Android SDK Database Encryption


You can encrypt the Android SDK database. There are 2 options to add encryption to the SDK database.

Option #1: Using a custom sqlite build with database encryption extension

The following steps describe using the sqleet database encryption extension, but you can use any sqlite database encryption extension.

  1. Go to the sqleet releases page.
  2. From the latest release, download or sqleet-v0.28.0-amalgamation.tar.gz.
  3. Extract the sqleet-v0.28.0-amalgamation file content.
  4. Rename the following files:
    • sqleet.h to sqlite3.h
    • sqleet.c to sqlite3.c
  5. Download the latest sqlite build.
  6. Extract the content of the file.
  7. Replace the sqlite3.h and sqlite3.c files in SQLite_Android_Bindings/sqlite3/src/main/jni/sqlite with the files you renamed in step 4.
  8. Open the SQLite_Android_Bindings folder as a project in Android Studio.
  9. Run the Gradle assembleRelease task.
  10. Open your application's project (the application that uses the sdk) in Android Studio.
  11. Click File -> New -> New Module.
  12. Select import Jar / AAR package.
  13. Select sqlite3-release.aar from the SQLite_Android_Bindings project in SQLite_Android_Bindings/sqlite3/build/outputs/aar.
  14. After the module is created, add the following to your application's build.gradle file dependencies:
    implementation project(path: ':sqlite3-release')
  15. In the "database" section of the MceConfig.json file, set the following:

    { "impl": "", "encrypted": true }
  16. Your application will now run with an encrypted sdk database.

Optional settings:

You can add the following to the "database" section of the MceConfig.json file:

  1. "keyRotationIntervalInDays": <number of days>
    This will set the number of days that will pass between every database key rotation. The default is 30. The minimum is 1.
  2. "encryptionProvider": "<encryption provider class name>"
    The sdk defines a default encryption provider. For Android 18 and above, this provider uses the keystore to store the key that encrypts the database secret key. For Android 17 and below, the sdk uses a code-based encryption, which is less secure. To use your own encryption, you can create your own class that implements, and set this class' name as encryptionProvider. If you want to override only our Android 17 and below encryption, you can extend the sdk encryption generator (package,push.sdk.encryption.DefaultSdkEncryptionProvider) and return your,push.sdk.api.encryption.EncryptionAlgorithm implementation only when the OS level is 17 or below. Here is sample code:
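    import android.os.Build;

    // Also import DefaultSdkEncryptionProvider and EncryptionAlgorithm from the sdk packages named above.

    public class SampleEncryptionProviderForAndroid17AndBelow extends DefaultSdkEncryptionProvider {
        @Override
        public EncryptionAlgorithm getEncryptionAlgorithm() {
            // Android 18 and above: keep the sdk's keystore-backed default.
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR2) {
                return super.getEncryptionAlgorithm();
            } else {
                // Android 17 and below: return your provider.
                // MyEncryptionAlgorithm is a placeholder for your own EncryptionAlgorithm implementation.
                return new MyEncryptionAlgorithm();
            }
        }
    }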
  3. "keyGenerator": "<database secret key generator class name>"
    The sdk defines a default database secret key generator that uses a random UUID. If you want to use your own key generator, you can have your own implementation that implements and set your class name as "keyGenerator".

Upgrade, downgrade and unencrypting options

  1. You can upgrade an older sdk version to an encrypted version.
  2. If you downgrade an encrypted version to an older sdk version that does not support encryption, the database will be erased and the sdk will start with a new database (all registration data will remain).
  3. If you want to replace an encrypted database with an unencrypted database using an encryption-supporting sdk, keep the custom sqlite implementation and only change "encrypted" to false. After the application is updated and the database is unencrypted, your next update can use the default sdk database ("impl": "" or no "impl" value at all), which is based on the Android OS sqlite version, and you can remove the sqlite3-release package from your application project.
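
To confirm the outcome of Option #1 (the database is encrypted after step 16) or of the unencrypting option above, you can inspect a copy of the database file. The script below is an added example, not part of the sdk or its documentation; the function names, the entropy threshold and the sample data are assumptions constructed for illustration. It relies on the fact that a plaintext SQLite file always starts with the 16-byte string "SQLite format 3\0", and assumes an encrypted file looks like random bytes.

```python
import hashlib
import math
import sys
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every plaintext SQLite file
HEADER_LEN = 100                        # size of the SQLite database header
ENTROPY_MIN = 7.0                       # assumed threshold, bits per byte

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, far lower for plaintext pages."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_db(blob: bytes, sample: int = 4096) -> str:
    """Classify the first `sample` bytes of a database file."""
    blob = blob[:sample]
    if not blob:
        return "empty"
    if blob.startswith(SQLITE_MAGIC):
        # Some extensions leave the header readable and encrypt only the pages.
        if shannon_entropy(blob[HEADER_LEN:]) >= ENTROPY_MIN:
            return "encrypted-body-plaintext-header"
        return "plaintext"
    return "encrypted" if shannon_entropy(blob) >= ENTROPY_MIN else "unknown"

# Constructed samples (not taken from a real device).
PLAINTEXT_SAMPLE = (SQLITE_MAGIC + bytes(84)
                    + b"CREATE TABLE t(id INTEGER PRIMARY KEY, v TEXT)".ljust(3996, b"\x00"))
# SHA-256 output used as a deterministic stand-in for ciphertext.
CIPHERTEXT_SAMPLE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

if __name__ == "__main__":
    if len(sys.argv) > 1:      # path to a copy of the database file
        with open(sys.argv[1], "rb") as fh:
            print(classify_db(fh.read(4096)))
    else:
        print(classify_db(PLAINTEXT_SAMPLE), classify_db(CIPHERTEXT_SAMPLE))
```

A result of "plaintext" after enabling "encrypted": true means the configuration did not take effect; "unknown" means the file is neither a recognizable SQLite file nor high-entropy and needs a manual look.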

Option #2: Using a completely custom database

For your own custom database that is not based on the sdk code, you can create your own implementation based on the following API classes:

  1. Set "impl" in the "database" section of the MceConfig.json file to be the name of your class that implements
  2. The rest of the parameters in the "database" section are not relevant to fully custom databases.