I understand SQLCipher has good encryption. However, if your Android app passes the SQLCipher key in the SQLiteDatabase.openOrCreateDatabase call, then the attacker can see the Java code and get the key. Then he could use SQLCipher himself with the same key (even if the key is internally hashed and is not the real key, it is the only input needed here).
Is there a way to better hide the key? Say, if I could set the key from native code, then it would be harder to find the key by static analysis.
So I would call openOrCreateDatabase, get the db handler and pass it to C code through JNI. From C, I would generate a new key and then call sqlite3_key(db_handl, new_key, len);
Is this possible? How do I get the db_handler from Java?