1. Sqlite database security
http://stackoverflow.com/questions/3140230/sqlite-database-security
encrypt the data,SQLCipher for Android,send sensitive data back to the server,
If the user roots their phone, they can basically do what they want.
2.How secure are SQLite and SharedPreferences files on Android?
http://stackoverflow.com/questions/3608883/how-secure-are-sqlite-and-sharedpreferences-files-on-android
Is it possible for someone to grab them in any way?
That depends on the someone. As Mr. Burov indicates, users of rooted phones can get at whatever they want. Ordinary users and other applications can't, by default.
It's the not normally accessible part giving me additional grey hair :)
By default, files are secure. You can make them world-readable or world-writable if you choose.
Wouldn't it be possible to decompile apk file and find encryption key as well in that case?
That depends on who you are defending against. If you are defending against other apps, have the user supply the encryption key. If you are defending against the user, you're screwed, just as all implementations of DRM are screwed.
3.Encrypt Your Sensitive Data
http://www.androidsecurity.guru/category/sqlite/
SQLCipher for databases,IOCipher (based on SQLCipher) for files
4.Security Tips
http://developer.android.com/training/articles/security-tips.html
The most common problems are buffer overflows, use after free, and off-by-one errors. Android provides a number of technologies like ASLR andDEP that reduce the exploitability of these errors, but they do not solve the underlying problem.
Dynamic, string based languages such as JavaScript and SQL are also subject to input validation problems due to escape characters andscript injection.
If you are using data within queries that are submitted to an SQL database or a content provider, SQL injection may be an issue. The best defense is to use parameterized queries, as is discussed in the above section aboutcontent providers. Limiting permissions to read-only or write-only can also reduce the potential for harm related to SQL injection.
5.How to escape unsupported character in SQLite on Android?
|
You can utilize the commons-lang utility or you can use a regexp to handle it.
If you're building dynamic SQL, what I would suggest is trying to use a prepared statement which would eliminate the need for escaping single quotes.
Using just a dynamic SQL built using string concatenation:
String value = "one's self";
StringBuilder query= new StringBuilder();
query.append("insert into tname(foo) values (").append(value).append(")");
... execute call with query.toString() ...
Change that to
String value = "one's self";
value= DatabaseUtils.sqlEscapeString(value);
StringBuilder query= new StringBuilder();
query.append("insert into tname(foo) values (").append(value).append(")");
... execute call with query.toString() ...
Ideally, use a prepared statement
String value = "one's self";
StringBuilder query= StringBuilder();
query.append("insert into tname(foo) values (?)");
SQLiteStatement stmt= db.compileStatement(query.toString());
stmt.bindString(1, value);
long rowId= stmt.executeInsert();
// do logic check for > -1 on success
This way you don't run into "SQL injection attacks".
Refer to http://developer.android.com/reference/android/database/sqlite/SQLiteStatement.html for more information.
EDIT I did a little more digging, you can use DatabaseUtils.sqlEscapeString(String) to escape the content of a string so that it is valid for a complete SQL statement with no prepares.
|
6.Queries with prepared statements in Android?
|
a prepared statement allows you to do two things
- speed up the performance since the database does not need to parse the statement each time
- bind & escape arguments in the statement so you are save against injection attacks
|