I created a Phonegap/Cordova-based Android app which uses cookies, e.g. for session authentication/automatic sign-in. During a security review the concern was raised that if an attacker could get hold of the phone, he could read out the cookies and hijack the user's session.
Is there a way to programmatically encrypt the device's storage or prevent access to the cookies using Android OS 4.0 and up? I would prefer (but not insist on) a solution that is easily integrated with Phonegap/Cordova.
Security-wise this is absolutely a non-issue, because an attacker would need to obtain an unlocked device in order to hijack an ongoing session. Therefore the idea of encrypting session cookies is pretty absurd - besides, the cookies will be set automatically, without the least possibility to hook in there.
And even if one could encrypt them, when an unlocked device with an ongoing session can be obtained, this would not prevent anything at all. This concept is flawed and not well thought out.
The simplest solution to the problem: if you do not want to let the WebView save session cookies to internal storage, simply don't use the WebView to obtain them - then it obviously won't save them.
And I'd first like to see a proof of concept for getting around the encryption on a locked device. When having a rooted device with the debug bridge enabled and the screen lock disabled, which would provide an attack vector, the security problem is a whole other one than the WebView's default cookie storage facility.
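The approach the answer suggests, obtaining the session outside the WebView's cookie jar, looks like the following in a Cordova app. This is an added example, not code from the original question or answer: the session token is fetched with an explicit request that omits cookies (`credentials: 'omit'`, so any `Set-Cookie` the server sends is ignored and nothing reaches the WebView's cookie storage), held only in a JavaScript closure, and sent as an `Authorization` header. The backend (`POST /login` returning `{"token": ...}`, bearer-token endpoints), the user `alice`, the password, and the `fakeFetch` stand-in that lets it run offline are all constructed for the example; a real app would pass `window.fetch` (or a polyfill on old WebViews) to `createSession`.

```javascript
// Added example (not the original post's code). Keeps the session token out of
// the WebView cookie jar: it is obtained by an explicit request with cookies
// disabled, lives only in this closure, and is sent as a bearer header.
// Assumed (hypothetical) backend: POST /login -> {"token": "..."} ; other
// endpoints accept "Authorization: Bearer <token>".
function createSession(fetchImpl) {
  let token = null; // in memory only: never document.cookie or localStorage

  async function login(username, password) {
    const res = await fetchImpl('/login', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      credentials: 'omit', // neither send nor store cookies for this request
      body: JSON.stringify({ username, password }),
    });
    if (!res.ok) throw new Error('login failed: ' + res.status);
    const body = await res.json();
    if (typeof body.token !== 'string' || body.token.length === 0) {
      throw new Error('login response carried no token');
    }
    token = body.token;
    return true;
  }

  // Every authenticated call goes through here, so the cookie-less policy
  // cannot be forgotten on a single request.
  async function request(path, init = {}) {
    if (token === null) throw new Error('not logged in');
    const headers = Object.assign({}, init.headers || {}, {
      Authorization: 'Bearer ' + token,
    });
    return fetchImpl(path, Object.assign({}, init, { headers, credentials: 'omit' }));
  }

  function logout() { token = null; } // drops the only copy of the token
  function isLoggedIn() { return token !== null; }

  return { login, request, logout, isLoggedIn };
}

// Constructed stand-in for fetch so the example runs offline; it records each
// call so the cookie policy used on the wire can be checked afterwards.
function makeFakeFetch() {
  const log = [];
  const VALID_TOKEN = 'tok-0123456789abcdef'; // constructed value
  async function fakeFetch(path, init) {
    log.push({ path, init });
    if (path === '/login') {
      const { username, password } = JSON.parse(init.body);
      if (username === 'alice' && password === 'correct horse') {
        return { ok: true, status: 200, json: async () => ({ token: VALID_TOKEN }) };
      }
      return { ok: false, status: 401, json: async () => ({}) };
    }
    const auth = (init.headers || {}).Authorization;
    if (auth === 'Bearer ' + VALID_TOKEN) {
      return { ok: true, status: 200, json: async () => ({ data: 'profile' }) };
    }
    return { ok: false, status: 401, json: async () => ({}) };
  }
  return { fakeFetch, log };
}

// Walks through a failed login, a successful login, an authenticated call and
// a logout, and returns what happened so it can be checked.
async function demo() {
  const { fakeFetch, log } = makeFakeFetch();
  const session = createSession(fakeFetch);
  const wrongPassword = await session.login('alice', 'wrong').catch(() => false);
  await session.login('alice', 'correct horse');
  const res = await session.request('/api/profile');
  const body = await res.json();
  session.logout();
  const afterLogout = await session.request('/api/profile').catch(() => 'rejected');
  return {
    wrongPassword,                     // false: bad credentials were refused
    profileOk: res.ok,                 // true: bearer header was accepted
    data: body.data,                   // 'profile'
    loggedInAfterLogout: session.isLoggedIn(), // false
    afterLogout,                       // 'rejected': no token, no request sent
    credentials: log.map((e) => e.init.credentials), // every call used 'omit'
  };
}
```

On an Android WebView the app's pages are served from `file://`, so these requests are cross-origin and the `credentials: 'omit'` setting is what stops the response's `Set-Cookie` from being stored. Note that this only moves the token out of persistent storage; as the answer says, on an unlocked device with the app open the session is still in memory and usable.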