
How to store the key used in SQLCipher for android


Then how is your password safe from a hacker?

It's not. Hard-coding a passphrase makes for simple demonstrations, though.

Is there any correct way where I can store the password?

The user should supply the passphrase for the user's database via your UI. The user then stores the passphrase in the user's head, or perhaps you combine what's in the user's head with something else for lightweight two-factor authentication (e.g., MAC address of paired Bluetooth wearable).


I would like to suggest the following approach:

  • The first time you create the database you have to create a random password.
  • You store this password in the Keystore.
  • Whenever you open the app you read the password from the keystore and use it for connecting to the database.

So how does the keystore access work? See blog entry 1 and blog entry 2 and the corresponding GitHub repository. The solution is available for Android version 2.1 to 4.3.

Big caveats:

  1. The solution works only with private API access, so it might break in the future.
  2. A screen lock password is required to store keys and all keys are wiped if a user removes his lock screen password.


What is being overlooked is the fact that the demonstration given by SQLCipher is purely for demonstration. It is up to the imagination of the developer to overcome the obvious. Slightly less obvious is that you would NOT store the key in a private local variable, since performing a strings search against your class files could reveal your key, reducing the dictionary necessary in a successful brute force attack. Open your classes.dex in a hex editor and try it.

It isn't the .java files you should be concerned with, as only your developers should be in there. It's the .class files. The next level of effort is some effort of obfuscation, but that really only limits the impatient.

Take a look at this discussion: https://groups.google.com/forum/#!topic/sqlcipher/OkE0rUwXEb8