1

I am going to build a PIN lock on Phonegap, trying to understand the security layer. As Phonegap is just a webview, it can be easily altered, if you are connected to a device.

I believe that you can also decompile the Java as simple as the HTML5 from Phonegap. So would it makes a difference if I put a screen lock on the HTML5 layer or the Java layer?

I am trying to figure out if I can do anything else to make the pinlock more meaningful, instead of simply just remove the layer. I am also already obfuscating the JavaScript.

But it still means that if you obtain another phone that has the app, you can unroot it, and de-obfuscate the JavaScript then unlock it?

So if Java is just as easy to alter as HTML5 after rooted, then it makes no difference if I just build a JavaScript screen lock?

Vilican
  • 2,703
  • 8
  • 21
  • 35
clark
  • 99
  • 5
  • You have to secure the data in a way that it can only be decrypted/received correctly if the correct PIN has been entered. Either encrypt the data with a key derived from the PIN, or, if the data is requested from the server, check the PIN on the server. You should not store the PIN on the client. Be advised that a short numeric PIN can still be attacked easily with brute force. – Alexander Jul 17 '15 at 09:50
  • But if the Java/Html5 can be easily altered from decompiling, is there much point? Because the person can view the whole source code anyway, and if a session ID is still active on the app, can theoretically decompile it, alter the Javascript, and repackage it and run it? – clark Jul 17 '15 at 15:45

1 Answers1

0

Once the attacker has physical access to the device, it's game-over as far as software solutions go. You may be thinking that a Java-enforced PIN code is hard to break, but even a C or ASM enforced PIN code can be broken given enough time and effort.

What you need to do is to put whatever secret you're trying to protect either on a remote server (where you can implement bruteforce protections) or behind strong encryption (but a 4-digit PIN is a piece of cake to break even with good key derivation functions so make sure to use a strong password).

Anonymous
  • 85
  • 2
  • ok, thanks, yer all my secret stuff is already on a server, i was trying to think if its worth while to spend more time on a more secure pin lock, i have a remote wipe already,if that increase the security a tiny bit more, so the session token is wiped as well. – clark Jul 18 '15 at 03:19