Many of my users have requested password protection for various data elements in my database. Unfortunately, one of my existing features is backing up the database to a public location (SD card) for data redundancy, so my database isn't secure.

So my question is two-fold.

  1. How can I encrypt or secure a database on Android?

  2. How can I store user-created passwords on the device in a secure, inaccessible way?

A: 

If you store data via the preference store, this data is only accessible to your application, if the Android system is valid (not rooted, etc.). Every app gets its own user for access to the file system, and therefore the underlying Linux system will prevent the other apps from reading these data stores.

I haven't worked with the preference manager yet; maybe you will find an answer on how to use it in the documentation.

If you need the password to log in to an external web app and can't simply store a hash of the password, there is a special mechanism, used for example for the Google authentications. You log in to the web app with username and password, and then the web app sends a security token to your device. This token can be saved and is valid for logging in for two weeks from this device. This can only work if you control some parts of the web app you are working with.

Janusz
The preference store is a simple key/value dictionary, not a suitable backing for a database. Besides, the database files created by SQLiteOpenHelper benefit from the same protection you described.
Segfault
If you store the passwords in the preference store, they are not stored in the DB, and the DB can be written to the SD card without security concerns.
Janusz
I still need to secure the database even if the passwords aren't in there. Some of the data in the database will be specifically password protected by those passwords, so even if they are stored somewhere else, the data they are protecting still needs to be protected.
CodeFusionMobile
+1  A: 

If you are using API version 5 or higher, you could integrate with the android.accounts.AccountManager.

Jared314
I'm on API 3. I could upgrade, but would lose too many users for a feature not everyone would use.
CodeFusionMobile
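
An added example, not posted by anyone in this thread: one way to make a backup copy safe to write to public storage without storing the password anywhere is to derive the encryption key from the password and keep only a random salt and IV next to the ciphertext. It is plain Java (JDK 8+); the class name `BackupCrypto`, the iteration count and the file layout are assumptions, and whether these algorithms are available on a given Android API level has to be checked for that platform.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;

public class BackupCrypto { // hypothetical helper class for this example
    static final int SALT_LEN = 16, IV_LEN = 12, ITERATIONS = 100_000; // assumed parameters

    // Derives a 256-bit AES key from the password (PBKDF2) and returns a ready AES-GCM cipher.
    static Cipher cipher(int mode, char[] pw, byte[] salt, byte[] iv) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, ITERATIONS, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c;
    }

    // Output layout: salt || iv || ciphertext+tag. Fresh salt and IV for every backup.
    static byte[] encrypt(char[] pw, byte[] plaintext) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(salt);
        new SecureRandom().nextBytes(iv);
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, pw, salt, iv).doFinal(plaintext);
        return ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct).array();
    }

    // Throws AEADBadTagException on a wrong password or a modified backup file.
    static byte[] decrypt(char[] pw, byte[] blob) throws GeneralSecurityException {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + IV_LEN);
        return cipher(Cipher.DECRYPT_MODE, pw, salt, iv).doFinal(blob, SALT_LEN + IV_LEN, blob.length - SALT_LEN - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        byte[] backup = "constructed sample row: note=secret".getBytes(StandardCharsets.UTF_8);
        byte[] blob = encrypt("correct horse".toCharArray(), backup);
        System.out.println(new String(decrypt("correct horse".toCharArray(), blob), StandardCharsets.UTF_8));
        try {
            decrypt("wrong guess".toCharArray(), blob);
        } catch (AEADBadTagException e) {
            System.out.println("wrong password or tampered backup rejected");
        }
    }
}
```

Because the GCM tag fails to verify under a wrong key, the password check and the integrity check of the backup are the same operation, and nothing derived from the password needs to be kept on the device.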