How to implement high data encryption using ionic framework


#1

Hi,

My mobile app stores forms for offline usage. Once online, data is synchronised to back end database.

Using Ionic 2 framework, I would like to know how to implement high data encryption in case the mobile device has been stolen.

Thanks.

Regards,
Wilson


#2

I assume you mean strong cryptography to secure stored data in the device.

There are some JS crypto libraries: JavaScript Crypto Libraries

The key problem you have to overcome is how to store the key to unlock the rest. (Look at the preferences link at the bottom.)

If you want to securely transmit data to the server, do not use JS to encrypt it; use SSL/TLS (https) instead. Attempting to implement JS-only TLS and other JS encryption schemes to transmit “securely” is fatally flawed by the very nature of JS, and will probably take more effort to implement than to just rely on https anyway. The cost of obtaining a good server SSL certificate just got negated anyway; look up Let’s Encrypt.

Remember one of the cardinal rules of cryptography: never cook your own encryption. Even the experts who live and breathe this get it wrong sometimes; crypto is non-trivial, and the pitfalls are deep, painful and plentiful.

All that said, I’d have loved for ionic-native libraries to have had some form of interface/plug-in to the native storage. IIRC both iOS and Android have secure storage options that only the app itself can access. There is a Cordova plugin for it, but I haven’t tested it. Yet. (Application preferences Cordova plugin, supporting iOS, Android, WP, Blackberry and Browser. It doesn’t appear to use iOS’s KeyChain for storage though.)


#3

I agree with the general thrust of your comment, but just wanted to point out that this particular concern has gotten somewhat better than it used to be with the WebCrypto APIs, in that you can generate keys that cannot be exported to JavaScript, yet still used.

To OP: one stack that I have used for purposes like this is AES in Galois/Counter Mode with scrypt to derive a key from a user-supplied password.
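
The stack named in the post above (AES in Galois/Counter Mode with a key derived from a user-supplied password by scrypt), as an added example that is not part of the original thread. It assumes Node's built-in crypto module so that it runs offline; the function names, the blob layout and the scrypt cost parameters are illustrative choices, not anything the poster specified.

```javascript
// Added example: AES-256-GCM with a scrypt-derived key for offline form data.
// Assumes Node's built-in crypto module; all names here are illustrative.
const nodeCrypto = require('node:crypto');

// scrypt cost parameters (assumed values; tune them for the target devices).
const SCRYPT = { N: 2 ** 14, r: 8, p: 1 };
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;

function deriveKey(password, salt) {
  // 32-byte output = AES-256 key; the salt makes each derived key unique.
  return nodeCrypto.scryptSync(password, salt, 32, SCRYPT);
}

function encryptRecord(password, record) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const iv = nodeCrypto.randomBytes(IV_LEN); // fresh 96-bit nonce per record
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(record), 'utf8'), cipher.final()]);
  // salt, nonce and tag are not secret, so they are stored next to the ciphertext.
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptRecord(password, blob) {
  const buf = Buffer.from(blob, 'base64');
  if (buf.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error('blob too short');
  const salt = buf.subarray(0, SALT_LEN);
  const iv = buf.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = buf.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  decipher.setAuthTag(tag);
  // final() throws when the password is wrong or any stored byte was modified.
  const body = buf.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const pt = Buffer.concat([decipher.update(body), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Returns null instead of throwing, so callers can prompt for the password again.
function tryDecrypt(password, blob) {
  try { return decryptRecord(password, blob); } catch (err) { return null; }
}

// Constructed sample input, not data from the thread.
const SAMPLE_FORM = { formId: 7, customer: 'Example Ltd', notes: 'visit on Monday' };
const stored = encryptRecord('correct horse battery', SAMPLE_FORM);
console.log(stored.length, tryDecrypt('correct horse battery', stored));
console.log(tryDecrypt('wrong password', stored)); // null
```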


#4

+1 to WebCrypto API. I use it without problems.