Android: How Safe Is Database Packed With Application
Solution 1:
Local databases and your APK file can easily be read on any rooted device. This tool can even decompile your resources, as explained in this YouTube tutorial (I never tried that myself, actually).
So you would have to store your data encrypted in your database and decrypt it from your application code to be sure that no one can access it by simply getting the database from the data directory of his device.
You shouldn't put your sensitive data (like passwords etc.) in the resource folder, because it can be decompiled; put it in your code.
Now some words about your JSON API. Hiding the URL is not enough, since the user can easily track your requests with a sniffer and get it anyway. You should provide an authentication mechanism to protect against unauthorized access and also protect your communication with SSL. (E.g. using HTTP authentication only makes sense when your server provides SSL.)
These are the things you should think about, and then decide yourself how sensitive your data actually is.
Solution 2:
As far as I understand, you're going to:
- Pack the initial DB in your APK file (say in the res/asset folder)
- During the first run, explode the DB file from res/asset into the application data folder
- Then, from time to time, fetch data into the DB from a website/web service
In this case there are basically 2 vulnerabilities (I mean for stored data):
- The initial DB image, since it's packed with the APK (which in real life is just a ZIP archive), so anyone can unpack it and see what's packed in your DB
- The DB file stored in the application data folder (usually /data/data/MY_APPLICATION_PACKAGE/databases). This folder is accessible on a rooted device, so again your data can easily be screened
The only option to be secure is to encrypt your database content. The easiest way to do it is to store sensitive data in BLOBs (in the form of XML or JSON) and encrypt/decrypt those BLOBs after/before actual usage of certain records.
I personally did it myself in my app, and it works well.
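The encrypt-after-use / decrypt-before-use BLOB pattern described above, as an added example written in Go rather than Android Java (it is not code from the original post). `Record`, `Vault` and the binding of the row id as associated data are my own assumptions; the key is assumed to be obtained at runtime (user passphrase or Android Keystore) rather than bundled with the APK, and the byte slice returned by `Seal` is what would go into the BLOB column.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Record is the sensitive payload stored as one encrypted JSON BLOB per row.
type Record struct {
	Username string `json:"username"`
	APIToken string `json:"api_token"`
}

// Vault holds one AES-GCM key, supplied at runtime (Keystore or passphrase), never from the APK.
type Vault struct{ aead cipher.AEAD }

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Vault{aead: aead}, nil
}

// Seal encrypts rec for storage; the row id is bound as associated data, so a
// blob moved to another row fails to decrypt. Layout: nonce || ciphertext || tag.
func (v *Vault) Seal(rowID string, rec Record) ([]byte, error) {
	plain, _ := json.Marshal(rec) // cannot fail for a plain struct
	nonce := make([]byte, v.aead.NonceSize()) // fresh random nonce per blob
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plain, []byte(rowID)), nil
}

// Open reverses Seal; tampering, truncation, a wrong key or a row-id mismatch yields an error.
func (v *Vault) Open(rowID string, blob []byte) (rec Record, err error) {
	n := v.aead.NonceSize()
	if len(blob) < n {
		return rec, errors.New("blob too short")
	}
	plain, err := v.aead.Open(nil, blob[:n], blob[n:], []byte(rowID))
	if err != nil {
		return rec, err
	}
	return rec, json.Unmarshal(plain, &rec)
}
```

Because GCM authenticates the ciphertext, a blob that has been edited on a rooted device or copied between rows is rejected at `Open` instead of being silently accepted as valid data.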
Solution 3:
Check these links for protecting your APK file from decompilation:
How to make an APK secure. Protecting from decompilation
Protecting an Android APK to prevent decompilation, network sniffing, etc.