
Local storage protection in phonegap application

I should develop a PhoneGap application. I need to encrypt my requests to the server side and then decrypt. HTTPS is not a solution, because I need to sign requests to be sure that the data is not fake. I can use any async cryptography (the app will generate private/public keys and will send the public key to the server). But this way I need to keep my private key on the device.

The question is: how can I keep the private key on the device securely?

I can use SQLCipher (to encrypt my local SQLite DB) and integrate it into my PhoneGap app. Great, but here I have to keep a secret key for the database :)

var db = window.sqlitePlugin.openDatabase({name: "DB", key: "secret1"});

Anyone who has access to the phone can get this secret key. So here I have the same issue :)

Please, give me any suggestions.

Thanks!

p.s. app for iOS and Android

asked Dec 05 '13 17:12

Gleb


2 Answers

You have to differentiate between encryption and authentication.

First, I suggest using HTTPS to encrypt your messages and transfer them securely.

Second, I suggest using HMAC for authentication of your messages. It basically works like this:

  • Generate a secret string known to your app and the server at compile time. You store this secret directly in the source code of your app so it is never transmitted to or from the server. This might be the main difference to your private/public key approach: You compile the secret right into your app instead of writing it later in some user accessible storage. "Right into your app" means in the case of Phonegap NOT in your HTML/JS files but in the native source code! You have to bridge the accessor to javascript if necessary.

  • Set a user id (=key; long, random!) in your app when the user starts your app for the first time. If you want to authenticate your users, you probably have some kind of login/password mechanism. (Store the user id as well as an HMAC generated from the user id and the shared secret on the device. Every time you read the user id, check it against the hash to be sure that the user id was not spoofed.)

In your App

  1. Include a user id in every message.
  2. Include a timestamp in every message.
  3. Calculate the HMAC hash from a string put together from the message, the server address, the request URI, and the shared secret.
  4. Include the hash value in your request header.

On the server side

  1. Check if the timestamp is valid, e. g. not older than 2 minutes or so. This prevents replay attacks (at least after 2 minutes).
  2. Check in your database if the user id is valid.
  3. Calculate the HMAC hash from a string put together from the message, the server address, the request URI, and the shared secret. Including the request URI prevents people from sending the same valid request to another URI on your server; e. g. in REST environments it is a big difference if you send the same DELETE request to /comment/1 or /user/1.
  4. Compare it to the hash value submitted in your header; they have to be equal.
  5. If any check fails, send an error. Otherwise send the response.

There is a chance of getting the shared secret and information about how you calculate the HMAC hash by decompiling your source code. I see no way to avoid this risk. ...without diving deeper into native development:

iOS Keychain

https://developer.apple.com/library/ios/documentation/Security/Conceptual/keychainServConcepts/iPhoneTasks/iPhoneTasks.html

Android security features

http://developer.android.com/training/articles/security-tips.html

answered Nov 13 '22 05:11

ToniTornado
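The app-side and server-side steps from the answer above, written out as an added example for Node.js (not code from the original answer). It assumes the shared secret is used as the HMAC-SHA256 key instead of being appended to the signed string; the secret, host, user id and field names are constructed placeholders.

```javascript
// Added example (Node.js): HMAC-signed requests as described in the answer.
const { createHmac, timingSafeEqual } = require('node:crypto');

const SHARED_SECRET = 'constructed-demo-secret'; // placeholder, not a real key
const MAX_AGE_MS = 2 * 60 * 1000;                // the answer's 2-minute window
const KNOWN_USERS = new Set(['u-7f3a9c']);       // constructed stand-in for the user table

// JSON array encoding keeps field boundaries unambiguous in the signed string.
function canonical(req) {
  return JSON.stringify([req.host, req.uri, req.userId, req.timestamp, req.body]);
}

function hmacHex(req) {
  return createHmac('sha256', SHARED_SECRET).update(canonical(req)).digest('hex');
}

// App side: user id and timestamp in every message, HMAC carried as a header value.
function signRequest(host, uri, userId, body, now = Date.now()) {
  const req = { host, uri, userId, timestamp: now, body };
  return { ...req, signature: hmacHex(req) };
}

// Server side: returns 'ok' or the reason the request is rejected.
function verifyRequest(req, now = Date.now()) {
  // Written as !(x <= max) so a non-numeric timestamp (NaN) is rejected too.
  if (!(Math.abs(now - req.timestamp) <= MAX_AGE_MS)) return 'stale-timestamp';
  if (!KNOWN_USERS.has(req.userId)) return 'unknown-user';
  const expected = Buffer.from(hmacHex(req), 'hex');
  const given = Buffer.from(String(req.signature), 'hex');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return 'bad-signature';
  }
  return 'ok';
}

// Constructed demo: a valid DELETE body, then the same request aimed at another URI.
const T0 = 1700000000000;
const signed = signRequest('api.example.com', '/comment/1', 'u-7f3a9c', '{"op":"delete"}', T0);
console.log(verifyRequest(signed, T0 + 1000));                        // fresh, untouched
console.log(verifyRequest({ ...signed, uri: '/user/1' }, T0 + 1000)); // URI swapped
console.log(verifyRequest(signed, T0 + 3 * 60 * 1000));               // replayed late
```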


By default, PhoneGap does not provide the feature of encryption on its own. Devices based on iOS and Android (above Gingerbread version) support full-disk encryption. But this is not available to PhoneGap/Cordova developers.

From the wiki:

PhoneGap is generally limited to the security features of the platform on which it is running.

Refer to https://github.com/phonegap/phonegap/wiki/Platform-Security

For a JS-based solution, give http://code.google.com/p/crypto-js/ a try.

answered Nov 13 '22 05:11

Purus