 

Secure login within Phonegap

I'm creating a Phonegap application which needs to allow a user to log into our Central Authentication Service.

My concern is that, since the files on the Phone are being loaded locally (via file://), there isn't security like there would be over an HTTPS connection. If I pass the username and password to an HTTPS location on our server, the request would not be secured even though the response would be.

I do not want to use a ChildBrowser plugin for the login because there doesn't appear to be any kind of event bubbling that would tell me when the login process has finished, and because not all platforms support the ChildBrowser plugin.

It looked as though it might be reasonable to use asymmetric encryption to encrypt the username/password combination with a public key and decrypt it on the server with a private key. I can't seem to get any JavaScript RSA libraries to play nice with Java on the backend, though.

Does asymmetric encryption seem decent for this case of protecting a user's password in a Phonegap application? Is there a better solution?

How would one get this working with JavaScript -> Java? I've been using the ohdave.com/RSA scripts on the client side, but Java doesn't want to recreate a key using ohdave's generated keys.

Any help is appreciated.

Buns of Aluminum asked Oct 06 '22 06:10


1 Answer

I have since learned that requesting the authentication webservice via HTTPS will initiate a handshake that will allow the credentials to be encrypted with the SSL certificate.

As far as storing the credentials on the phone, here's how I'm doing it:

  1. Send credentials to login webservice over SSL with Base64 encoding in a Basic Authorization header.
  2. Successful login response includes credentials AES encrypted with a key that lives on the server.
  3. AES Encrypted credentials are stored on the phone.
  4. Future logins are handled by sending the encrypted credentials to the login webservice over SSL in a Digest Authorization header.
Buns of Aluminum answered Oct 10 '22 02:10