
Protecting the SQLite database

Developer https://www.devze.com 2023-03-31 16:39 Source: Internet

In my app I have a database which must be protected with a key to restrict other apps on this device from accessing it.

The problem is that I cannot get the signing key at runtime: whatever I do, CodeSigningKey.get(...) always returns null.

This is my code:

    final CodeSigningKey key = CodeSigningKey.get(AbstractDB.class);
    if (key != null) {
        Log.d("+ GOT SIGNING KEY");
        final DatabaseSecurityOptions secopt = new DatabaseSecurityOptions(key);
        db = DatabaseFactory.create(name,  secopt);
    } else {
        Log.d("- SIGNING KEY IS NULL");
    }

I have downloaded the Signing Authority Tool and created a TEST.key using it, and put it in {project_root}/keys/TEST.key in my Eclipse project.

Also, I've double-clicked TEST.key in Eclipse and selected the AbstractDB class to be signed with it.

I run my app on a real device, not in the simulator.

I run it as follows:

  1. Start debugging on a device - this initiates packaging and signing the .cod file. (However, in the signing tool window I get a warning about my TEST.key: "Not registered" and "Please contact the signer and register with the Signing Authority.")

  2. With the Signing Authority Tool I sign the .cod file obtained in step 1 using my TEST.key.

  3. I click debug on device once again, and the signing tool signs the main .cod file again, and then the app starts on the device.

However, the key I get from CodeSigningKey.get(..) is always null.

What am I doing wrong?

Solution

After a hint from Michael I was able to resolve this problem.

First of all, indeed I needed an object instance in CodeSigningKey.get(...). However, there is one thing you should be aware of: if your object extends some classes and/or implements some interfaces, then ALL of those must be signed with the same key in order to work. If any of the ancestor classes/interfaces is not signed, you will get null.

This can be a problem if your hierarchy is deep enough. Information about which classes are signed with which keys is stored in BlackBerry_App_Descriptor.xml, and copied into the parameters of the signing tool when you click Debug. It may happen that the command line gets too long, so the signing tool fails with an "Invalid parameter" message in the console.

So I've extracted a class specially for the signing purpose:

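    import net.rim.device.api.system.CodeSigningKey;

    // Single-purpose class: the only class that has to be signed with the custom key.
    public final class SignatureClass {
        // CodeSigningKey.get(...) needs an object instance, so keep one around.
        private static final SignatureClass INSTANCE = new SignatureClass();

        private SignatureClass() { }

        // Returns the key this class was signed with, or null if it is not signed.
        public static CodeSigningKey getKey() {
            return CodeSigningKey.get(INSTANCE);
        }
    }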

I sign only this class with my key and use SignatureClass.getKey() to get the key.

PS: Also, if you move/rename classes or keys, check that the signing references in BlackBerry_App_Descriptor.xml are valid. They aren't updated automatically.

Update

How to issue your own signing key properly.

In the process I've described above I had to sign the .cod file with a separate tool because the built-in signing tool gave the error "Not registered" for my TEST.key. In order to fix this and have your .cod signed automatically in one go, do the following steps.

  1. After you have created your key with the Signing Authority Tool, launch the WebAdmin utility included in that app. It offers to create the keys database and launch the WebSigner service.

  2. Having successfully started the WebAdmin, click menu Record->Add. You'll get a window where you can create a .csi file. Configure: number of requests - infinite; expiry date - never; email notifications - none; email CSI file - no. Click OK and you'll see a dialog with a generated PIN - save it for future use. The .csi file is generated and saved in the /data folder in the Signing Authority Tool.

  3. Install the .csi file using Eclipse->Window->Preferences->BlackBerry plugin->Signature Tool->Install new keys and register it using the PIN from step 2.

Done. From now on, when signing with RIM keys you'll have your .cod automatically signed also with your key.


I believe you need an object instance from your app, instead of a class object. In this case 'this' ought to work.
