Since the last relevant (or at least similar) thread concerning encrypting user-data is from May '16, I thought it would make sense to revisit this subject 3 years later (coincidentally, it just so happens that I have a new security requirement!).
The apps my organization builds have an offline mandate, dictating that as much of the app can be accessed offline as possible. To facilitate this, as part of the user’s initial authentication response, along with a long-lasting session token, we pass over user profile information needed for logic/UI and other app “secrets”, such as API keys.
This data needs to be encrypted when stored for offline use, as per my organization’s policy. We had achieved this using Intel’s Security plugin, which required no setup, came from a reputable source, and was even (still) endorsed by Microsoft.
This plugin is now dead. The GitHub repo has been taken down, so we need an alternative.
Encrypting/Decrypting User Profile Data in 2019?
I already have the decryption key value in my head, and understand that it will be stored as plaintext. This has been OK’d as an acceptable necessity.
That said, I’ve evaluated a few options but have concerns for each:
- WebCrypto – Complex to use, and would require a shim for iOS 10 which we still support.
- Native Plugins – No “big name” contributors, lots of plugins that haven’t been updated in ages or have side-effects that I can’t enforce with my app crowd, such as forcing an Android user to enable a lock screen to use an app.
cryptolibrary, and if not, what is the overhead associated with them?
All three options share the same concern – performance. Since we encrypt API keys, they constantly need to be decrypted within the app. We do not keep API keys decrypted in memory for long, the biggest scope being a local method variable.
I can definitely use some advice, and see if anyone has any opinions/tips/experiences they can share.
- I need to encrypt certain values in my app so they work offline yet still meet our protocols.
- My current encryption plugin is dead. It didn’t require any setup and magically encrypted/decrypted values without needing keys.
- What options exist in 2019 that are performant to continuously encrypt/decrypt from device storage?
– thanks for reading