Titanium Community Questions & Answer Archive

We felt that 6+ years of knowledge should not die so this is the Titanium Community Questions & Answer Archive

Encryption/Password Protection of SQLite Database

Is there a way to encrypt a SQLite database in Titanium Mobile yet?

In the app I'm building, most of the value is from the structure and content of the database. I'd like to keep people from having easy access to it. I realize no encryption or password protection is 100% secure from a determined person, but encryption (something like SQLCipher) would help deter those who aren't hell-bent on cracking it.

I've heard vague references here and there about the possibility of adding this functionality in somewhere in the bowels of the Titanium sdk, but I can't seem to find any advice or starting points. Any ideas?

— asked February 3rd 2011 by Mike Lester
  • database
  • encrypt
  • mobile
  • sqlite
0 Comments

2 Answers

  • Accepted Answer

    Mike, AFAIK support for this has only been mentioned on an outdated roadmap but I can't find references to it actually being scheduled for a near term implementation. So in terms of a starting point, my advice is:

    • Learn about coding ios and android extensions
    • Clone the titanium mobile database class as a starting point
    • Link in a copy of the sqlite db engine which supports encryption
    — answered February 3rd 2011 by Doug Handy
    3 Comments
    • Just did a web search on SQLCipher, and you have the right idea. In fact, you may not need to tweak the Ti.Database source code much beyond the headers and include files, then add the proper frameworks etc as described in the module coding guides I linked. I'm out of time right now, so I'll leave the rest as an exercise for the reader. :)

      — commented February 3rd 2011 by Doug Handy
    • Doug: Thanks! This looks like exactly what I need to do, but I'm having trouble understanding what titanium's "database class" is actually comprised of. I can see a bunch of .m and .h files in the Classes subdir, but I can't tell for sure what I need to base a new extension on. Any thoughts?

      — commented February 3rd 2011 by Mike Lester
    • I've not done a module based on the database class (yet, but you are piquing my interest…). Based on a casual glance at the iphone source, it looks like you would want to clone the four files beginning TiDatabase…, plus everything in the PlausibleDatabase folder.

      When you clone them, give them new names, say SqlCipher…. instead of TiDatabase… or whatever. The reason you want to do that is to keep your module upgrade safe when new SDKs are released. If you modify TiDatabase… directly, you would need to merge your changes each time you installed a new SDK. By making your own module with a different name, you can more easily do things like test the continuous builds. You'd still want to periodically do a source compare/merge with the new database class to pick up on any fixes or features they added. But if your class worked fine for your purposes, you'd be upgrade safe.

      Giving complete instructions for creating a new class derived from an existing titanium class is beyond the scope of the Q&A facility. But hopefully I am giving you a direction to follow so you can hit the ground running.

      — commented February 4th 2011 by Doug Handy
  • Mike

    Your best bet is to use a password salt, which you can learn about here and here. Both of these resources apply the technique in the context of PHP, but they also explain the theory behind it. It's a general approach, so you should be able to adapt it easily.

    It looks like someone has used password salts for a javascript application here, but I cannot say whether they have done a good job (it was just the first salt-related javascript tutorial that google returned). ;)

    In case none of the above articles mention it, you can also randomize the salt for each username/password. Store this unique salt either in the same database table row as the username or, possibly even better, store it in a secondary table and link them with a foreign key. It's up to you and your requirements.

    Be aware that these techniques can be easily brute forced, especially as they are stored locally to the user (the database could simply be transferred to a more powerful machine and hacked/processed in a fraction of the time).

    If security is important to you, put the authentication mechanism on a remote server and programme your app to send its password to it over SSL (https).

    Hope this helps

    — answered February 3rd 2011 by Paul Dowsett
    5 Comments
    • Btw, you could use md5HexDigest() from Ti.Utils to create the hash.

      You will notice that base64encode() is also available, but this can be easily reversed with base64decode().

      — commented February 3rd 2011 by Paul Dowsett
    • Paul, md5 isn't an option here because he is not looking to encrypt the entire sqlite db. So it must be reversible, plus can't be just a hash type value. Encrypted SQL databases are mentioned on the appcelerator roadmap but that link is dated (talks about goals for July 2010) and I can't find any tickets in lighthouse as even a pending/future feature.

      There are versions of the sqlite engine which support encryption, but I think to implement it now would require cloning the Ti.Database module, linking in your own copy of the encrypted sqlite db engine, then using that module instead of the stock database class. Obviously, this would need to be done for both iphone and android separately if you needed to support both platforms.

      — commented February 3rd 2011 by Doug Handy
    • Oops, meant to say he IS looking to encrypt the entire db… mea culpa … need to learn to proof read!

      — commented February 3rd 2011 by Doug Handy
    • Ah, thanks for setting me straight, Doug :)

      — commented February 3rd 2011 by Paul Dowsett
    • I am also very interested in an implementation of SQLCipher for iOS and Android. I would pay good money for that module. It seems that we could still try to do some obfuscation. Although I have never done it and don't know how to do it. Any tips?

      — commented November 13th 2011 by Leonardo Amigoni
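
The per-user random salt suggested in Paul Dowsett's answer above, stored in the same row as the username, as an added example that is not part of the original thread. It runs under Node.js rather than Titanium and substitutes PBKDF2 from Node's `crypto` module for the MD5 digest mentioned in the comments, so that each offline guess against a copied database costs more. The `users` map, the function names and the iteration count are assumptions made for illustration.

```javascript
// Added example (not from the thread): per-user salt kept in the same row as the hash.
const nodeCrypto = require("crypto");

// Assumed parameters for illustration; tune the iteration count to the target devices.
const ITERATIONS = 100000;
const KEY_LEN = 32;
const DIGEST = "sha256";

// Stand-in for a users table: username -> row holding salt, work factor and hash.
const users = new Map();

function deriveHash(password, salt, iterations) {
  // PBKDF2 repeats the hash many times, so one guess costs far more than one MD5.
  return nodeCrypto.pbkdf2Sync(password, salt, iterations, KEY_LEN, DIGEST);
}

function register(username, password) {
  const salt = nodeCrypto.randomBytes(16); // unique random salt for this user
  const hash = deriveHash(password, salt, ITERATIONS);
  // The salt is not secret; it is stored next to the hash as hex text.
  const row = {
    salt: salt.toString("hex"),
    iterations: ITERATIONS,
    hash: hash.toString("hex"),
  };
  users.set(username, row);
  return row;
}

function verify(username, password) {
  const row = users.get(username);
  if (!row) return false; // unknown user
  const salt = Buffer.from(row.salt, "hex");
  const expected = Buffer.from(row.hash, "hex");
  const actual = deriveHash(password, salt, row.iterations);
  // Constant-time comparison; both buffers are KEY_LEN bytes long.
  return nodeCrypto.timingSafeEqual(actual, expected);
}

// Constructed sample data: two users who chose the same password.
const alice = register("alice", "correct horse");
const bob = register("bob", "correct horse");
console.log("same password, different hashes:", alice.hash !== bob.hash);
console.log("good login:", verify("alice", "correct horse"));
console.log("bad login:", verify("alice", "wrong guess"));
```

Because the salts differ, a table precomputed for one row is useless against another, but anyone holding a copy of the file can still guess passwords offline at the speed the iteration count allows.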
The ownership of individual contributions to this community generated content is retained by the authors of their contributions.
All trademarks remain the property of the respective owner.