15

I am (partly) following a tutorial to develop a Cordova app, based on AngularJS. The author stores the refresh token in local storage, which was said to be very bad practice in one of the comments on that same tutorial. This is confirmed in another Stack Exchange question. Best practice is then to store the refresh token in a secure HttpOnly cookie. OWASP also mentions this as a guideline, and again they argue to use cookies, which is not possible in a native app.

Now, I can see why it is bad practice when the app is available through the browser, but if I 'phonegap' the app (so that it becomes a native one) is it then also still bad practice to store the refresh token in local storage?

If so, where should I store the refresh token then, as cookies do not exist in 'native' apps?

Michael
  • PhoneGap does not make an app native. The webview is native, but the application itself will still be code inside that webview. (And many things inside that webview can be fetched.) – Malavos Oct 29 '14 at 13:56
  • And does this application inside that webview make use of private localStorage, or does it share its localStorage with other apps/browsers on the device? – Michael Oct 29 '14 at 14:20
  • True that. I'm removing my old comments to clear the comment section. Like I said, I'm not fitted to answer, but I find this question really good! – Malavos Oct 30 '14 at 16:31
  • @Michael: How did you end up implementing it? Did you store it encrypted in localStorage? How would you store the secret passphrase? Or did you use the File API? – Clawish Feb 27 '15 at 18:30
  • @Clawish, I stored it in localStorage. As it is a main concern for mobile OSes to rigorously separate between apps (execution, files, etc.), I felt it was safe to assume that localStorage of one app would not be reachable via other apps/browsers. Of course, somebody with physical access could get ahold of the token, but that was not an issue for me (the user himself can know about his/her own token, as I use the token to identify that user). Also, my app did not require an in-app browser, as this browser would probably make use of the same localStorage! Lastly, be sure to build in XSS controls. – Michael Mar 01 '15 at 09:36

3 Answers

6

Well, according to the PhoneGap/Cordova security guide it seems that localStorage is not recommended for storing sensitive data. So what can you do?

Well, here are two options I think you can use.

1- Encrypt the refresh token and store it encrypted in localStorage. You can use CryptoJS (a JS library to encrypt/decrypt data) to encrypt your token using AES (see this example); it also has an AngularJS module.

2- You can store your refresh token on the device/phone file system using the Cordova File APIs. For an extra level of security you can encrypt the data and store it on the device file system. Note that on Android you will be limited to a 128-bit AES key size, but using some third-party plugin you can increase it to 256.

Ubaidah
  • Two questions. To 1.: how would I store the "Secret Passphrase" needed for the decryption on the device? To 2.: why is the file system secure, when I could just browse it via file managers (like iFile on iOS)? – Clawish Feb 26 '15 at 18:55
2

Actually PhoneGap apps are not really "all native". Only system functionalities (like file access, camera access, etc.) are translated to their Java counterparts. It still uses a webview and a lot of JavaScript to implement the application business logic.

So, answering your question, the local storage issue is still a valid concern as it is a feature of the Web View component used by these frameworks (PhoneGap, Cordova, Ionic and the like) to make the UI.

Additionally, all those requests that carry identification/secret elements (Session ID, Refresh Token, etc.) should be made through HTTPS, preventing malicious observers from knowing their values.

The HttpOnly flag marked in your cookie only prevents the value from being manipulated through JavaScript. Therefore, you should also add the Secure flag to those cookies, to avoid sending them through unencrypted connections.

And please, if you use encrypted connections, do not make it accept any certificate. Be sure to correctly verify the validity of the cert provided by the server.

Instead of disabling the check or making it return 'true' for any certificate, the secure solution to self-signed certificates is pinning the one you generated or adding the CA used to create your certificate to the list of trusted CAs.

To help you further in your quest for securing your mobile app communication:

OWASP document explaining Certificate Pinning
Page talking about the pros and cons and providing links and an example
SE question about Certificate Pinning

Edit:
From what I could understand, this is an incorrect behavior created by the framework implementation. Long answer short: "It should be possible, but we screwed things up." I tried developing test apps for PhoneGap, but found (implementation) errors like this one that made me give up and come back to native Android. That said, I would like you to please upvote my answer back to zero, as it should be right because your application is not native as you said, but unfortunately wasn't able to solve the problem because of PhoneGap's way of doing things.

DarkLighting
  • I'm sorry but I think this is an irrelevant answer. I know that I should use HTTPS, that's not what the question is about. The thing is that AFAIK I cannot use cookies, so the HTTPOnly and Secure flags are irrelevant. I have to store it in localstorage. The question is: is localstorage secure enough to store refreshtokens, and if not what should I use. Abu's answer is the best until now and I am gonna try it out before approving it. – Michael Nov 05 '14 at 13:00
  • Michael, as you may read again in the answer, PhoneGap apps are not all native, and if you do some digging, you'll see that local storage is a feature available for browsers. The [WebView used by Phonegap](http://developer.android.com/reference/android/webkit/WebView.html) and other frameworks are nothing but little browser implementations. So, cookies are still a possibility for your problem. – DarkLighting Nov 05 '14 at 13:06
  • If you take a look at the link explaining WebViews, you will find the answer you asked for in the section `Cookie and window management` and you will see that my answer is indeed very relevant for the matter. – DarkLighting Nov 05 '14 at 13:16
  • So you are saying that I can use cookies in my Cordova app? It seems it might be possible on IOS, but not on Android. Please check http://stackoverflow.com/questions/23471256/not-getting-cookies-in-android-phonegap-application and http://stackoverflow.com/questions/15349237/handling-cookies-in-phonegap-cordova and http://community.phonegap.com/nitobi/topics/authentication_session_cookies_in_android – Michael Nov 05 '14 at 13:31
  • Michael, I just read the topics you linked. From what I could understand, this is an incorrect behavior created by the framework implementation. Long answer short: "It should be possible, but we screwed things up." I tried developing test apps for PhoneGap, but found (**implementation**) errors like this one that made me give up and come back to native Android. That said, I would like you to please upvote my answer back to zero, as it should be right because your application is not native as you said, but unfortunately wasn't able to solve the problem because of PhoneGap's way of doing things. – DarkLighting Nov 05 '14 at 14:25
  • Please edit your answer with this last comment and I will upvote it as it is indeed relevant information. – Michael Nov 05 '14 at 14:54
0

I found an answer that could help here (I am a French speaker, just to help): https://stackoverflow.com/questions/36389354/securely-store-access-token-in-cordova