We’ve recently updated our Android/Java application away from a SQLite DB to utilize SQLCipher; however, currently our approach is not acceptable from a security standpoint as we are storing the SQLCipher key within the app/on-disk.
We believe a much more suitable solution would be to store an encrypted version of the SQLCipher key on-disk that can only be decrypted with a user-supplied passphrase that is stored in-memory only and linked to the application login activity.
This way, if the app process dies or the phone reboots, it will be impossible for the app to decrypt the SQLCipher database without the user-supplied password.
There are some historic projects that achieved this, such as guardianproject/cacheword on GitHub (a password caching and management service for Android); however, I’m concerned there may be a more efficient way to do this since it’s been so long since that project has been updated.
If anyone has done something similar, please reach out; we are looking to pay generously for this help.