Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How secure is storing data with localStorage?

My app requires login, and I have a Remember username and password ability. The username and password is then stored with

localStorage.setItem('username', username);

How secure is this way of storing the username and password? What I'm worried about, specially on Android, is if other apps have access to the data and can fetch the login info.

The app is for iOs and Android, and I'm using PhoneGap 2.9.

like image 283
Publicus Avatar asked Aug 09 '13 10:08

Publicus


2 Answers

LocalStorage is under normal circumstances only accessible by your app. It is as secure as the sandbox on the specific platform (iOS, Android) is able to protect your app's data from being read by other apps.

Sometimes that sandbox is not as strong as you might expect, e.g. in these cases:

  • the device is rooted or jailbroken
  • the manufacturer failed to provide security updates or the user just didn't update
  • the attacker has physical access to the device for example if it is stolen.

If the attacker has access to the cleartext password and username, they could try them also for other accounts (not just your service). So if the user of your app used the same password for multiple services, the attacker could gain access to them as well.

What about storing a password hash?

For server side applications this is a great idea, because they run in a protected environment (datacenters with access control, system engineers taking care of security updates).

A phone, on the other hand, is stolen easily, and users often don't or can't install security updates.

If the hash is not salted it is very easy to get the cleartext password using rainbow tables if you got the hash. If the hash is salted it is very easy to get the cleartext password for simple passwords. Also, it's very easy to generate insecure password hashes.

Solution: store randomly generated access tokens: no matter how simple or complex the password is, it's just impossible to get the clear text password by looking at the token.

TL;DR

If you're using the credentials for authentication against some kind of API service, you should not store the password and username locally, even in a secure store such as the iOS keychain.

What you should do instead is storing only a randomly generated token (NOT a password hash!) you get from that API (similar to the concept of storing the Session ID in a cookie rather than the user/pass combination). One possibility would be to use OAuth.

That way you make sure the real credentials can never be leaked, even when the sandbox fails to protect the data or the phone is stolen.

like image 112
stefreak Avatar answered Sep 18 '22 06:09

stefreak


Each application uses it's own webview in PhoneGap, the localStorage will be accessible in that webview only.

EDIT: I would still think about hashing the password.

like image 37
Frederik Voordeckers Avatar answered Sep 20 '22 06:09

Frederik Voordeckers