I have created an informational android app where we manually entered lots of data using our resources.It uses sqlite database.
I know it virtually impossible to protect the database 100% but I want to make it difficult so that every tom,dick or harry does not just runs a reverse engineering software in apk and get the database and create a new app or use it as a part of their app(information is found every where but our data entry effort is all wasted)
So, How can we protect our database?
I saw some SQLCipher and some other libraries.
But I found that actually the password are hard-coded in java files which can be easily reversed engineered and will be available. So,I am not understanding how it really protects rather than adding just another easy to crack layer.They will just get password from file and open that database. Plus it is increasing the application size as well.
So how does it really protect from real thief?
Am I missing something?
I just want to protect my database(even not bothered much about code for now).
Any help or suggestions?
Thank you.
SqlCipher, this will might work in your case and best security provide
Related
I have an application that use a .properties data containing password from DB, this application will be used by my client but I don't want to give him any kind of access to this properties data, not even if we look in the .jar. I thought to use zip4j but is there any another best solution for this because when I unzip it the .properties will be decompressed somewhere giving the client access to it doesn't it??
This cannot be done. Just forget about this idea and re-think your system.
You can't provide read access not providing read access at the same time.
This is a wet dream of legal depts in the media industry. They invest piles of money in solving this insolvable problem with DRM that never works, but annoys everybody.
You can make it more annoying to extract the data - using various obfuscation techniques - but that's all.
One of those ideas is to encode the passoword in C++ library and link it via JNI. Then the user cannot extract it without disassembling the binary file, but will be able to make memory dump at runtime anyway.
You can read the password from central server at runtime. You can use one-time passwords for that. Again, this is futile if the user has modest technical skills, as you can still request the server for the password using curl or some simple script.
You can use hardware access-token that will allow connection to the database (smart-card or something). This was quite popular technique in '90.
All you can do is to add some level of annoyance which will stop non-technical person. With enough money you can build some decent DRM that will stop technical-savvy people for a while, but I seriously doubt it's worth the money.
If the database access is so precious that you can't give the user access to it, yet he needs it, your design is broken.
By default Shared Preferences on Android are being able to be deleted by phone setup. Is it possible to block this ?. Basically i would like to store a Shared Preference as defined on Android documentation but not to allow to delete them by any reason. Ie Phone Setup, App update nor App uninstall. If this is not possible, which storage mechanism would you suggest to do this. I need to store is primitive data mostly.
I am making an application where I need to collect certain data from user and ensure he will have just one opportunity to provide it, otherwise she would be cheating. I agree, best option is to store the data provided on my server but that approach would not work if user turn off internet. I understand both requirements might be very difficult to meet.
It is possible to delete any data stored on the phone.
Shared preferences and files not saved to the SD card will be deleted when the app is uninstalled.
Files saved to the SD card will persists after uninstall, however, the user will have access to read, over-write, and delete these files at will.
If you need truly permanent storage the best way forward would be to store the data remotely on a server that you control.
What you're suggesting of doing sounds dangerous to me.
Bear in mind that when you're programming, you're programming within a certain environment. The operating system will restrict aspects of what you can and can't do, to keep consistency across applications, provide security etc.
If you're wanting to use shared preferences as a means of providing trials for applications, or some other registration-related issue, I don't know what the framework is on Android, but I believe there's more secure ways of doing it.
For those which are not familiar with password safe app types its simply an app that stores passwords or other sensitive data.
I haven't been ancrypting in java yet. I came up with 2 solutions after a research.
1) Using an SQLite database and somehow encrypt that (I've read that might be problematic, cause troubles with acquiring data and might require some custom libs)
2) Using serialized objects stored into encrypted files (sounds reasonable, however acquiring data won't be that comfy as from a database)
What is very important: I must have easy way for backing up data. On SD card for example. It would be easy if it comes to database. Dont know about serialized encrypted objects though...
Which one you think is better?
Definitely option 1.
You might want to consider this project (source available), it does exactly what you want using AES Encryption.
First solution is better anyway. There must be no problems if you do it right and spent some time for researching and testing!
Can`t give you direct link, but this method was used in many of my projects.
I've been thrown in at the deep end a bit here, as I never expected I would have to do something like this and I have no idea where to start; so I'm helping somebody will be able to help me (ideally by providing some java code)...
In my effort to protect my Java software from piracy I have found that it is completely impossible unless I continusely check online - so thats what I want to do. Only, the only details I know are that, my program needs to communicate with some sort of script online and verify the licence key the program is using and then report back accordingly.
However, that's all I know - I am still stuck as to what the server side actually consists of. I'm hoping that the fact I am not hosting the website myself (an using JustHost) will not stop me from being able to do what I need.
So basically, I would like some help in creating a setup that allows my prevent anyone from pirating my software while connected to the internet. I though about having something like a login system; the users licence key would act as a username and password, but to be honest I really have no idea because if I did it that way would have to manually login and logout each time they wanted to use the software.
And not to run before I can walk but what happens when the user is not connected to internet? Even worse, how do I tell if somebody has stealed an legitamate users licence key? etc.
Thanks in Advance,
Andy
PS If it helps, I plan to use PostgreSQL (or maybe MySQL) and I am not paying for a dedicated server with JustHost.com...
Once your code is on their machine they can modify to simply ignore your checks. You can make it as hard as possible but it will never be hack proof.
In general your question is identical to this one which has some good discussion.
Try to delegate part of your business logic to server side. This way some core processes can not complete unless the application license is valid. Of course, if you have some logic that can be delegated. If your application is client-only than this approach is a bad choice.
If your application will be sold for a lot of money, try implementing solution using HASP key approach (which is investment by itself) instead of server authentication I understand this is not what you asked, I am just giving another idea.
try to create security by obfuscation/encryption and you will fail if your application becomes popular, since there will always be someone who will crack it in 5 minutes :(
First of all, I'm sorry for a long explanation.
I need to develop a desktop app that will enable users to enter patients lab results for tracking diabetes treatment.
I usually code in php/mysql, but I'm not allowed to use it (my first choice was to use LAMP / XAMPP, but was told not to do so). I was told to use MS Access, as the easiest tool, but since I've never used it before, it gave me a lot of headache. Its wizards are great, but I needed to use data from several tables in my forms, and was simply unable to efficiently do so.
So, here is my question: What sort of db can I use with Java to create such an Application? As I said, I'm most comfortable with PHP/MYSQL combination, but during my studies I also used Java quite a lot. If I could find some sort of 'template' for such an application, I could probably create this easily.
I found this http://netbeans.org/kb/docs/java/gui-db.html using google. How complicated is this?
I need to create this ASAP, since I need to get this App to a team of medical staff, since I need this data to use as datasets for my MSc thesis (related to case based reasoning). I'm really behind schedule here :). And someone will probably break my neck if I don't develop it in a few days and start working on a theoretical part of my thesis.
Thank you in advance.
Okay, this one is near and dear having just been diagnosed as pre-diabetic.
What's not completely clear from your description is if you are keeping a separate database for each instance of the app, or are you sharing the data in one big remote database?
And how much data are you expecting?
If it's just for each instance, then any old database will work; the lightest weight one is actually probably sqlite3, but since you're in a hurry and used to LAMP, mysql will certainly work.
For remote data, go with mysql.
Either way around, there are plenty of ways to connect to the database, most all of them based on JDBC. It seems like you basiucally need two tables: patient, and labs. Patient will be something like <name,dob,ssan,address>, and labs something like <ssan, labtype, value, units>. SSAN would be the key and a record would be something like
123-45-6789|A1C| 6.0|pct glucolated
In that case, I'd just make the tables, have two forms with the data, and don't try for anything too fancy.
Update
Okay, from your comments, yes, either use Derby or just use text files. Do you need any particularly complicated queries? In the Old Days we would just have made something like a CSV file and read it into memory.
Oh, and look into Java Web Start for distributing the app.
You can use Java to connect to a database via JDBC. Check out this tutorial. http://download.oracle.com/javase/tutorial/jdbc/index.html. You can use mySQL as your database. You can also use embedded databases such as derby which don't require an external database application.
Here are 2 tutoriala how to build CRUD application on top of the NetBeans Platform (a Swing-based RCP):
http://platform.netbeans.org/tutorials/nbm-maven-crud.html
http://platform.netbeans.org/tutorials/nbm-crud.html