securely store user password locally in a jquery mobile app

Question

I need to access an api which requires http authentification on a per user basis using a jquery mobile api.

I plan to make the app available as a website as well as packaging it in Cordova for various devices.

If I have a login form which captures the username and password and store this as a javascript variable, is there any way this data could be exposed?

If so, what's the best alternative to handle storing the users authentification details? I am reticent to build an intermediary server if I don't have to.

Many Thanks. :D

Answer 1

I would suggest not storing the username or password in the localStorage, but instead to store an access token. Access tokens can be updated and changed frequently, it also doesn't reveal who the user is or what their hashed password is.

Besides iOS Keychain or if you're coding it for a non-iPhone device for added security you can:

• Change the access token at each login and each time the app is used
• Store the device ID in the server database (see http://docs.phonegap.com/en/2.2.0/cordova_device_device.md.html#device.uuid)
• Clear the localStorage and request a new login if the access token or device ID doesn't match the data stored in the database

Make sure you don't store the device ID in the localStorage.

For added security you can also store the user's IP address in the database and check (server side) if the IP address matches, but this might too much since the user would have to login every time they connect to the internet in a new location or if their IP address changes.

Storing the IP address in the server database then checking if it matches (server side) would probably be the safest since it wouldn't matter if someone got hold of the localStorage data.

Answer 2

So I understand you don't control the backend you log in to? If you do, I would be more inclined to send username/password once, and then store some access token that will allow you subsequent access.

If you don't control the backend, you're stuck with storing username/password. I would say, setting them in localStorage is as safe as it gets (which is, admittedly, not very safe. Then again, if your login doesn't happen on HTTPS, I would be more worried about passwords leaking there than from the device itself). You could make the passwords harder to find, not call the variables "username/password", encrypt them in javascript, obfuscate your code. But in the end, they can always be retrieved without too much effort with the right access to the device.

After packaging as native app, you have more options, e.g. iOS keychain: http://shazronatadobe.wordpress.com/2010/11/06/ios-keychain-plugin-for-phonegap/