SQLCipher - Android - password constant is visible when decompiling the APK


#1

I have used SQLCipher to protect my application's local database. I have stored my db password as a constant like below:

private static final String dbPassword = "testing123";

After exporting my application as a signed APK, I decompiled the APK using a decompilation tool.

My password is visible in the decompiled files.

My question is:

How can we store the password phrase in a class so that it is not visible even after decompilation?

Based on the above steps, if a user is able to get my password, he can also get all the data from the local database. There is no security and no benefit in using SQLCipher.

What is the best way to store the password hidden inside the APK? Otherwise there is no use in using SQLCipher.

Kindly share your suggestions and solutions.

Thanks.


#2

Hello @Prakash_Muthaian_Anu,

It is not recommended that you store the password directly within the
binary of your application; as you just observed, it can be easily
decompiled and compromised.

The security requirements of an application will vary; however, you
should consider whether asking your user for a password would be an
acceptable solution.

Nick Parker
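To make the suggestion in the reply above concrete, here is an added example (not code from the original thread or from the SQLCipher project) of opening the database with a passphrase collected from the user at runtime instead of a compile-time constant. It assumes SQLCipher for Android with the `net.sqlcipher.database.SQLiteDatabase` API and its `char[]` passphrase overload of `openOrCreateDatabase`; the class name `SecureDbOpener`, the file name `app.db` and the caller that prompts the user are hypothetical.

```java
// Added example, not from the original thread. Assumes SQLCipher for Android
// (net.sqlcipher.database.SQLiteDatabase) and a caller that has just collected
// the passphrase from the user, e.g. from an EditText in a login dialog.
import android.content.Context;
import net.sqlcipher.database.SQLiteDatabase;
import net.sqlcipher.database.SQLiteException;

import java.io.File;
import java.util.Arrays;

public final class SecureDbOpener {
    private SecureDbOpener() {}

    // VULNERABLE pattern from the question: a constant lives in classes.dex,
    // so anyone who unpacks the APK can read it and open the database.
    // private static final String dbPassword = "testing123";

    // Hardened pattern: the passphrase arrives as a char[] from user input,
    // is handed to SQLCipher, and is scrubbed from memory afterwards. Nothing
    // here is a string literal, so decompiling the APK yields no key material.
    public static SQLiteDatabase open(Context context, char[] passphrase) {
        SQLiteDatabase.loadLibs(context);              // load native SQLCipher libraries
        File dbFile = context.getDatabasePath("app.db"); // hypothetical file name
        File parent = dbFile.getParentFile();
        if (parent != null && !parent.exists()) {
            parent.mkdirs();
        }
        try {
            // SQLCipher derives the actual encryption key from the passphrase
            // with its own KDF; the app never stores the passphrase itself.
            return SQLiteDatabase.openOrCreateDatabase(dbFile.getPath(), passphrase, null);
        } finally {
            Arrays.fill(passphrase, '\0');             // overwrite the secret in memory
        }
    }

    // Returns true only if the passphrase actually decrypts the database.
    // A wrong passphrase opens the handle but fails on the first read, so the
    // check queries the schema before trusting the connection.
    public static boolean verify(Context context, char[] passphrase) {
        SQLiteDatabase db = null;
        try {
            db = open(context, passphrase);
            db.rawQuery("SELECT count(*) FROM sqlite_master", null).close();
            return true;
        } catch (SQLiteException e) {
            return false; // "file is not a database": wrong passphrase or tampered file
        } finally {
            if (db != null) {
                db.close();
            }
        }
    }
}
```

The trade-off is the one the reply points at: with a user-supplied passphrase the APK alone reveals nothing, but the database is only as strong as the passphrase the user picks, and the app has to prompt for it (or for something that unlocks it, such as a device-bound credential) on every cold start.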