Android Question How to secure data in the event an employee phone get stolen or loss?

[aeric]

Assume I am developing an Android app for a client and the engineers are provided with the devices and app. In case an engineer lost the phone or the device get stolen, the company have concern that the data will be fall into wrong hands.
To convince the client, what I can do?

Here are what I can do:

1. The app requires login and token expires (become invalid) within certain period of time, let say 1 or 3 days? 30 minutes? Always logout when remove from recent app?
2. Encrypt certain columns in SQLite
3. Use SQLCipher
4. Self destroy database using firebase push notification
5. Self destroy certain tables in SQLite on app start if user no login for certain period eg 3 days

Any more practical ways?
Please comment and recommend ??

 

[aeric]

Thanks @Intelemarketing and @sfsameer for so advanced suggestions.
I am thinking more simpler solutions.
I think password login and encrypted database are sufficient.
Maybe a timer or service running on the background to clear the data after a period of time.

 

[Alex_197]

1 - Android smartphone would be provided by the client to their engineer
2 - Most Android smartphones nowadays are equipped with GPS but there is no requirement on GPS tracking at the moment

but there is no requirement on GPS tracking at the moment - you right. We thought that we can somehow to get the location info from the incoming phone call but this info is available only to 911.

 

[Alex_197]

Thanks @Intelemarketing and @sfsameer for so advanced suggestions.
I am thinking more simpler solutions.
I think password login and encrypted database are sufficient.
Maybe a timer or service running on the background to clear the data after a period of time.

what I would suggest is to add a token into the url that the app sends to the server to sync the data - in this case you will know that this request was sent from the app, also you can encrypt this token and decrypt it on the server and then compare with the info on the server, just in case, even with SSL we're in a danger of the middle man

 

[tigrot]

Store db's encrypted key value on each phone when the app is started the first time reading it from a web service. The value for encryption key is reconstructed concatenating some separate piece of key, so also decompilation makes hard to get.
A two level encryption is hard to decode.

 

[MrKim]

Well, I would certainly encrypt the data using the users password plus some additional complications, regardless.

Another option, since the data on the device is a shop floor requirement that presumes it is only used during certain hours and or in certain locations. This means you could just delete the data after hours or when out of range and have them reload it when they come to work the next day.