite> CREATE TABLE t1(a,b);
sqlite> INSERT INTO t1(a,b) VALUES (‘one for the money’, ‘two for the show’);
sqlite> .quit

~ $ hexdump -C sqlcipher.db
00000000 84 d1 36 18 eb b5 82 90 c4 70 0d ee 43 cb 61 87 |.?6.?..?p.?C?a.|
00000010 91 42 3c cd 55 24 ab c6 c4 1d c6 67 b4 e3 96 bb |.B?..?|
00000bf0 8e 99 ee 28 23 43 ab a4 97 cd 63 42 8a 8e 7c c6 |..?(#C??.?cB..|?|

~ $ sqlite3 sqlcipher.db
sqlite> SELECT * FROM t1;
Error: file is encrypted or is not a database

https://github.com/sqlcipher/android-database-sqlcipher

Barbiturism answered 26/6, 2020 at 6:52 Comment(1)

Would it be possible for you add some more information or clarity to this answer? – Drawbar 17/6, 2021 at 8:57

Recommended topics

Hot tags