rspec/rules/S6301/rationale.adoc
Egon Okerman d408fe4dd9
Modify rule S6301: update to LaYC format (APPSEC-973) (#2984)
## Review

A dedicated reviewer checked the rule description successfully for:

- [x] logical errors and incorrect information
- [x] information gaps and missing content
- [x] text style and tone
- [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)
2023-08-30 13:55:19 +02:00


Mobile applications often need to store data (which might be sensitive) locally. For Android, there exist several libraries that simplify this process by offering a feature-rich database system. https://www.zetetic.net/sqlcipher/[SQLCipher] and https://realm.io/[Realm] are examples of such libraries. These libraries often add support for database encryption, to protect the contents from being read by other apps or by attackers.
When using encryption for such a database, it is important that the encryption key stays secret. If this key is hardcoded in the application, then it should be considered compromised. The key will be known by anyone with access to the application's binary code or source code. This means that the sensitive encrypted data can be decrypted by anyone having access to the binary of the mobile application.
Furthermore, if the key is hardcoded, it is the same for every user. A compromise of this single encryption key therefore affects every user of the app.
The encryption key is meant to stay secret and should not be hardcoded in the application as it would mean that:
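The contrast described above, as an added Kotlin example that is not part of the rule text: a SQLCipher database opened with a passphrase literal shipped in the APK, next to a per-install random key that is generated on first run and kept in Keystore-backed storage, then used for both SQLCipher and Realm. It assumes the app depends on sqlcipher-android, realm-android and androidx.security:security-crypto, and that `Realm.init(context)` has already been called.

```kotlin
// Added example, not the rspec project's own code. Assumes sqlcipher-android,
// realm-android and androidx.security:security-crypto are on the classpath.
import android.content.Context
import android.util.Base64
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import io.realm.RealmConfiguration
import net.sqlcipher.database.SQLiteDatabase
import java.security.SecureRandom

object DatabaseKeys {
    // Noncompliant: the passphrase is compiled into the APK, identical for every
    // user, and recoverable by anyone who decompiles the app. (Constructed literal.)
    private const val HARDCODED_PASSPHRASE = "example-hardcoded-passphrase"

    fun openNoncompliant(context: Context): SQLiteDatabase {
        SQLiteDatabase.loadLibs(context)
        val file = context.getDatabasePath("app.db")
        return SQLiteDatabase.openOrCreateDatabase(file, HARDCODED_PASSPHRASE, null)
    }

    // Compliant: a random 64-byte key per installation (Realm requires exactly 64 bytes),
    // stored in EncryptedSharedPreferences whose master key lives in the Android Keystore.
    // The key never appears in source or binary, and differs for every user.
    private fun loadOrCreateKey(context: Context, name: String): ByteArray {
        val masterKey = MasterKey.Builder(context)
            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
            .build()
        val prefs = EncryptedSharedPreferences.create(
            context, "db_key_store", masterKey,
            EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
            EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
        )
        prefs.getString(name, null)?.let { return Base64.decode(it, Base64.NO_WRAP) }
        val key = ByteArray(64).also { SecureRandom().nextBytes(it) }
        prefs.edit().putString(name, Base64.encodeToString(key, Base64.NO_WRAP)).apply()
        return key
    }

    fun openCompliant(context: Context): SQLiteDatabase {
        SQLiteDatabase.loadLibs(context)
        val file = context.getDatabasePath("app.db")
        // byte[] overload: the raw key is passed to SQLCipher directly.
        return SQLiteDatabase.openOrCreateDatabase(file, loadOrCreateKey(context, "sqlcipher_key"), null)
    }

    fun realmConfigCompliant(context: Context): RealmConfiguration =
        RealmConfiguration.Builder()
            .encryptionKey(loadOrCreateKey(context, "realm_key"))
            .build()
}
```

Losing the Keystore-backed preferences (app data wipe, reinstall) makes the databases unreadable by design; a detection rule such as S6301 flags the first pattern because the key material is present in the binary, not the second.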