Sensei Logo Sensei Hub

Recipe - Insecure Data Storage: Use SQLCipher Database (all other methods)

Description:
SQLite Databases are an insecure means of storage
Level:
warning
Language:
  • java
Tags:
  • security
  • framework specific
  • mobile
  • Android
  • SQL
  • Android security set
Documentation

Android best practices and coding guidelines recommend that SQLCipher should be preferred over SQLite databases.

SQLCipher offers a fully-encrypted database. It is very easy to implement in your application as SQLCipher offers their own implementation of the SQLite methods. A downside of SQLCipher is a slight performance decrease, as well as the need to securely store the encryption key. Thus, SQLCipher can be used if the key can be supplied by the user of the application (e.g., a pin or password), or if the key can be securely sent over the network to the application. Never store the encryption key in the application itself!

References
Recipe
id: scw:android:SQLCipher-other
version: 10
metadata:
  name: 'Insecure Data Storage: Use SQLCipher Database (all other methods)'
  shortDescription: SQLite Databases are an insecure means of storage
  level: warning
  language: java
  enabled: true
  comment: ""
  descriptionFile: descriptions/java_android_storage_encrypt_local_database_files_use_sqlcipher.html
  tags: security;framework specific;mobile;Android;SQL;Android security set
search:
  methodcall:
    name:
      matches: ^(?!openOrCreateDatabase).*$
    type: android.database.sqlite.SQLiteDatabase
scopes:
  library:
    name:
      contains: sqlcipher
availableFixes:
- name: Use SQLCipher instead of SQLite
  actions:
  - rewrite:
      to: net.sqlcipher.database.SQLiteDatabase.{{{methodName}}}({{{arguments}}})