[developernotes]

This paper highlights various possible attack vectors. SQLCipher would still be vulnerable to scenarios such as an active attacker on device/machine where the key is resident in RAM. If you are interested in the design features of SQLCipher, I would recommend reading this: https://www.zetetic.net/sqlcipher/design/

[problems]

> would still be vulnerable to scenarios such as an active attacker on device/machine where the key is resident in RAM

Doesn't this go without saying? Seems kind of ridiculous to try to protect against that attack vector at least on today's hardware.

[swordswinger12]

To protect against an attacker with physical access to a machine may indeed be futile, but it should be possible to provide some measure of security against a malicious process running on the machine.

Defending sensitive data if the DB process itself is compromised, again, seems pretty difficult. That was the original goal of the academic proposals like CryptDB or Cipherbase - defense even against a fully malicious database server.