Android sqlite security web bookmarks

1. Sqlite database security

http://stackoverflow.com/questions/3140230/sqlite-database-security

Summary of the answers: encrypt the data; use SQLCipher for Android; send sensitive data back to the server.

If the user roots their phone, they can basically do what they want.

2. How secure are SQLite and SharedPreferences files on Android?

http://stackoverflow.com/questions/3608883/how-secure-are-sqlite-and-sharedpreferences-files-on-android

Is it possible for someone to grab them in any way?

That depends on the someone. As Mr. Burov indicates, users of rooted phones can get at whatever they want. Ordinary users and other applications can't, by default.

It's the not normally accessible part giving me additional grey hair :)

By default, files are secure. You can make them world-readable or world-writable if you choose.

Wouldn't it be possible to decompile apk file and find encryption key as well in that case?

That depends on who you are defending against. If you are defending against other apps, have the user supply the encryption key. If you are defending against the user, you're screwed, just as all implementations of DRM are screwed.

3. Encrypt Your Sensitive Data

http://www.androidsecurity.guru/category/sqlite/

SQLCipher for databases, IOCipher (based on SQLCipher) for files

4. Security Tips

http://developer.android.com/training/articles/security-tips.html

The most common problems are buffer overflows, use after free, and off-by-one errors. Android provides a number of technologies like ASLR and DEP that reduce the exploitability of these errors, but they do not solve the underlying problem.

Dynamic, string based languages such as JavaScript and SQL are also subject to input validation problems due to escape characters and script injection.

If you are using data within queries that are submitted to an SQL database or a content provider, SQL injection may be an issue. The best defense is to use parameterized queries, as is discussed in the above section about content providers. Limiting permissions to read-only or write-only can also reduce the potential for harm related to SQL injection.

5. How to escape unsupported character in SQLite on Android?


You can utilize the commons-lang utility or you can use a regexp to handle it.

If you're building dynamic SQL, what I would suggest is trying to use a prepared statement which would eliminate the need for escaping single quotes.

Using just a dynamic SQL built using string concatenation:

String value = "one's self";
StringBuilder query= new StringBuilder();
query.append("insert into tname(foo) values (").append(value).append(")");
... execute call with query.toString() ...

Change that to

String value = "one's self";
value = DatabaseUtils.sqlEscapeString(value);   // wraps in quotes and escapes embedded ones
StringBuilder query = new StringBuilder();
query.append("insert into tname(foo) values (").append(value).append(")");
... execute call with query.toString() ...

Ideally, use a prepared statement

// db is an open SQLiteDatabase
String value = "one's self";
StringBuilder query = new StringBuilder();
query.append("insert into tname(foo) values (?)");
SQLiteStatement stmt = db.compileStatement(query.toString());
stmt.bindString(1, value);   // bound as data, never parsed as SQL text
long rowId = stmt.executeInsert();
// do logic check for > -1 on success (executeInsert returns -1 on error)

This way you don't run into "SQL injection attacks".

Refer to http://developer.android.com/reference/android/database/sqlite/SQLiteStatement.html for more information.

EDIT: I did a little more digging, you can use DatabaseUtils.sqlEscapeString(String) to escape the content of a string so that it is valid for a complete SQL statement with no prepares.

6. Queries with prepared statements in Android?

http://developer.android.com/reference/android/database/sqlite/SQLiteStatement.html#execute()


A prepared statement allows you to do two things:

  • speed up the performance since the database does not need to parse the statement each time
  • bind & escape arguments in the statement so you are safe against injection attacks
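The three variants from items 5 and 6, as an added example that is not from the quoted answers: Python's sqlite3 module stands in for Android's SQLiteDatabase/SQLiteStatement, and the local sql_escape_string helper does what DatabaseUtils.sqlEscapeString does (assumption: wrap the value in single quotes and double every embedded one). It shows plain concatenation failing on a legitimate apostrophe, while the escaped and the bound versions both store the value intact.

```python
import sqlite3

# Constructed sample value from the quoted answer: it contains a single quote.
VALUE = "one's self"

def sql_escape_string(value: str) -> str:
    """Local stand-in for DatabaseUtils.sqlEscapeString (assumption: wrap in
    single quotes and double every embedded single quote)."""
    return "'" + value.replace("'", "''") + "'"

def fresh_db() -> sqlite3.Connection:
    """In-memory SQLite database with the table from the quoted answer."""
    db = sqlite3.connect(":memory:")
    db.execute("create table tname(foo text)")
    return db

def insert_concatenated(db: sqlite3.Connection, value: str) -> bool:
    """The 'before' version: the raw value is spliced into the SQL text.
    Returns False when SQLite rejects the statement; the quote in VALUE
    breaks it, the same way an attacker-chosen value would alter it."""
    query = "insert into tname(foo) values ('" + value + "')"
    try:
        db.execute(query)
        return True
    except sqlite3.OperationalError:
        return False

def insert_escaped(db: sqlite3.Connection, value: str) -> int:
    """Escaped concatenation (the sqlEscapeString variant); returns the rowid."""
    query = "insert into tname(foo) values (" + sql_escape_string(value) + ")"
    return db.execute(query).lastrowid

def insert_bound(db: sqlite3.Connection, value: str) -> int:
    """Parameter binding (compileStatement + bindString): SQLite receives the
    SQL text and the value separately, so no escaping is needed at all."""
    return db.execute("insert into tname(foo) values (?)", (value,)).lastrowid

def stored_values(db: sqlite3.Connection) -> list:
    return [row[0] for row in db.execute("select foo from tname order by rowid")]

def demo() -> tuple:
    """Run all three against one database; only the last two store a row."""
    db = fresh_db()
    concat_ok = insert_concatenated(db, VALUE)
    escaped_rowid = insert_escaped(db, VALUE)
    bound_rowid = insert_bound(db, VALUE)
    return concat_ok, escaped_rowid, bound_rowid, stored_values(db)
```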
