Abstract:

The Android operating system offers several private data storage techniques that may be used in mobile applications. All data related to a given application may be stored in its private, sandboxed folder which is not accessible to other applications installed on the device. That assumption no longer holds if a malicious application obtains root privileges allowing to get access to the entire filesystem of the mobile device – in such a case the application’s private data may become easily accessible and will no longer be protected. In this paper, the concept of a secure data storage scheme utilizing sophisticated Android OS security mechanisms combined with password-based techniques deployed for protecting application data is presented. The efficient combination of user-provided secrets, hardware based keys and an SQLCipher database, as described in this paper, may be used for improving the level of security of Android applications.