Android
nicolausYes, 2013-02-23 15:12:57

Database protection (encryption of the database, content, etc.)?

I have a fairly popular Android app with an offline story database. The database is not protected in any way at the moment; the stories in it are plain UTF-8.
The stories are put into the database using a small C# program.
The application is distributed for free. There is advertising, but only on the page with the list of stories; there are no ads on the reading page itself.
1. However, some people prefer to rip out the database and read the stories through other means.
2. In addition, I have started porting the application to iOS, and I'm afraid that someone will do it before me, having stolen my database.
In anticipation of the release of the new version, I want to protect the database.
How do you recommend doing this? Since I am the one who puts the content into the database, can I encrypt it with some kind of fast algorithm and decrypt it in the application? That will not help against the especially curious, though. Nevertheless, information about such a method will be useful (algorithm selection, etc.).
What are the effective ways to protect the database?


3 answer(s)
MikhailEdoshin, 2013-02-24
@MikhailEdoshin

There are encryption tools for sqlite. They are not in the usual distribution, but they exist, and some are even free, like sqlcipher. (There, the author asks for money for the binaries but gives the code away, so it's quite possible to build it yourself with a little tinkering.)

deadkrolik, 2013-02-23
@deadkrolik

It seems to me that real protection is impossible here; all you can do is make things much more complicated. A tough variant of complication came to my mind, which, by the way, can scare away users:
There is no database in the application itself. On installation, each client generates a more or less unique client ID (or it is generated on the server, it doesn't matter). At first start, the program requests the database from the server and reports its ID. The server records the mapping: client ID - private_key - public_key. Using the public key, the server encrypts the database and gives it to the client. Then, every time it is launched, the program contacts the server and, by its ID, receives the private key, which is kept in memory while the program is running and with which the database can be decrypted.
But, you understand, this requires the Internet at startup. Or, if Android allows it, some kind of shared in-memory storage where you can put your data while the program is unloaded from memory and take it from there. After all, phones are rarely turned off, and such a thing can live without the Internet for a long time. And run everything over https, so that it is more difficult to figure out the scheme.

asm0dey, 2013-02-23
@asm0dey

It seems to me the most trivial way is to simply serialize Java objects into a file.
If you need more protection, then you can do this:
1) serialize to a file (binary)
2) encrypt the file using, for example, AES, into another file
3) delete the original file.
When the application starts, it decrypts the encrypted file, then deserializes it. Anything can be used as the AES key, such as a MAC address or whatever you have access to, as long as it is unique to the device.
And of course, encrypt the application with ProGuard, so that it is more difficult to pull out this logic.
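
The steps from the answer above, as an added Java sketch that is not code from the thread: the object is serialized, encrypted with a key derived from a per-device value, and decrypted and deserialized on load. The choice of AES-GCM and PBKDF2, the class name `StoryStore`, and the `deviceId` and salt values are assumptions; serialization happens in memory, so no plaintext file needs deleting. Because the key is derived from values the app itself can read, this raises the effort of copying the file but does not stop someone who decompiles the app, as the question already notes.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.io.*;
import java.nio.ByteBuffer;
import java.nio.file.*;
import java.security.SecureRandom;
import java.util.*;

public class StoryStore {
    // Assumption: deviceId is any per-device value the app can read; salt is a constant shipped with the app.
    static SecretKeySpec deriveKey(String deviceId, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(deviceId.toCharArray(), salt, 10000, 256);
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        return new SecretKeySpec(k, "AES");
    }

    // Serialize in memory, encrypt, write IV || ciphertext+tag; plaintext never touches disk.
    static void save(Serializable stories, Path out, SecretKeySpec key) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) { oos.writeObject(stories); }
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);                 // fresh IV for every save
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(buf.toByteArray());
        Files.write(out, ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array());
    }

    // Decrypt first; the GCM tag is verified before any byte reaches the deserializer.
    static Object load(Path in, SecretKeySpec key) throws Exception {
        byte[] all = Files.readAllBytes(in);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, all, 0, 12));
        byte[] plain = c.doFinal(all, 12, all.length - 12); // AEADBadTagException on wrong key or tampering
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(plain))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = "constructed-app-salt".getBytes("UTF-8");  // constructed sample value
        Path file = Files.createTempFile("stories", ".bin");
        ArrayList<String> stories = new ArrayList<>(Arrays.asList("Story one", "Story two")); // constructed
        save(stories, file, deriveKey("device-A", salt));
        System.out.println(load(file, deriveKey("device-A", salt))); // same device ID: round-trips
        try { load(file, deriveKey("device-B", salt)); }
        catch (AEADBadTagException e) { System.out.println("other device ID: decryption rejected"); }
    }
}
```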
