Most secure strategy for mobile database


Problem description

I have to develop an app both for iOS and Android. This app uses a small sqlite database with sensitive data, and depending on the user's input, it makes some process with this data. After this process is made, the database is no longer accessed unless the user has to enter a new input (it's not probable that this happens).

Since the database has sensitive data I have to protect it. I know it is impossible to get complete protection but I would like to make life harder for a possible attacker.

And since I don't know too much about security I'm not sure what would be the best alternative taking into account "difficulty / security".

I've thought of two alternatives:

1) Include the database in the apps and encrypt or obfuscate it.

But I guess it wouldn't be very difficult to get the database with a rooted Android.

2) Have the database stored in a server, each time the user enters the input the app downloads the database, the process is made and after that I remove the database from the app.

But the process takes 5-10 minutes and maybe this time is enough to get the database from the app, so I would have to add the same protection as in 1) plus a protection in the server.

Which would be the best option (difficulty / security)? Would there be any other options?

I've tried several Google searches but I'm confused by all that information and I would like to try with the huge knowledge of this community.

UPDATED:

Well, reading your answers I'm inclined to have a backend and not download the database to the app. It's not the preferred solution of the client, but it seems to be the best by far so I'll try to convince them. Anyway, due to the type of process the app has to do I'm not sure if it's possible with a backend. Since it's a completely different question I would like to ask it in another thread: Remote sqlite queries from app

NEW UPDATE:

I keep thinking about this and I don't find a good solution because the process is too complex. I've thought of something and I would like to know if it's possible or if it makes no sense (sorry, but I don't know too much about backend development).

SERVER -> my sqlite database & PHP web services

DEVICE -> a txt file with user inputs (20MB)

  1. Device: In the device the txt file is compressed (10MB)
  2. Device: The app sends the txt file to the server via POST web service.
  3. Server: This txt file is stored in the server.
  4. Server: This txt file is decompressed.
  5. Server: This txt file is loaded into a new table InputTable inside my sqlite database.
  6. Server: A new table UserFinalDataTable (almost 10000 rows) is created making lots of queries using InputTable and the rest of my database.
  7. Server: UserFinalDataTable is converted into JSON and sent back to the device as the response to the web service called in step 2.
  8. Device: The app receives this JSON and converts it to something useful for the app.

Is this possible, or are any (if not all) of the steps impossible to achieve?

Solution

The most secure and reliable way is to store the database on your server encrypted with a symmetric encryption algorithm. Better yet if you also use an asymmetric encryption algorithm on top of that, if possible with some sort of forward secrecy, in case your server gets hacked. It all depends on what degree of security you want to achieve.

Another way would be to store the database on the device with the server's encryption key, when needed send the database to your server for decryption and return the decrypted output. Although this doesn't make sense in most situations, especially yours.
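
The eight-step flow from the question, where the sensitive database never leaves the server, can be sketched as follows. This is an added example, not code from the original post or answer: it uses Python instead of the PHP web service the question mentions, and the `Reference` table, the `code,qty` line format and the `MAX_RAW` limit are constructed assumptions.

```python
import gzip
import io
import json
import sqlite3

MAX_RAW = 1_000_000  # assumed cap on decompressed upload size, in bytes

def open_reference_db():
    # Constructed stand-in for the sensitive database that stays on the server.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Reference (code TEXT PRIMARY KEY, secret_factor REAL)")
    db.executemany("INSERT INTO Reference VALUES (?, ?)",
                   [("A", 1.5), ("B", 2.0), ("C", 4.0)])
    return db

def bounded_gunzip(blob, limit=MAX_RAW):
    # Step 4: decompress, refusing uploads that expand past the limit.
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
        data = fh.read(limit + 1)
    if len(data) > limit:
        raise ValueError("decompressed upload exceeds limit")
    return data.decode("utf-8")

def handle_upload(db, blob):
    # Steps 3-7 on the server; returns the JSON body sent back to the device.
    rows = []
    for line in bounded_gunzip(blob).splitlines():
        code, _, qty = line.partition(",")
        rows.append((code.strip(), float(qty)))  # float() rejects malformed lines
    # TEMP tables are private to this connection (one connection per request).
    db.execute("CREATE TEMP TABLE InputTable (code TEXT, qty REAL)")
    try:
        db.executemany("INSERT INTO InputTable VALUES (?, ?)", rows)  # bound parameters
        db.execute("""CREATE TEMP TABLE UserFinalDataTable AS
                      SELECT i.code, i.qty * r.secret_factor AS result
                      FROM InputTable i JOIN Reference r ON r.code = i.code""")
        out = db.execute("SELECT code, result FROM UserFinalDataTable ORDER BY code").fetchall()
    finally:
        db.execute("DROP TABLE IF EXISTS temp.UserFinalDataTable")
        db.execute("DROP TABLE IF EXISTS temp.InputTable")
    return json.dumps([{"code": c, "result": r} for c, r in out])

def device_round_trip(text):
    # Steps 1-2 and 8: compress, "POST" (a function call here), parse the reply.
    reply = handle_upload(open_reference_db(), gzip.compress(text.encode("utf-8")))
    return json.loads(reply)
```

The device only ever sees the derived rows; the `secret_factor` column in the constructed reference table is never serialized into the response.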
