Unencrypted SQLite Database security risk – #4 DIVA Solution

Android uses the SQLite database to store data locally in the device's internal memory, as a managed relational database management system (RDBMS). Developers mostly use it to save app activity, the user's personal details, transaction logs, or the state of the app. By default, SQLite database files are saved inside the app sandbox directory, i.e. /data/data/AppPackageName/databases. However, some apps also use SQLite outside this databases folder, elsewhere within the sandbox. To identify SQLite files, look for common extensions such as .sqlite and .db; sometimes the file has no extension at all. There is one more way to identify unencrypted SQLite databases: just view the content of the file. Such database files carry the SQLite header on their first line.

The video demonstrates the DIVA app: the app's login information is visible in clear text in the app's SQLite database named ids2. As mentioned below, you can view the content of an unencrypted SQLite DB using a rooted physical device or emulator. (Make sure you fill in the data and save it first; only then will the SQLite DB be populated.)


Download: DIVA.apk

  • Obtaining the SQLite DB from the device to your computer
    With ADB configured on your laptop/computer, connect a physical device via USB and grant ADB connectivity; an emulator works directly. Using the commands below we can access the SQLite DB file:

Method 1 – ADB pull directly (might fail because of file permissions on a few rooted devices)

Method 2 – Solution for the above adb pull, if you get a permission denied error

Method 3 – Using Android Monitor, a GUI interface that ships by default with Android Studio, as shown in the YouTube video above.

  • Reading content within the SQLite DB.

Once you have copied the database to your local computer, you can use command-line SQLite, SQLite DB Browser (a GUI desktop program), or the SQLite Viewer browser plugin.

Command line syntax is as below:

sqlite3 database_name
.tables
select * from table_name;
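The header check described in the introduction and the `.tables` / `select *` walk-through above, combined into one script. This is an added example, not code from the original post or from the DIVA project; it assumes you have already pulled a copy of the app's sandbox directory to your computer. The file and table names in the fixture (`ids2`, `myuser`, `shared_prefs.xml`) and the credentials it inserts are constructed for the demonstration; the `databases` sub-folder mirrors the sandbox layout named in the introduction.

```python
import os
import sqlite3
import tempfile

# Every SQLite 3 database file begins with this 16-byte magic header
# ("SQLite format 3" followed by a NUL byte), whatever the file is called.
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_sqlite_file(path):
    """True if the file starts with the SQLite 3 header, regardless of its extension."""
    try:
        with open(path, "rb") as f:
            return f.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False


def find_sqlite_files(root):
    """Walk a pulled sandbox (a copy of /data/data/<pkg>/) and list every file carrying the
    SQLite header. Deciding on the header, not the name, also catches extension-less files
    and databases kept outside the databases folder."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_sqlite_file(path):
                hits.append(path)
    return sorted(hits)


def dump_database(path):
    """Equivalent of `.tables` followed by `select * from <table>` for every user table.
    Returns {table_name: [row tuples]} so the caller can look for cleartext secrets."""
    result = {}
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            result[table] = con.execute('SELECT * FROM "%s"' % table).fetchall()
    finally:
        con.close()
    return result


def build_sample_sandbox():
    """Constructed fixture standing in for a pulled sandbox: one populated database stored
    without an extension (as on the device), plus one non-SQLite file that must be ignored."""
    root = tempfile.mkdtemp(prefix="sandbox_")
    db_dir = os.path.join(root, "databases")
    os.makedirs(db_dir)
    con = sqlite3.connect(os.path.join(db_dir, "ids2"))
    con.execute("CREATE TABLE myuser (user TEXT, password TEXT)")
    # Constructed credentials, stored in cleartext exactly as the vulnerable app would.
    con.execute("INSERT INTO myuser VALUES (?, ?)", ("diva_user", "cleartext_pw"))
    con.commit()
    con.close()
    with open(os.path.join(root, "shared_prefs.xml"), "w") as f:
        f.write("<map></map>")
    return root


if __name__ == "__main__":
    sandbox = build_sample_sandbox()
    for db in find_sqlite_files(sandbox):
        print("SQLite file:", db)
        for table, rows in dump_database(db).items():
            print("  %s: %s" % (table, rows))
```

Point `find_sqlite_files` at the directory you pulled instead of the fixture. Because it decides on the magic header rather than the file name, a database saved under an odd name or outside the databases folder still shows up, which is the case the introduction warns about.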

Tip:

There are many SQLite Manager apps on the Android Play Store that can read and show the table content of a SQLite file directly on the device.

Although the SQLite DB is protected by the app sandbox, there are a few catches that void the sandbox protection for the SQLite DB. The easiest is a rooted device (with plenty of tweaks motivating millions of users to root their devices). With SU (superuser) privilege, any app can read files from the sandbox of any other app. If the device is not rooted but the app is installed with an AndroidManifest.xml containing debuggable='true', files protected by the sandbox can still be accessed easily from outside. Or, if AndroidManifest.xml contains allowBackup='true', sandbox files can be pulled to a connected computer using ADB backup (however, ADB permission needs to be granted from the phone).
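A defender-side check for the two manifest flags mentioned above, as an added example that is not from the original post or the DIVA project. It parses a decoded AndroidManifest.xml, reports whether debuggable or allowBackup leaves the sandbox reachable from outside, and emits a hardened copy. The sample manifest, its placeholder package name com.example.app and the function names are constructed for this example; treating a missing allowBackup as true reflects the platform default for that attribute.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for the demonstration (package name and label are placeholders).
# Both flags are set the risky way described in the text above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application android:label="Example"
                 android:debuggable="true"
                 android:allowBackup="true">
    </application>
</manifest>
"""


def _android_attr(element, name):
    """Read an attribute from the android: namespace (ElementTree uses Clark notation)."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def _as_bool(value, default):
    if value is None:
        return default
    return value.strip().lower() == "true"


def sandbox_exposure(manifest_xml):
    """Return which manifest flags let sandbox files be reached from outside the app.

    debuggable defaults to false when absent; allowBackup defaults to true when absent,
    which is why an app that never sets it is still exposed to ADB backup."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    return {
        "debuggable": _as_bool(_android_attr(app, "debuggable"), False),
        "allowBackup": _as_bool(_android_attr(app, "allowBackup"), True),
    }


def findings(manifest_xml):
    """Human-readable list of problems; empty when the manifest is clean."""
    exposure = sandbox_exposure(manifest_xml)
    issues = []
    if exposure["debuggable"]:
        issues.append("android:debuggable=true: sandbox files readable on a non-rooted device")
    if exposure["allowBackup"]:
        issues.append("android:allowBackup=true (or unset): sandbox files extractable via ADB backup")
    return issues


def hardened_manifest(manifest_xml):
    """Return the same manifest with both flags explicitly set to false."""
    ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix on output
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    app.set("{%s}debuggable" % ANDROID_NS, "false")
    app.set("{%s}allowBackup" % ANDROID_NS, "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for issue in findings(SAMPLE_MANIFEST):
        print("FINDING:", issue)
    print(hardened_manifest(SAMPLE_MANIFEST))
```

Run it against the manifest that actually ships: an installed APK carries a binary manifest produced from the merged build configuration, so decode it first (for example with apktool) rather than checking only the source tree, since build tooling can set debuggable on a debug variant that the source file never mentions.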

Given the above facts, it is recommended not to save any sensitive information in cleartext in a SQLite DB, such as user personal details, login credentials, bank details, credit/debit card details, tokens, PINs, health data, transaction logs, cookies, etc.

Remediation

  • The best solution is not to save anything in plaintext within the app sandbox directory: either generate it at run time from user input or fetch the details over a secure HTTPS call.
  • Save passwords only after salting and hashing them with a strong algorithm such as SHA-2 or bcrypt.
  • Use the Android Keystore, which allows encryption keys to be stored safely even on rooted devices, and use these keys to encrypt sensitive data before saving it in the SQLite DB.
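The second remediation point (salting and hashing with a SHA-2 algorithm), as an added example that is not part of the original post or of DIVA. It writes only a per-user random salt, the work factor and a PBKDF2-HMAC-SHA256 digest into the SQLite table, so the table no longer holds anything directly usable even if it is pulled from a rooted device. The table layout, the function names and the iteration count are assumptions made for this example; the Android Keystore step in the third point is platform-side Java/Kotlin code and is not shown here.

```python
import hashlib
import hmac
import os
import sqlite3

# Work factor for PBKDF2-HMAC-SHA256 (assumption for this example; raise it as far as
# login latency on the target handset allows).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return (salt, iterations, digest). A fresh random salt is drawn when none is given,
    so two users with the same password end up with different digests."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def open_store(path=":memory:"):
    """Open (or create) the credential table. Constructed layout: there is no cleartext column."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE IF NOT EXISTS myuser ("
        "user TEXT PRIMARY KEY, salt BLOB NOT NULL, "
        "iterations INTEGER NOT NULL, hash BLOB NOT NULL)"
    )
    return con


def register(con, user, password):
    """Store salt + work factor + digest; the password itself is never written."""
    salt, iterations, digest = hash_password(password)
    con.execute("INSERT INTO myuser VALUES (?, ?, ?, ?)", (user, salt, iterations, digest))
    con.commit()


def verify(con, user, password):
    """Recompute the digest with the stored salt and compare it in constant time."""
    row = con.execute(
        "SELECT salt, iterations, hash FROM myuser WHERE user = ?", (user,)
    ).fetchone()
    if row is None:
        # Burn the same amount of work so an unknown user is not distinguishable by timing.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, iterations, stored = row
    _, _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


def stored_row(con, user):
    """Expose what actually sits in the table, so an audit can confirm no cleartext is there."""
    return con.execute(
        "SELECT salt, iterations, hash FROM myuser WHERE user = ?", (user,)
    ).fetchone()


if __name__ == "__main__":
    con = open_store()
    register(con, "diva_user", "correct horse battery")  # constructed credentials
    print("login ok:", verify(con, "diva_user", "correct horse battery"))
    print("wrong pw:", verify(con, "diva_user", "guess"))
    print("on disk :", stored_row(con, "diva_user"))
```

Keeping the iteration count in the row lets you raise the work factor later and re-hash each user at their next successful login without invalidating existing accounts.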
