Android Assets database security issues?
https://stackoverflow.com/questions/13015976
-
13-07-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I'm looking at this page, which explains how to use a database in the local Android project (in Assets), to populate the application standard database (managed by Android, in data/...) like this. In this way all the data in the assets database are readable in the apk freely, right?
This is not a good way to store data if in the database there is personal info or certificates. What is the best way store big info data in assets db and personal data in res/xml or res/values? Is there a recommended way to store personal data?
Solution
APK files in Android are world-readable by default, so storing sensitive data in there is not a good idea. On JellyBean and later, the app can be forward-locked (aka 'app encryption') which will ensure that your private assets cannot be read by other applications. This is done automatically for paid apps.
The best way would be to not store the data in the APK but download it on first install. You can use Google Play expansion files, which require authentication to download or come up with your own solution.
You could store them in some encrypted form and then decrypt them on first run, but then you will have key management issues.
OTHER TIPS
As luck would have it I was reading about this today. The Android Dev guide suggests that you use internal storage for private data as it is inaccessible to other apps or the user. See http://developer.android.com/guide/topics/data/data-storage.html#filesInternal I hope that helps.
