Security of SQLite databases

Your SQLite database can have the following security settings:

  • Not encrypted, accessible from any application on the BlackBerry device
  • Encrypted, accessible from any application on the device
  • Encrypted and protected, accessible only from applications on the device that are signed with the code signing key

There is no way to create a non-encrypted database and restrict its usage to only one application. That is because there are other ways (using file I/O operations) to read a non-encrypted database file from other applications.

You implement both encryption and protection with the DatabaseSecurityOptions class.

Encryption

The algorithm used to implement SQLite encryption is AES 256.

An encrypted database cannot be moved to another device: it can be opened only on the device where it was originally created. To transfer an encrypted database to another device, you must first decrypt it.

An application can open or create an encrypted database only when the device is unlocked. If a database is open when a device is locked, the database continues to be readable and writable.

Encryption does not protect your database from being accessible to other applications on the device. To restrict access, you must sign the database with a code signing key.

The following code sample creates a database that is encrypted but not signed. It creates a DatabaseSecurityOptions object called dbso, passing true as the single constructor parameter:

try
{
        URI myURI = URI.create("file:///SDCard/Databases/SQLite_Guide/" +
                "MyEncryptedDatabase.db");
        // true = encrypt the database; no code signing key is supplied,
        // so other applications on the device can still open it
        DatabaseSecurityOptions dbso = new DatabaseSecurityOptions(true);
        Database d = DatabaseFactory.create(myURI, dbso);
        d.close();
}
catch ( Exception e )
{
        System.out.println( e.getMessage() );
        e.printStackTrace();
}

Encryption and protection

If you want to restrict a database so that it can be accessed only by the application it is a part of, you should sign the database with a code signing key. To restrict access to one application, you should use a unique key that you generate using the Signing Authority tool. This signing is separate from the code signing you do for controlled APIs.

You can also use the code signing key to share access to the database with other specific applications. When multiple applications are signed with the same key, they all have access to the database.

To specify that a database is encrypted and signed, you have a choice of two identical constructors. The following code sample encrypts and protects an existing database. First, the code sample retrieves the code signing key from a file called XYZ. It then encrypts and signs the database. If the database is already encrypted, the method exits gracefully.

// Retrieve the code signing key "XYZ" that the SQLiteDemo module is signed with
CodeSigningKey codeSigningKey =
        CodeSigningKey.get(CodeModuleManager.getModuleHandle( "SQLiteDemo" ), "XYZ");

try
{
        // uri is the URI of the existing database file
        DatabaseFactory.encrypt(uri, new DatabaseSecurityOptions(codeSigningKey));
}
catch(DatabaseException dbe)
{
        errorDialog("Encryption failed - " + dbe.toString());
}
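
The Encryption section states that an encrypted database must be decrypted before it can be transferred to another device. The following sketch is an added example, not part of the original BlackBerry sample: it decrypts a database for export and always restores encryption and protection afterward, so the file spends as little time as possible readable by other applications through file I/O. The names DatabaseTransfer, Exporter and exportProtected are hypothetical, and the example assumes that CodeSigningKey.get returns null when the module is not signed with the named key.

```java
import net.rim.device.api.database.DatabaseFactory;
import net.rim.device.api.database.DatabaseSecurityOptions;
import net.rim.device.api.io.URI;
import net.rim.device.api.system.CodeModuleManager;
import net.rim.device.api.system.CodeSigningKey;

public final class DatabaseTransfer
{
    /** Hypothetical hook: copies the decrypted file to its destination. */
    public interface Exporter
    {
        void export(URI plaintextDb) throws Exception;
    }

    /**
     * Decrypts the database at uri, hands it to the exporter, then
     * re-encrypts and re-protects it even if the export fails.
     * The caller must close every open handle to the database first.
     */
    public static void exportProtected(URI uri, Exporter exporter) throws Exception
    {
        // Look up the key before decrypting, so that a missing key
        // never leaves the database in plaintext.
        CodeSigningKey key = CodeSigningKey.get(
                CodeModuleManager.getModuleHandle("SQLiteDemo"), "XYZ");
        if (key == null)
        {
            // Assumption: null means the module is not signed with "XYZ"
            throw new RuntimeException("Module is not signed with key XYZ");
        }

        DatabaseFactory.decrypt(uri);
        try
        {
            // While decrypted, the file is readable by any application
            // on the device, so keep this step short.
            exporter.export(uri);
        }
        finally
        {
            // Restore encryption and protection on the local copy.
            DatabaseFactory.encrypt(uri, new DatabaseSecurityOptions(key));
        }
    }
}
```

On the receiving device, the transferred file is plaintext until the application there calls DatabaseFactory.encrypt on it.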