I don't believe the sqlite in Android supports database encryption; unless that's wrong, your main option is to encrypt the data you put in your database. That's less than ideal though, since it makes it difficult (or impossible) to perform queries that have typical clauses. Another option, probably not very attractive, is to get one of the several sqlite encryption source packages and roll your own sqlite engine using the NDK -- this would remove Android's API from you unless you recreated it on top of your native interface.

As to password recovery, something you can consider: at the time you establish the password, also establish a single use recovery password (pseudo-randomly generated). On your website, if the user answers your challenge correctly (answering their personal question, etc.), provide them the single use recovery password. In your application, if the password provided does not match correctly, see if it matches the recovery password and, if it does, simply remove the password protection (and perhaps go into the activity that allows the user to establish a new password -- this is where your single use recovery password would get generated, and provide details on it to your server).

On Apr 23, 8:10 am, Kumar Bibek <[email protected]> wrote:
> Well, if the phone is rooted, then anyone can peek into your DB. If
> you store it in simple text, you are at the hacker's mercy.
>
> The passwords should be stored in the DB/file after encryption. That
> will give you some degree of safety.
>
> As per sending a mail with the password, that's a tricky one. If
> possible, you can have an option of password re-generation and show it
> on the device itself if you are not comfortable with sending out a
> mail. It would be very difficult for a hacker to decrypt your
> security question and answer as well. But it's still doable.
>
> Maybe, you can use different encryption techniques for password,
> security question and answer.
>
> Thanks and Regards,
> Kumar Bibek
>
> On Apr 23, 1:59 am, Bryan <[email protected]> wrote:
> > I have been searching on Google for information regarding application
> > passwords and SQLite security for some time, and nothing that I have
> > found has really answered my questions.
> >
> > Here is what I am trying to figure out:
> >
> > 1) My application is going to have an optional password activity that
> > will be called when the application is first opened. My questions for
> > this are a) If I store the password via android preference or SQLite
> > database, how can I ensure security and privacy for the password, and
> > b) how should password recovery be handled?
> >
> > Regarding b) from above, I have thought about requiring an email
> > address when the password feature is enabled, and also a password hint
> > question for use when requesting password recovery. Upon successfully
> > answering the hint question, the password is then emailed to the email
> > address that was submitted. I am not completely confident in the
> > security and privacy of the email method, especially if the email is
> > sent when the user is connected to an open, public wireless network.
> >
> > 2) My application will be using an SQLite database, which will be
> > stored on the SD card if the user has one. Regardless of whether it
> > is stored on the phone or the SD card, what options do I have for data
> > encryption, and how does that affect the application performance?
> >
> > Thanks in advance for time taken to answer these questions. I think
> > that there may be other developers struggling with the same concerns.
> >
> > --
> > You received this message because you are subscribed to the Google
> > Groups "Android Developers" group.
> > To post to this group, send email to [email protected]
> > To unsubscribe from this group, send email to
> > [email protected]
> > For more options, visit this group
> > at http://groups.google.com/group/android-developers?hl=en
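
The single-use recovery password flow described in the reply above, as an added example that is not code from the thread. The class name `AppLock`, the salted PBKDF2 storage, the iteration count and the sample strings are this example's assumptions; `PBKDF2WithHmacSHA256` needs Java 8 or Android API 26.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical class; state is held in memory here, an app would persist the salts and hashes.
public class AppLock {
    public enum Result { UNLOCKED, RECOVERED_SET_NEW_PASSWORD, DENIED }
    private static final SecureRandom RNG = new SecureRandom();
    private byte[] pwSalt, pwHash, rcSalt, rcHash;

    // Salted PBKDF2 hash, so a copied preference file or database row does not reveal the secret.
    private static byte[] derive(char[] secret, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(secret, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    private static byte[] randomBytes(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }

    // Sets the password and returns a fresh single-use recovery code for the caller to
    // send to the server once; only its salted hash stays on the device.
    public String setPassword(char[] password) throws Exception {
        pwSalt = randomBytes(16);
        pwHash = derive(password, pwSalt);
        StringBuilder code = new StringBuilder();
        for (byte b : randomBytes(10)) code.append(String.format("%02x", b));
        rcSalt = randomBytes(16);
        rcHash = derive(code.toString().toCharArray(), rcSalt);
        return code.toString();
    }

    public Result unlock(char[] attempt) throws Exception {
        if (pwHash == null) return Result.UNLOCKED; // password protection is optional and off
        if (MessageDigest.isEqual(derive(attempt, pwSalt), pwHash)) return Result.UNLOCKED;
        if (MessageDigest.isEqual(derive(attempt, rcSalt), rcHash)) {
            pwHash = rcHash = null; // protection removed; the used code can never match again
            return Result.RECOVERED_SET_NEW_PASSWORD;
        }
        return Result.DENIED;
    }

    public static void main(String[] args) throws Exception {
        AppLock lock = new AppLock();
        String code = lock.setPassword("correct horse".toCharArray()); // constructed sample values
        System.out.println(lock.unlock("wrong guess".toCharArray()));
        System.out.println(lock.unlock(code.toCharArray()));
        lock.setPassword("new password".toCharArray()); // new password, new recovery code
        System.out.println(lock.unlock(code.toCharArray())); // the old code is tried again
    }
}
```

Because each `setPassword` call replaces the stored recovery hash, a code released by the website stops working as soon as it has been used or a new password is set.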

