Good afternoon,
I explain the scenario in more detail:
Suppose I am developing an application for Android, and it needs to make queries to an external database (MySQL server for example), even if it is only once.
I was surfing the web for a while regarding this topic, and from what I have found, doing this from the Android application itself is dangerous and such a practice is not recommended, since they maintain that, if some malicious person with the correct tools takes the application and decompiles it, they will already have the database credentials (obviously this is already mega dangerous).
I know that more than one application must do something of this caliber... make a single query process to the MySQL server (SQL SERVER, APACHE, WHATEVER) and load the necessary data to the client application using SQLite.
So I come up with the following question:
How then, could I connect to an external database securely?
Any Android App can be reverse engineered, there is no way around that except proguard-rules. So that can't be your fear. If the data transmission is done through a means that is definitely insecure, then you have no way of controlling it either, and if someone hacks the server where the DB is, it has nothing to do with the App either.
So make queries to your server from the App without fear, that is not the real security hole. And because they decompile the app, don't worry either, apps are made for that, to be decompiled.
As such, you define the protection mechanisms in your architecture. Having said this, it is generally optimal that applications do not have a direct connection to the database but make a request to a Web Service, which has an active SSL certificate that protects your communication and authenticates users in order to access the data. You could read about this in this IBM post, where it also talks about transport-level security.
Now, if for some reason your application allows a user to connect to a database that you configure, you are very dependent on the level of security that the database has active, with which, if it does not travel through an encrypted connection, a sniffer could capture the information; however, you could prevent someone from extracting the connection string from the application by encrypting the data so as not to leave it so simple, e.g. with a public key, a password defined by the user, or even, on mobiles that support it, with the user's fingerprint using the FingerprintManager APIs on Android.
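The web-service arrangement described in the answer above, as an added example that is not part of the original answers: a small server-side WSGI endpoint that keeps the database connection and signing key on the server, authenticates the caller by token, and runs one fixed parameterized query, so a decompiled APK yields only a per-user token. The `notes` table, the simplified token scheme (no expiry), `TOKEN_KEY`, the in-memory SQLite stand-in for MySQL and the `call` helper are all assumptions, and TLS is assumed to be terminated by whatever HTTPS server hosts the app.

```python
import hashlib
import hmac
import json
import sqlite3

# Everything in this file runs on the server; none of it ships inside the APK.
TOKEN_KEY = b"constructed-demo-key"  # assumption: loaded from server-side config in practice
DB = sqlite3.connect(":memory:")     # stand-in for the MySQL server (assumption)
DB.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
DB.executemany("INSERT INTO notes VALUES (?, ?)",  # constructed sample rows
               [("alice", "buy milk"), ("alice", "call bob"), ("bob", "pay rent")])


def issue_token(user: str) -> str:
    """Handed to the app after a successful login (the login step is not shown)."""
    mac = hmac.new(TOKEN_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def verify_token(token: str):
    """Return the user name if the token's MAC is valid, otherwise None."""
    user, _, mac = token.rpartition(".")
    expected = hmac.new(TOKEN_KEY, user.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(mac.encode(), expected.encode())  # constant-time compare
    return user if user and ok else None


def app(environ, start_response):
    """WSGI endpoint (hypothetical GET /notes): the only query the app can trigger."""
    auth = environ.get("HTTP_AUTHORIZATION", "")
    user = verify_token(auth[7:]) if auth.startswith("Bearer ") else None
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "application/json")])
        return [b'{"error": "unauthorized"}']
    # Fixed SQL, parameterized and scoped to the authenticated user; the client sends no SQL.
    rows = DB.execute("SELECT body FROM notes WHERE owner = ? ORDER BY rowid", (user,)).fetchall()
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps({"notes": [r[0] for r in rows]}).encode()]


def call(token=None):
    """Invoke the WSGI app in-process, as the phone would over HTTPS; return (status, JSON)."""
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": "/notes"}
    if token is not None:
        env["HTTP_AUTHORIZATION"] = "Bearer " + token
    status = []
    body = b"".join(app(env, lambda s, h: status.append(s)))
    return status[0], json.loads(body)
```

On the Android side the app stores only the token it received at login and sends it in the `Authorization` header over HTTPS; the database host, user and password never appear in the client.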