
Protect SQLite DB with password

I am working on an Android project in which I would like to prevent users from getting to the content of my app database.

There are 3 ways I think, but I don't know which one is the best and don't have any idea about how they should work.

My problem is I don't know which way is the best and how it works.

  1. Encrypt all text and data to DB and decrypt when I want to use it!
  2. Encrypt whole database and decrypt when app needs it.
  3. Use 3rd-party libraries like SQLCipher.

> I am working on an Android project in which I would like to prevent users from getting to the content of my app database

If it is on the user's device, it is the user's database, not yours. It would only be your database if it is on your hardware.

> My problem is I don't know which way is the best and how it works.

All are ineffective for trying to prevent the user from accessing the user's data.

Your database should be on internal storage, the default location for SQLite databases. Most users cannot access internal storage to get at the database. The only ones who can are the ones that root their devices. Anyone with the skills and interest to both root their device and try to get at the database in your app will have the skills and interest to either:

  1. Reverse-engineer your app to find your encryption algorithm and key, or

  2. Upload the database somewhere and convince somebody else to reverse-engineer your app to find your encryption algorithm and key

If you do not want the user to have access to the database, do not put it on their device. Access it via Web services from a server of yours.

Tools like SQLCipher for Android are for defending the user's data against attacks. They are not effective as a DRM solution.

If you're going to encrypt the data at all, for goodness' sake, use a tested existing library instead of doing it badly yourself! For example, the author of SQLite itself sells an encryption extension (it's used in things like medical information systems), and there are a few other possible solutions too. (I googled for sqlite encryption and I'm sure you can too!)

However, be aware that holding both the encrypted data and the key to decrypt the data on the same non-trusted device is always likely to be troublesome; it's the DRM problem (i.e., you've put everything the user really needs to break things on the user's kit, and the user is relatively hostile). You should think about your application architecture; Android devices tend to be fairly well connected, so you can see if keeping the DB on a server somewhere that you control and only feeding little bits to the app (which it might cache, or not) is suitable instead.
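The server-side arrangement both answers recommend, sketched as an added example (not code from the original posts): the SQLite file and the secret stay on the server, and the app receives one entitled record per authenticated request. The table names, the HMAC token scheme and the per-user quota are assumptions chosen for illustration.

```python
import hashlib
import hmac
import sqlite3

SERVER_SECRET = b"constructed-demo-secret"  # assumption: held only on the server
MAX_FETCHES = 2                             # assumption: small per-user quota for the demo


def issue_token(user: str) -> str:
    """Token handed out after login; the client never sees SERVER_SECRET."""
    return hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample database that never leaves the server."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE entries (id INTEGER PRIMARY KEY, body TEXT);
        CREATE TABLE entitlements (user TEXT, entry_id INTEGER);
        CREATE TABLE fetch_log (user TEXT, entry_id INTEGER);
    """)
    db.executemany("INSERT INTO entries VALUES (?, ?)",
                   [(1, "lesson one"), (2, "lesson two"), (3, "lesson three")])
    db.executemany("INSERT INTO entitlements VALUES (?, ?)",
                   [("alice", 1), ("alice", 2), ("alice", 3), ("bob", 1)])
    return db


def fetch_entry(db, user, token, entry_id):
    """Return one entry body, or None if the request is not allowed."""
    # Constant-time comparison of the presented token with the expected one.
    if not hmac.compare_digest(token.encode(), issue_token(user).encode()):
        return None
    # Quota: one client cannot page through the whole table.
    used = db.execute("SELECT COUNT(*) FROM fetch_log WHERE user = ?",
                      (user,)).fetchone()[0]
    if used >= MAX_FETCHES:
        return None
    # Parameterized query; only rows the user is entitled to can match.
    row = db.execute(
        "SELECT e.body FROM entries e JOIN entitlements t ON t.entry_id = e.id "
        "WHERE t.user = ? AND e.id = ?", (user, entry_id)).fetchone()
    if row is None:
        return None
    db.execute("INSERT INTO fetch_log VALUES (?, ?)", (user, entry_id))
    return row[0]
```

Whatever the app caches from these responses is on the user's device again, so the quota bounds how much any one client can accumulate rather than protecting records already delivered.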
