Recipe Name:
Insecure Data Storage: Use SQLCipher Database (all other methods)
Description:
SQLite Databases are an insecure means of storage
Level:
warning
Language:
- java
Tags:
- security
- framework specific
- mobile
- Android
- SQL
- Android security set
Documentation
Android best practices and coding guidelines recommend that SQLCipher should be preferred over SQLite databases.
SQLCipher offers a fully encrypted database. It is very easy to implement in your application, as SQLCipher provides its own implementation of the SQLite methods. The downsides of SQLCipher are a slight performance decrease and the need to store the encryption key securely. Thus, SQLCipher can be used if the key can be supplied by the user of the application (e.g., a PIN or password), or if the key can be securely sent over the network to the application. Never store the encryption key in the application itself!
Recipe
id: scw:android:SQLCipher-other
version: 10
metadata:
  name: 'Insecure Data Storage: Use SQLCipher Database (all other methods)'
  shortDescription: SQLite Databases are an insecure means of storage
  level: warning
  language: java
  enabled: true
  comment: ""
  descriptionFile: descriptions/java_android_storage_encrypt_local_database_files_use_sqlcipher.html
  tags: security;framework specific;mobile;Android;SQL;Android security set
search:
  methodcall:
    name:
      matches: ^(?!openOrCreateDatabase).*$
    type: android.database.sqlite.SQLiteDatabase
    scopes:
      library:
        name:
          contains: sqlcipher
availableFixes:
- name: Use SQLCipher instead of SQLite
  actions:
  - rewrite:
      to: net.sqlcipher.database.SQLiteDatabase.{{{methodName}}}({{{arguments}}})
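The following is an added example, not part of the recipe or of SQLCipher's own code, showing a call this recipe matches (openDatabase on android.database.sqlite.SQLiteDatabase) next to its SQLCipher form. The class name NotesStore, the method names and the parameters are hypothetical. The recipe's rewrite carries the arguments over unchanged, while SQLCipher's openDatabase takes the passphrase as an extra argument, so that argument is added by hand here and comes from the user rather than from the application.

```java
import android.content.Context;
import java.io.File;
import java.util.Arrays;

// Hypothetical helper class; only the SQLiteDatabase calls come from the
// Android and SQLCipher APIs.
public final class NotesStore {

    private NotesStore() { }

    // Before: flagged by the recipe. The database file is stored unencrypted.
    static android.database.sqlite.SQLiteDatabase openPlain(File dbFile) {
        return android.database.sqlite.SQLiteDatabase.openDatabase(
                dbFile.getPath(),
                null, // default CursorFactory
                android.database.sqlite.SQLiteDatabase.OPEN_READWRITE);
    }

    // After: the same method name on net.sqlcipher.database.SQLiteDatabase.
    // userPassphrase is what the user typed (PIN or password); it is never a
    // constant compiled into the app.
    static net.sqlcipher.database.SQLiteDatabase openEncrypted(
            Context context, File dbFile, char[] userPassphrase) {
        // SQLCipher's native libraries must be loaded before the first call.
        net.sqlcipher.database.SQLiteDatabase.loadLibs(context);
        try {
            return net.sqlcipher.database.SQLiteDatabase.openDatabase(
                    dbFile.getPath(),
                    userPassphrase, // extra argument not present in the SQLite call
                    null,           // default CursorFactory
                    net.sqlcipher.database.SQLiteDatabase.OPEN_READWRITE);
        } finally {
            // Clear the passphrase from the Java heap once the database is keyed.
            Arrays.fill(userPassphrase, '\0');
        }
    }
}
```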