Android-nRF-Mesh-Library
Database security
Is your feature request related to a problem? Please describe.
Since any node can be provisioned into the network with a netKey and an appKey, an attacker who gets hold of the keys can add a new node for listening in. While going through the source code, I could not find any security on the database that stores these keys. Although Android provides sandbox storage for each app, it is still easily accessible on a rooted phone.

Describe the solution you'd like
Please add an option to use something like SQLCipher to encrypt the database. The key to be used can either be generated by the mesh lib and stored in the key-store, or be provided by the app, where the app will have the responsibility of securing the key.

Describe alternatives you've considered
I have considered exporting the network, storing it in encrypted format when the app goes to the background, and then deleting it from the mesh lib. When coming to the foreground, import the network. But this causes loss of the sequence number and doesn't address the issue.
Hi, thanks for pointing this out. This indeed is a known drawback in the library as of now. We'll try to get this fixed for the next release.
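
One way to implement the "key generated and stored in the key-store" option requested in this issue, as an added example that is not part of the thread or the library's own code. It assumes the database is opened through Room and that SQLCipher for Android (`net.sqlcipher.database.SupportFactory`) is on the classpath; the class name, key alias and preference names are hypothetical.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import androidx.sqlite.db.SupportSQLiteOpenHelper;
import net.sqlcipher.database.SupportFactory;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical helper: wraps a random SQLCipher passphrase with a non-exportable Keystore AES key.
public final class MeshDbKeyStore {
    private static final String ALIAS = "mesh_db_wrap_key";   // assumed key alias
    private static final String PREFS = "mesh_db_key_prefs";  // assumed preferences file

    private static SecretKey wrapKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(ALIAS)) return (SecretKey) ks.getKey(ALIAS, null);
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256).build());
        return kg.generateKey();
    }

    // Returns a factory for Room's openHelperFactory(); only the wrapped passphrase touches disk.
    public static SupportSQLiteOpenHelper.Factory openHelperFactory(Context ctx) throws Exception {
        SharedPreferences p = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        String iv = p.getString("iv", null), ct = p.getString("ct", null);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        byte[] pass;
        if (iv == null || ct == null) {              // first run: create and wrap the passphrase
            pass = new byte[32];
            new SecureRandom().nextBytes(pass);
            c.init(Cipher.ENCRYPT_MODE, wrapKey());  // the Keystore provider picks a random IV
            byte[] wrapped = c.doFinal(pass);
            // commit() so the wrapped passphrase is on disk before the database is created
            p.edit().putString("iv", Base64.encodeToString(c.getIV(), Base64.NO_WRAP))
                    .putString("ct", Base64.encodeToString(wrapped, Base64.NO_WRAP)).commit();
        } else {                                     // later runs: unwrap; the GCM tag check fails on tampering
            GCMParameterSpec spec = new GCMParameterSpec(128, Base64.decode(iv, Base64.NO_WRAP));
            c.init(Cipher.DECRYPT_MODE, wrapKey(), spec);
            pass = c.doFinal(Base64.decode(ct, Base64.NO_WRAP));
        }
        return new SupportFactory(pass);
    }
}
```

Because the Keystore key is non-exportable, copying the database and preferences files off the device does not yield the passphrase. An existing plaintext database has to be migrated (for example with SQLCipher's `sqlcipher_export`) before it opens with this factory.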