How to secure SQLITE DATABASE in android?

Question

currently I am developing an android app which stores user's important data such as passwords,cards numbers,websites usernames and passwords, etc. I jsut decided to use SQLITE DB so that user's data can reside in their own mobile as well as I am planning to implement AES-256 ALGORITHM(SQLCiper) in order to provide encryption to data using a key. But My concern is how much it will work and what will happen if some one do reverse engineering or rooting?

Please Help me to get clarity on this.

Thanks in advance.

Answer 1

It won't work at all. Sure, you can encrypt the database. But where's the encryption key? Its in your app. Minor reverse engineering will get the key.

So you decide to make the key a random string and store it in secure storage. That's stronger... but then I compile a custom OS using AOSP and overwrite the secure storage functions to also log the data stored to disk. You've put up a roadblock, nothing more.

So you decide to keep the key on the server and send it down as part of an https request, only ever keeping it in memory. Now I need to do some serious reverse engineering. You'll block script kiddies, but not experiences reverse engineers.

How do you actually keep your data safe? Don't put it on the client at all. Then its perfectly safe. You now have to secure the protocol between the client and server of course. And don't give the client any data he shouldn't use- if you have info on all your users, only put the info for this user in the client side db.

Basically, you aren't going to keep data secret from an authorized user. You can at most put up a few speed bumps. Decide how secret the data actually is, who you expect as an attacker (bored high school kid? Experienced reverse engineer? Nation states?) and use that to figure out how much effort to put into it, and where the data should be stored.