Welcome to this series of articles about Android security and how you can greatly improve the protection of your users’ privacy by implementing 3 things that offer a great effort/safety ratio.
Today we are going to look at protecting the Room database. Under the hood, Room is backed by SQLite, and the database file is saved without encryption, which can expose your users’ data, for instance on a rooted device.
Prerequisites
Minimum SDK: 16 (Android 4.1 Jelly Bean)
Add Room and SQLCipher to your Gradle build file.
implementation "androidx.room:room-runtime:$room_version"
kapt "androidx.room:room-compiler:$room_version"
// optional - Kotlin Extensions and Coroutines support for Room
implementation "androidx.room:room-ktx:$room_version"
implementation "net.zetetic:android-database-sqlcipher:$sqlcipher_version@aar"
How SQLCipher works
SQLCipher adds an encryption layer to SQLite. The encryption is pretty strong, using AES-256, a standard in the industry.
The developer has to provide a Master Key that will be used to encrypt the data. It is the developer's responsibility to protect and secure the Master Key (it could, for instance, be built from userID + salt + hash).
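The following Kotlin sketch is an added example, not code from the original article: it builds a Master Key from userID + salt + hash and hands it to Room through SQLCipher's SupportFactory. The names PREFS, SALT_KEY, loadOrCreateSalt, deriveKey and openEncrypted are hypothetical, and the choice of PBKDF2 as the hash step, the iteration count and storing the salt in SharedPreferences are assumptions of this example.

```kotlin
import android.content.Context
import android.util.Base64
import androidx.room.Room
import androidx.room.RoomDatabase
import net.sqlcipher.database.SupportFactory
import java.security.SecureRandom
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec

// Hypothetical names used only by this example.
private const val PREFS = "db_key_prefs"
private const val SALT_KEY = "db_salt"

// Load the per-install random salt, creating it on first use.
// The salt is not secret; it makes the derived key unique per install.
private fun loadOrCreateSalt(context: Context): ByteArray {
    val prefs = context.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
    prefs.getString(SALT_KEY, null)?.let { return Base64.decode(it, Base64.NO_WRAP) }
    val salt = ByteArray(16).also { SecureRandom().nextBytes(it) }
    prefs.edit().putString(SALT_KEY, Base64.encodeToString(salt, Base64.NO_WRAP)).apply()
    return salt
}

// userID + salt + hash: PBKDF2 is the hash step chosen for this example.
// PBKDF2WithHmacSHA1 is used because it is available at minimum SDK 16.
private fun deriveKey(userId: String, salt: ByteArray): ByteArray {
    // 100_000 iterations and a 256-bit output are assumed values.
    val spec = PBEKeySpec(userId.toCharArray(), salt, 100_000, 256)
    try {
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
            .generateSecret(spec).encoded
    } finally {
        spec.clearPassword() // wipe the char[] copy of the user ID
    }
}

// Build a Room database whose SQLite file is encrypted by SQLCipher.
fun <T : RoomDatabase> openEncrypted(
    context: Context, dbClass: Class<T>, dbName: String, userId: String
): T {
    val passphrase = deriveKey(userId, loadOrCreateSalt(context))
    return Room.databaseBuilder(context.applicationContext, dbClass, dbName)
        .openHelperFactory(SupportFactory(passphrase)) // SQLCipher replaces the default SQLite helper
        .build()
}
```

The same userID and stored salt must be available on every launch, since a different derived key cannot open the existing database file.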