Is watermelon safe to store sensitive data? #51
Comments
|
On iOS, the database file (like all files) are encrypted. Other apps can't read it. And the encryption keys are entangled with a unique device ID and users password, so it's not possible to read the file unless phone is unlocked. API tokens etc should be stored in the Keychain, however. I don't know about Android — @rozPierog ? |
|
Android approach to this is not great, to say at least. All database files are kept in apps |
|
We should make some research into SQLite encryption then @rozPierog — I assume there's some Keychain-like API on Android for storing sensitive keys (like a database encryption key), right? And I know that SQLite has encryption capabilities on top of it (but we'd have to bundle our own version of sqlite into the app in that case) |
|
@rozPierog OK — can you add this to 🍉 backlog in Nozbe? We should probably research this for our purposes. |
|
@ikhsanalatsary Does this answer your questions? If so, please close the issue :) |
|
@radex Yes, I hope it will implement it in this lib. thank you so much for the answer |
|
@rozPierog @radex can we use this library https://www.zetetic.net/sqlcipher/sqlcipher-for-android/ in android side for encryption purpose and fmdb/sqlcipher for iOS? |
|
@waqas19921 I don't think it's necessary on iOS:
It would matter only for jailbroken phones with sandboxing disabled, I think. And yes, encrypting sqlite makes sense, and would be nice if it was an option — but as discussed above, this has consequences on app bundle size and performance. Would you like to do more research on this and contribute to this effort? |
|
Here I integrated sqlcipher master...y3g0r:feature/sqlcipher. It's quick and dirty, but it works for me so far. Maybe it will help somebody out there to get the idea on how to get sqlcipher working with WatermelonDB. PS. To WatermelonDB developers/maintainers: thank you so much for such a great project. |
I don't think (but I might be behind on some API) there's really a good encryption/safe key storage api on the web… But it would be great if there was...
Right! It's not actually difficult at all to set up memory databases in either, but it's not exposed to public API. It should be very easy to contribute an extra param or something for in-memory databases |
|
Is there a plan to integrate the approach by @y3g0r in the near future? We are currently evaluating to integrate WatermelonDB in our app, but encryption is a required feature and so it's quite sad that it could be the only showstopper. (I'm really lucky with the other features of the framework.) |
|
@radex Ok, I just implemented it on my own today as a proof of concept based on the idea of @y3g0r and it's changing quite many files when I provide it in a clean way. Nevertheless, it works! ...and I could provided it as pull request in a way that it could be used as an option for Android to enable users to have encrypted sqlite DBs there. Shall I provide it as a pull request for master or the newest release? I want to try to avoid as much merging effort as possible. |
|
@afiller please send pull requests to master |
|
@radex We needed to encrypt data in a project. When do you think the solution will be merged? |
|
@SebDev94 Likely in the month or so when I have more time to work on 🍉 -- would you like to contribute to the project as well? That would speed up the work |
|
Hi @radex, @rozPierog I'm interested in the issue and would like to contribute to getting it through if possible, but it's currently unclear what on #597 is missing except for the conflict. If you point me in the right direction and my skillset is compatible I'd be happy to give it a try to push it through the finish line. Is the current conflict the only blocker? |
|
Any news on this or should we use the fork? |
|
Any updates? |
|
Here is the work done and is also not finished yet #907 |
I just curious about it.
The text was updated successfully, but these errors were encountered: