Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Securely store access token in Cordova

Tags:

Edit: see my answer for the solution

Currently working on a Hybrid App with Ionic where there is a requirement to store an authentication Token in order to keep the user logged in, and also guarantee that this data cannot be accessed outside the App context.

There is of course plenty of solutions for this task, each one with different pros-and-cons so it's confusing (for me) to locate the one technology that fits.

I've been looking at angular-localForage and other candidates:

LocalStorage

  • Obvious choice for small data.
  • Data gets wiped in iOS when the system is low on memory.

IndexedDB

  • Buggy support in iOS (IndexedDB support)

WebSQL (SQLite)

  • Apparently a good option for small data and decent support (WebSQL suppport) but it's deprecated.

SQLite

  • There are related issues with Cordova in iOS.

LokiJS

  • Looks like an overkill for this scenario but is definitely a strong candidate. Is the any security concerns I should be aware of (as I read it locally persist data to JSON files)?

PouchDB + SQLite

  • Well, it's a JS client to work with CouchDB or Couchbase databases wich can also work with SQLite but again I only need to store a Token..

So apparently the best option for Android/iOS cross-compatibility should ironically be WebSQL, but is no longer being developed and I have to guarantee long-term support.

So my question is: are there any other options I'm missing to securely store an access Token? If don't, wich of the above ones should be the best choice for this task?

like image 314
TMichel Avatar asked Apr 03 '16 18:04

TMichel

People also ask

How do I store access token securely?

Most guidelines, while advising against storing access tokens in the session or local storage, recommend the use of session cookies. However, we can use session cookies only with the domain that sets the cookie. Another popular suggestion is to store access tokens in the browser's memory.

Where should authentication tokens be stored?

# Tokens stored in localStorage are automatically protected from CSRF attacks, because localStorage items are not automatically sent to servers with each HTTP request. But they are vulnerable to XSS attacks, where they can be easily accessed by JavaScript.

Should you store access token?

There is no need to store it. You can validate it and get the data from it that you required. If your app needs to call APIs on behalf of the user, access tokens and (optionally) refresh tokens are needed. These can be stored server-side or in a session cookie.

1 Answers

After doing some research I will share my conclusion.

Funny enough, none of the above candidates are suitable for securely storing an access Token. The approach should be using a native solution for both Android (Shared Preferences) and iOS (Keychain).

In the particular case of Ionic, a broadcaster plugin for Cordova could be used to communicate JS with Native so you can access the stored data.

like image 160
TMichel Avatar answered Sep 28 '22 03:09

TMichel
Sign in to Comment

Related questions

startActivty in a different thread
How to read entire line (string) using fscanf?
Regex for express router url to match path starting with /public/
Jenkins Failed to Connect to Repository
Possible to prevent XCode from envoking debugger after calling `XCUIApplication().terminate()`
Random extra space at end of horizontally scrollable table
combineReducers destroys Redux state and also breaks multi ImmutableJs reducers
Kurento endpoints order in order to record screencast
PHP ceil() and floor() returning float?
Maven Command Line Args in the settings.xml
Why can't I set the Resolution field in JIRA?
How to use editdist3 in sqlite

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!