SQLite query not returning expected results despite correct hashing and comparison in Android application


I'm facing an issue with comparing a hashed email value stored as a BLOB in an SQLite database with a hash generated from an email address in my Android application. Here's a simplified version of my code:

@SuppressLint("Range")
public UserCredentials findUserCredentials(String email) throws DBFindException {
    SQLiteDatabase db = null;
    Cursor cursor = null;
    UserCredentials userCredentials = null;

    try {
        db = open();
        byte[] emailHash = SecurityService.hash(SerializationUtils.serialize(email));

        String selection = EMAIL_HASH + "=?";
        String[] selectionArgs = {new String(emailHash, StandardCharsets.UTF_8)};
        cursor = db.query(TABLE_NAME, null, selection, selectionArgs, null, null, null);

        if (cursor != null && cursor.moveToFirst()) {
            byte[] passwordBytes = cursor.getBlob(cursor.getColumnIndex(PASSWORD));
            byte[] salt = cursor.getBlob(cursor.getColumnIndex(PASSWORD_SALT));
            if (passwordBytes != null && salt != null) {
                HashData hashData = new HashData(passwordBytes, salt);
                userCredentials = new UserCredentials(cursor.getLong(cursor.getColumnIndex(ID)), hashData);
            }
        }
    } catch (SQLiteException | SerializationException | HashException exception) {
        throw new DBFindException("Failed to findUserCredentials from user with email (" + email + ")", exception);
    } finally {
        if (cursor != null)
            cursor.close();
        close(db);
    }

    return userCredentials;
}

Despite ensuring that the hash generated from the email address matches the value stored in the database, the query doesn't return any results. I suspect the issue might be related to how I'm passing the hashed value as an argument in the selectionArgs. However, even after converting the hash to hexadecimal format for comparison, the problem persists.

Could someone please advise on what might be causing this issue or suggest any potential solutions?

PS: This is the code snippet I'm using for getContentValues during the insert operation, where EMAIL_HASH is a column in the database and user.getEmail() returns a String:

contentValues.put(EMAIL_HASH, SecurityService.hash(SerializationUtils.serialize(user.getEmail())));


1
Akshay On

Make sure that you're using the same hashing algorithm and encoding/decoding mechanisms when generating and comparing the hashed values. Any discrepancy in the hashing process can lead to mismatched values.

Here's a modified version of your code snippet that demonstrates how you can encode the hashed values as hexadecimal strings:

String emailHashHex = bytesToHex(emailHash); // Convert byte array to hexadecimal string

String selection = EMAIL_HASH + "=?";
String[] selectionArgs = { emailHashHex };

// Helper method to convert byte array to hexadecimal string
private String bytesToHex(byte[] bytes) {
    StringBuilder sb = new StringBuilder();
    for (byte b : bytes) {
        sb.append(String.format("%02x", b));
    }
    return sb.toString();
}

By ensuring consistent encoding and decoding mechanisms and using hexadecimal encoding for comparison, you should be able to compare the hashed values successfully in your SQLite query.
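Added example, not part of the original question or answer: a Python `sqlite3` script that runs the comparisons discussed above against a BLOB column, showing which parameter forms SQLite treats as equal to the stored hash. The table layout, the sample address, and the use of SHA-256 in place of `SecurityService.hash()` are assumptions.

```python
import hashlib
import sqlite3

# Constructed schema mirroring the question: the hash column is a BLOB.
SCHEMA = "CREATE TABLE users (id INTEGER PRIMARY KEY, email_hash BLOB)"
BY_VALUE = "SELECT id FROM users WHERE email_hash = ?"
BY_HEX = "SELECT id FROM users WHERE hex(email_hash) = ?"


def email_hash(email):
    # Assumption: SHA-256 stands in for SecurityService.hash(), which the page does not show.
    return hashlib.sha256(email.encode("utf-8")).digest()


def lookup(db, sql, arg):
    """Return the matching row id, or None when nothing matches."""
    row = db.execute(sql, (arg,)).fetchone()
    return row[0] if row else None


def demo():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    digest = email_hash("alice@example.com")  # constructed sample address
    db.execute("INSERT INTO users (email_hash) VALUES (?)", (digest,))
    # Approximates new String(hash, UTF_8): invalid byte sequences become U+FFFD.
    lossy = digest.decode("utf-8", errors="replace")
    return {
        # Digest forced into a string and bound as TEXT: TEXT never equals a BLOB.
        "utf8_text": lookup(db, BY_VALUE, lossy),
        # Hex string bound as TEXT against the raw BLOB column: still TEXT vs BLOB.
        "hex_text_vs_blob": lookup(db, BY_VALUE, digest.hex()),
        # hex() on the column yields uppercase digits, so lowercase hex misses.
        "hex_lower": lookup(db, BY_HEX, digest.hex()),
        # Uppercase hex compared with hex(column): TEXT vs TEXT, matches.
        "hex_upper": lookup(db, BY_HEX, digest.hex().upper()),
        # Parameter bound as a BLOB: BLOB vs BLOB, matches.
        "blob_param": lookup(db, BY_VALUE, digest),
    }


if __name__ == "__main__":
    for name, row_id in demo().items():
        print(f"{name:18} -> {row_id}")
```

On Android, `db.query()` binds every `selectionArgs` entry as a string, so the forms that carry over are `hex(EMAIL_HASH) = ?` with an uppercase hex argument, or storing the hash as hex text at insert time and querying with the same encoding.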