I recently created a password manager using Java for my college project in OOP. To handle database I picked SQLite since using MySQL or SQL server was getting hectic for a small project. Though I am already done with the submission, I was thinking if I could do any further improvement in the project.
Biggest drawback that I have observed yet is that if anyone manages to find the location of database in the system (which is way too easy) it would be very simple to open the database.
Now here two problem arises -
User's password list will be visible
Anyone would be able to modify the data using SQLite manager.
In order to solve the first problem, I already used AES encryption and it is working just fine. However, the second problem still remains.
So in a nut shell, How can I prevent my SQLite DB to get modified except from the Password Manager itself?
Point to note that my application is just an offline Password Manager used on a household PC. So, you can consider the level of threat accordingly. Moreover, the Password Manager itself would have to modify the database content, so assigning the permission should be such that it should not prevent the application to do so.
Note: I was wondering if we can use the limitation of SQLite that only one connection to write the data can be established at a time. Using this the intruder won't be able to modify it. But, I am not sure how it can be implemented.
Restrict user access
Only the operating system can secure files against access by unauthorized persons. Put the database into a folder, which is only accessible by the current user, and have a separate database for each user.
Encryption
You're already encrypting the passwords, that's good. If you want to encrypt the whole database, you could have a look at the SQLite Encryption Extension.
The SQLite Encryption Extension (SEE) is an add-on to the public domain version of SQLite that allows an application to read and write encrypted database files.
Also have a look at the question SQLite with encryption/password protection.
Attack
What would actually happen if someone has access to the database file?
If the database is secured properly, the attacker is not able to get the plain passwords (at least not in reasonable time). In the worst case a password is replaced by another one, but that would achieve nothing, besides you using the wrong password and maybe resetting it. Therefore the worst case would be that you'll lose your saved passwords.
You can do nothing to prevent a data loss on a single machine. For example hard disks sometimes just stop working, someone could steal the whole PC, format the hard disk, etc.
Backups
If you really want to make sure that the data is not modified, you need to keep backups on different machines to minimize the possiblity that someone has access to all of them. For example you could upload the database file to a cloud service. Then you sign the file, so that you can see if a file was compromise and if so fallback to another version.
Conclusion
Your password manager is good enough for an offline tool. If you want to improve the data integrity you have to transfer the data to other machines.
Related
I am wondering if there is a way to cache arbitrary data from web requests onto the disk with Android. The flow I am thinking of is as follows:
The data is stored as a key value pair where the key is some identifier and the value is the raw data. Before actually making my web request, I check to see if the key is in the cache, if so, I skip making the web request. If the key does not exist in the cache, then I make the web request and store the data on the disk. I would like the cached data to be accessible across multiple runs of the app so that I don't have to make the web request again every time I start the app.
I was considering using SharedPreferences for this. Would SharedPreferences be the best way to go about this? Is it okay to store 1 megabyte of data in a single key in SharedPreferences?
The best solution to storing cache files is to store them in a cache directory. Luckily, the Android API provides a solution to this problem: Context#getCacheDir. You are able to create files in the directory returned, you can use a map to store an identifier for each file in order to retrieve them.
Although, this solution has a few limitations:
The system will automatically delete files in this directory as disk space is needed elsewhere on the device.
Cache data should only be used for temporary storage of information.
I may be coming late, but a couple years ago I made a library just for this:
https://github.com/fcopardo/EasyRest
The idea is to allow the app to operate with unstable or no connection without having to implement a secondary data layer for persisting data, instead, it keeps the responses for as long as you want, and refresh them without forcing the user to wait. Take a look, you may get some ideas.
I am currently developing a program in Java using NetBeans that manages expenses. In this program I used MySQL to store data. Now I want to ask that if I give the program to one of my friend, he would also have to install MySQL using the same password that I used. Is there a way in which he will not be required to install MySQL?
Now suppose if my friend already has MySQL, but with a different password. My program would not work in that case, and it would be hard to replace my password with his password in the code. Is there a way to make the program run on his PC?
Earlier once, I have used an Oxford dictionary program. That time I did not have Microsoft Access installed. When I installed Microsoft Access I came to know that all the words of the dictionary are stored in a Microsoft Access file. How can I do this? I.e. how can I use MySQL/Microsoft Access to store data without the need to install either of them?
You can use an in-memory database like H2 Database if you don't require a large amount of data
But I think you should make your db connection configurable by using a properties file
If you want everyone to be able to use the database, you need to run it on a server that people can access through the internet.
However if you don't care about them using the same database and just want them to use their own, you could for example create a small file named "config.ini" or something like that and put the login information (like the password) in there.
Then just read it in your code and use the info you read to log into your database.
That way, every new user will only have to change the config.ini file without ever having to touch the code.
The best solution in my opinion would be SQLite as it is light, and data can be stored locally in a desired location in a single file. H2 is more likely to be a developer tool.
This solution does not require additional software to be present on the user machine. Of course it has its limits, but as a simply storage for program dynamic data it is a good solution. It is worth mentioning that Android applications also can store their data in LiteSQL. It is a bit different approach there, but the principle stays the same.
I am trying to do an eclipse java android app using internal storage.
It is a notepad. What it should be able to do is write and save notes, search for them an edit them.
the most similar application of what I need is this:
http://developer.android.com/training/notepad/notepad-ex3.html
but I dont know how to modify if to use internal storage and not external, i also found this file that allows you to read and save in internal storage
http://www.androidaspect.com/2013/09/android-internal-storage-tutorial.html
but now i dont know how change the database for the inernal storage
Okay let's break it down. You want to make something that will let you take notes. Fair enough. You need the kind of storage that will make retrieval and insertion easier.
Let's start with a single text file that you store somewhere (internal or external). If you use this approach, inserting and deleting data becomes difficult because any changes will require you to make changes to the actual text. Not to mention, you will need to format your notes in a way so that you can differentiate one note from another.
Okay, so will using multiple text files solve this? In a way, yes, but you can go for a better approach using SQLite.
SQLiteDatabase has methods to create, delete, execute SQL commands,
and perform other common database management tasks.
SQLite seems like the prime candidate for your storage because it makes CRUD (Create, Read, Update, Delete) easier. Instead of trying to modify the code, start from scratch.
Have a look at this tutorial https://www.youtube.com/watch?v=j-IV87qQ00M
I'm currently building an Eclipse plugin which creates and stores sensitive data, let's say "highscores".
As users can simply unpack the jar file, they are able to see the source code of the project. Thus they are able to cheat and create a faked highscore file by either changing the data in the file itself or writing to the highscore file (as they know how the data is encrypted from the source code).
Can I encrypt my jar file so that users cannot read the source code, but the plugin is still working properly?
As greg-449 already commented, that when the code is with user, it can be hacked in one way or the another. If Encryption of secure data is not going to help, you can move the secure data on your server.
Impact would be, it is available only when the user is online.
Another solution, a bit complex one:
Don't store High Score at all. Store/ log the user's activities to calculate high score. make the logs encrypted to add more security. Use salt, timestamp and secure key while encryption and a checksum to prevent manual changes to the file.
My app picks up the GPS location of the user every 5 minutes, saves it and then sends it to a server.
The problem I'm facing is I need the data stored on the android SD card to be Crypted so no one except me on the server can access it. Also I need to think of a way to make sure that no-one has edited the data except me.
For the last I've thought writing the MD5 checksum of the file each time I close it so when the app opens the file it checkes the MD5 to see if they match.
The problem with this is I think it'll waste resources and battery as I'm already checking for the GPS location every 5 minutes.
Any ideas would be appreciated as for crypting data I've been unable to find the most secure way
Thanks!!!
EDIT: I've already checked subjects on cryptography but everything seems so think that it's vulnerable to anyone with a little time, that's why I'm asking!
You should store your data using Sqlite with SqlCipher:
http://sqlcipher.net/sqlcipher-for-android/
As you say, there is no way to completely prevent the data from being viewed/edited by a determined attacker, as you will have to expose your encryption key either in the program code or a save file somewhere on the system.
However no homegrown solution you or I could write would be any better, this is just the nature of the hardware/OS.
If you want the data safe from reading, I suggest you delete it after transmitting to the server.
Aside, if you're checking GPS every 5 minutes, there is hardly anything you could do that would be a noticeable battery drain compared to that.