Hi,
I'm looking at encrypting the SQLite database for an app.
My research has pointed me pretty quickly towards
SQLCipher for Android.
This seems to do the job fairly effortlessly and looks fine. However the main point of contention here is the encryption/decryption key. Basically all the examples hard code the key into the code. Any hacker worth their salt should be able to decompile the code and get the key, rendering the encryption useless.
I've seen
examples where people have used the NDK to generate .so files and store the key there, but the same issue applies. People can decompile the .so files and get the key.
I was thinking another option is to have the key stored on the same server as the data that's downloaded and stored in the DB, but then you're just passing the problem down the line, and requiring the server to handle the security, and hoping there's no wireshark trickery that can extract the key.
Does anyone have experience with encrypting the database? I'd love to hear some tips and best practices on how other people have achieved this.