Sorry about the red box, but we really need you to update your browser. Read this excellent article if you're wondering why we are no longer supporting this browser version. Go to Browse Happy for browser suggestions and how to update.

Security of SQLite databases

Your SQLite database can have one of the following levels of security:

  • No encryption: A plaintext file that is accessible from any app on a BlackBerry smartphone.
  • Encryption: An encrypted file that is accessible from any app on the smartphone.
  • Encryption and protection: An encrypted file that is accessible only from apps on the smartphone that are signed with the same code signing key.
  • Content protection in addition to encryption and protection: An encrypted and protected file that uses content protection to encrypt the SQLite master key and provide extra protection when the smartphone is locked.

Applications with sensitive information should use encrypted and protected databases to prevent other applications from using the attach method to access them.

There is no way to restrict access to a plaintext database because it can be read with file I/O operations.

The following sections describe each of the levels of security.

Encryption

Encryption helps prevent someone from copying files from a smartphone and reading them. The algorithm used to implement SQLite encryption is AES-256.

To transfer an encrypted database to another smartphone, you must first decrypt it.

An app can open or create an encrypted database only when the smartphone is unlocked. If a database is open when a smartphone is locked, the database continues to be readable and writable.

Encryption does not prevent other applications on the smartphone from accessing your database. To restrict access, you must protect your database by signing it with a code signing key.

The following code sample creates a database that is encrypted but not signed. It creates a DatabaseSecurityOptions object called dbso that passes true as the single parameter value.

try
{
    URI myURI = URI.create("file:///SDCard/Databases/SQLite_Guide/" +
    "MyEncryptedDatabase.db");
    DatabaseSecurityOptions dbso = new DatabaseSecurityOptions(true);
    d = DatabaseFactory.create(myURI,dbso);
    d.close();
}
catch ( Exception e )
{
    System.out.println( e.getMessage() );
    e.printStackTrace();
}

Encryption and protection

If you want to restrict a database so that it can be accessed only by the app that it is a part of, you must sign the database with a code signing key. To restrict access to one app, you should use a unique key that you generate using the BlackBerry Signing Authority Tool. This signing is separate from the code signing you do for controlled APIs.

You can also use the code signing key to share access to the database with other specific apps. When multiple apps are signed with the same key, they all have access to the database.

The following code sample encrypts and protects an existing database. First, the code sample retrieves the code signing key from a file called XYZ. Next, it encrypts and signs the database. If the database is already encrypted, the encrypt method exits gracefully.

CodeSigningKey codeSigningKey = 
    CodeSigningKey.get(CodeModuleManager.getModuleHandle( "SQLiteDemo" ), "XYZ");
    
try
    {
    DatabaseFactory.encrypt(uri, new DatabaseSecurityOptions(codeSigningKey));
    }
    catch(DatabaseException dbe)
    {
    errorDialog("Encryption failed - " + dbe.toString());         
    }

Content protection in addition to encryption and protection

Content protection encrypts encryption keys so that they are inaccessible when the smartphone is locked.

Even when a database file is encrypted, the maximum protection level is achieved when content protection is turned on. With content protection, an application can open or create an encrypted database only when the smartphone is unlocked.

An encrypted database should be closed as soon as possible. An open database connection might be susceptible to cold boot attacks.

For more information about content protection, see the BlackBerry Java SDK Security Guide, available at www.blackberry.com/go/devguides.

Code sample: Creating an encrypted SQLite database

By default, database files are stored on a media card. If you are using a BlackBerry Smartphone Simulator, you might need to simulate a media card.

import net.rim.device.api.ui.*;
import net.rim.device.api.ui.component.*;
import net.rim.device.api.ui.container.*;
import net.rim.device.api.database.*;
import net.rim.device.api.io.*;

public class CreateEncryptedDatabase extends UiApplication
{
   public static void main(String[] args)
   {
      CreateEncryptedDatabase theApp = new CreateEncryptedDatabase(); 
      theApp.enterEventDispatcher();
   }

   public CreateEncryptedDatabase()
   { 
      pushScreen(new CreateEncryptedDatabaseScreen());
   }
}

class CreateEncryptedDatabaseScreen extends MainScreen
{
   Database d; 
   public CreateEncryptedDatabaseScreen()
   {
      LabelField title = new LabelField("SQLite Create Encrypted Database Sample",
      LabelField.ELLIPSIS |
      LabelField.USE_ALL_WIDTH);
      setTitle(title);
      add(new RichTextField("Creating an encrypted database called " +
      "MyEncryptedDatabase.db on the microSD card."));
      try
      {
         URI myURI = URI.create("file:///SDCard/Databases/SQLite_Guide/" +
         "MyEncryptedDatabase.db");
         DatabaseSecurityOptions dbso = new DatabaseSecurityOptions(true);
         d = DatabaseFactory.create(myURI,dbso);
         d.close();
      }
      catch ( Exception e )
      {
         System.out.println( e.getMessage() );
         e.printStackTrace();
      }
   }
}