Mobile applications often need to store data (which might be sensitive) locally. For Android, there exist several libraries that simplify this
process by offering a feature-rich database system. SQLCipher and Realm are examples of such libraries. These libraries often add support for database encryption, to protect the contents
from being read by other apps or by attackers.
When using encryption for such a database, it is important that the encryption key stays secret. If this key is hardcoded in the application, then
it should be considered compromised. The key will be known by anyone with access to the application’s binary code or source code. This means that the
sensitive encrypted data can be decrypted by anyone having access to the binary of the mobile application.
Furthermore, if the key is hardcoded, it is the same for every user. A compromise of this encryption key implicates every user of the app.
The encryption key is meant to stay secret and should not be hard-coded in the application as it would mean that:
What is the potential impact?
If an attacker is able to find the encryption key for the mobile database, this can potentially have severe consequences.
Theft of sensitive data
If a mobile database is encrypted, it is likely to contain data that is sensitive for the user or the app publisher. For example, it can contain
personally identifiable information (PII), financial data, login credentials, or other sensitive user data.
By not protecting the encryption key properly, it becomes very easy for an attacker to recover it and then decrypt the mobile database. At that
point, the theft of sensitive data might lead to identity theft, financial fraud, and other forms of malicious activities.
