I have a Cordova app on iOS that currently stores data using localStorage for offline use. This data can be viewed in plain text if the user has root access (either on a jailbroken phone or with sideloaded apps).
I would like to secure this data. Ideally I would just store this in KeyChain but it is disabled on the clients devices. I've thought about encrypting the data but it will be easy to reverse engineer any javascript implementation.
Any suggestions? Thanks.
Related
im have designed a complete mobile app.
The user has to login with their credientails in order to access the app. However, I am unsure where to store the credentials once he/she signs in. I will be reusing the username throughout different screens in the app. Where can I store them and how can i access them? is there such thing as a global variable for instance?
Also, say a user logged in the first time. I want the user to be able to shut down the app. Once the user comes back, he/she should not be asked to reenter their credentials. How can that be done?
Thanks
Luckily, all these infos are available on the official React Native docs.
https://reactnative.dev/docs/security#storing-sensitive-info
For persisted user data, choose the right type of storage based on its sensitivity. As your app is used, you’ll often find the need to save data on the device, whether to support your app being used offline, cut down on network requests or save your user’s access token between sessions so they wouldn’t have to re-authenticate each time they use the app.
The usual way to achieve that is by using the secure storage of each platform.
iOS - Keychain Services
Keychain Services allows you to securely store small chunks of sensitive info for the user. This is an ideal place to store certificates, tokens, passwords, and any other sensitive information that doesn’t belong in Async Storage.
Android - Secure Shared Preferences
Shared Preferences is the Android equivalent for a persistent key-value data store. Data in Shared Preferences is not encrypted by default, but Encrypted Shared Preferences wraps the Shared Preferences class for Android, and automatically encrypts keys and values.
Android - Keystore
The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device.
In order to use iOS Keychain services or Android Secure Shared Preferences, you can either write a bridge yourself or use a library which wraps them for you and provides a unified API at your own risk. Some libraries to consider:
expo-secure-store
react-native-keychain
react-native-sensitive-info - secure for iOS, but uses Android Shared
Preferences for Android (which is not secure by default). There is
however a branch that uses Android Keystore.
redux-persist-sensitive-storage - wraps react-native-sensitive-info
for Redux.
More on that here: https://reactnative.dev/docs/security#secure-storage
I have a application free and pro version, in this application user can store the values in localstorage values. But main problem is, if the user buy the paid version, they need some localstroage values from free version.
I think, we can access that application localstorage values using 64bit API key. But I can not search like that.
I can done it through user login and upload the localstorage value to my database and etc. But my application don't have the login process.
If the free and paid versions are separate android applications then localStorage cannot be shared as it is application-contained
I need to build a PHP/MySQL app that allows offline access on iPads (for travelling salesmen often in deep country without internet connection). I have to manage a daily (or on demand when the device is online) sync between the local data and my remote server. I have a large database, which cannot fit in the 5M localStorage limitation. IndexedDB or Filesystem API are not available on Safari (according to http://caniuse.com/).
Is there other ways that would be appropriate to get it done?
Can't you use WebSQL? ( see question What is the maximum size of a Web SQL DB in iOS (Safari) on the iPad? How about LocalStorage? ).
If you coded it for LocalStorage you could easily use that LocalStorage API to access WebSQL on iOS devices...
Perhaps a jump to PhoneGap would solve some of your problems?
Do you need to store ALL data from your database?
I have a library for doing Syncrhonization, it's LocalStorage at the moment but the next update will allow me to use nearly any storage mechanism as it only needs one index. Purging data that is no longer required is on the list too... It's located at https://github.com/forbesmyester/SyncIt and you can even see a presentation courtesy of SkillsMatter / LondonAJAX.
I need to ask for some advice regarding offline web applications and database sync.
Offline Scenario
We have a web site (HTML5) that needs to operate in an offline mode for extended periods of time with complex data, the product owner does not want the data put into local storage.
We have two options as I see it;
Use javascript to detect if we are offlline and if so point the urls to a local web server that replicates the stack at the data center and writes to an offline db
◦Biggest stumbling block is how, on the first load if you are offline do you get the location (URL) of the local web server? i.e. user goes to www.xyz.com, but you are offline so
Question 1: how to redirect him to localhost.xyz.com via javascript for that first call
Point all calls at the client , offline or not to a wcf service that checks offline status at the NIC and redirects every web and service call to the correct place
◦seems like a big job,
Question 2: is there any product/ opensource project you guys know off that does this?
Sync Scenario
•They want to use MS sync framework
◦But they have many clients syncing to different database, so you either need 1 sync service per client or some way to identify who the client syncing is and point them to the correct place
◦Need to minimize locking during sync as other clients are using the same tables during sync
Question 3: can the sync framework be extended to even do this
Question 4: What other options exist for database sync on MS platform?
Thanks
If the user puts the URL into their browser, they are going to go that URL. There is no javascript at that point. You would only have Javascript once a page is loaded. You will have to search for a better solution.
Here is an idea: Users ALWAYS go to the local website, and if the remote site is up, then you redirect them.
In terms of MS sync I do not know what it is, so I cannot help you there.
Re What other options exist for database sync on MS platform: there is also SQL Azure Data Sync, a windows azure web service. It is actually built upon the Microsoft Sync Framework you refer to.
There is an example in the book "Programming Microsoft SQL Server 2012" by Leonard Lobel & Andrew Brust (MS Press) - chapter 13 covers building occasionally connected systems that incorporate SQL Azure Data Sync, Windows Azure and the Windows Phone 7 development platform. In the sample solution, on the back end, an on-premise SQL Server database is kept synchronized with a public facing SQL Azure database in the cloud using SQL Azure Data Sync. The cloud database is exposed using WCF Data Services (also hosted in the cloud by deploying to Windows Azure) and consumed via OData by a mobile client application running on a Windows Phone 7 device. The sample solution detailed in the chapter demonstrates how these technologies work to keep data in sync across on-premise SQL Server, SQL Azure databases in the cloud, and local storage on Windows Phone 7 devices.
Sync Framework do not lock tables when synching.
depending on what client database you want to use on the client, you can either use Sync Framework itself which works with MS databases (SQL CE, SQL Express,LocalDB,SQL Server, SQL Azure) or you can use the Sync Framework Toolkit
whichever platform you choose, i would suggest simply writing to the local store and synching it rather than dynamically choosing which store to use when.
for example, if you went offline and you wrote to the local store. then your network monitor detects you are back online and redirects you to the online service, what would you do with the data you stored locally? or you transacted online and you suddenly went offline, how recent/updated is the local store for you to actually starting working agaisnt it?
You could use Service-Workers to make the website work while users are offline. see: Making PWAs work offline with Service workers. This allows your website to work for the users if they are offline (they need to have internet at least once every 24 hours).
Service-Workers also allows you to detect when your user is offline or online, and you can for example use the IndexedDB to store your offline changes and then synchronize them when the user is online again.
I don't know about MS Sync.
We are considering using Titanium to develop for Android and iPhone version of an application originally made for Blackberry. However, we want the authenticate the device and not through the traditional method (username + password). In the case of Blackberry, we use Blackberry PIN to authenticate devices against a database of a web service. We think using the IMEI of the device, but do not know how safe it is.
Does anyone know a way to authenticate a device using a similar method? Is it possible to extract the IMEI of a team using Titanium?
There are standard calls that allow us to authenticate by MEID on handset, (PlatformMgr.getPlatform().getDeviceId() comes to mind for android). You can get this and encrypt it with AES 128-bit encryption (IcryptoManager package) and use it for authentication.
I dont remember off the top of my head for iphone but I am sure something similar exists there too.