I am creating an Android app in which there will be a Phone Number Verification at first time use(same as that happens in Whatsapp). When the phone number gets verified successfully, I want to store the number in such a way that it cannot be changed/altered by the user. By default data in Android(SQLlite) is stored in text format on the storage, which can be edited by the user. I want to remove this shortcoming. Should I use SQLCipher for storing it? or is there any other way to store it? or does anyone knows which technique does Whatsapp use for storing such type of sensitive information?
Asked
Active
Viewed 283 times
2 Answers
0
> data in Android is stored .. on the storage, which can be edited by the user.
Most users will never attempt (or even be aware of) such a move.
You could encounter such behavior from users with rooted devices or power users (typically developers) via abd or DDMS but frankly, in 7 years of Android development I have never encountered a 'naive' user modifying app's database.
You should, however, be prepared for hackers trying to access/modify you user's private data and the best tool I know to protect your database from such hacks is SqlCipher.
When it comes to non-database secret data storage make sure you read this before hand-coding an encryption mechanism.
Gilad Haimov
- 5,672
- 2
- 24
- 30
-
I got your answer. But the thing is that I just want to store a single 10-digit Phone Number Securely. I don't need any big database for it. What should I use to store a 10 digit integer value securely ? – its.priya.sharma Jul 13 '14 at 17:01
-
Visit this link, it has a detailed description of how to cipher secret data: http://android-developers.blogspot.co.il/2013/02/using-cryptography-to-store-credentials.html – Gilad Haimov Jul 13 '14 at 17:04
0
Quoting verbatim from the Android Security Tips article:
By default, files that you create on internal storage are accessible only to your app. This protection is implemented by Android and is sufficient for most applications.
You should generally avoid using the MODE_WORLD_WRITEABLE or MODE_WORLD_READABLE modes for IPC files because they do not provide the ability to limit data access to particular applications, nor do they provide any control on data format. If you want to share your data with other app processes, you might instead consider using a content provider, which offers read and write permissions to other apps and can make dynamic permission grants on a case-by-case basis.
To provide additional protection for sensitive data, you might choose to encrypt local files using a key that is not directly accessible to the application. For example, a key can be placed in a KeyStore and protected with a user password that is not stored on the device. While this does not protect data from a root compromise that can monitor the user inputting the password, it can provide protection for a lost device without file system encryption.
Also note that files created on external storage, such as SD Cards, are globally readable and writable. Because external storage can be removed by the user and also modified by any application, you should not store sensitive information using external storage.
Finally, this SO question (Android Secure Storage) might interest you.
