Ionic Secure Storage

The recommended ionic cordova plugin for secure storage is no longer being maintained. Are there equivalent plugins we can use in its place? Will @ionic-native/secure-storage still work with other secure storage options?


Ionic Offline Storage might be a solution. There is a demo on 9/25: bit.ly/2kQ2bKU

Does this solution support the browser platform?

…a new solution that makes it easy to store, access, and manage data online and offline, across mobile and desktop, …

I think maybe it does. But if it’s on web I don’t see how it is not sending that data somewhere to be encrypted, because there’s no way to keep data secure on the web without encrypting on the web server.

I think there is, but it does require asking for an external secret (such as a password on app startup).

How would you prevent other people from seeing the encryption on the browser? All browsers let you see the source and there’s no way to hide that code.

Thanks!

Esteban Morales

If by “the encryption”, you mean the algorithm being used, I wouldn’t care. AES works even when blackhat knows you’re using AES. The encryption key is the important thing to hide, which leads us to:

The key wouldn’t be in the source of the app. I would require the user to supply a secret (such as a password) every time the app is launched, and use a KDF like scrypt to turn that into an encryption key suitable for use with a symmetric algorithm such as AES.

Neither the password nor the derived key would be stored anywhere. Otherwise, there wouldn’t be any point in encrypting storage in the first place.


This topic is also important to me. I am currently using secure storage to locally save “rewards” the user has, to be able to use some features of my app for some time. It works because it doesn’t depend on a server connection (my app doesn’t use a server).

Ionic Offline Storage might be a solution. There is a demo on 9/25: bit.ly/2kQ2bKU

Probably this isn’t for someone like me, a single developer without a company that doesn’t make more than 40 dollars per year with their app.

If you’re baking the encryption key into the source of your app,

Our project doesn’t require the storage to be secure, I am just saving some flags and some basic stuff like that.

In that case, I would suggest simply using Ionic Storage.

Oh, no I was wrong, we are using Ionic Storage for those needs. But there is some stuff that needs to be secure. We just don’t use that on the web browser version.

So now I’m confused about what you’re asking for.

IMHO, the only time it makes sense to encrypt anything in on-device storage is when:

  • your specific threat concern is “blackhat steals device”
  • you are willing to make users enter a secret (such as a password) every time the app is launched

(NB: “device” here is used in the broad sense of “whatever is running the app”, so it would cover a PC running in a browser, where stuff is stored to IndexedDB for example)

If you are trying to store something on a user’s device that (a) you don’t want the user to be able to access, but (b) your app running on that user’s device must be able to access (which is what I fear that @distante is doing), forget it. That is impossible, and any encryption employed serves only to needlessly complicate development, providing only an illusion of security.

If you’re still here, and your use case still matches what I’m talking about, then I suspect that one reason Cordova secure storage got EOLed is that as of today, WebCrypto is usable in major browsers. I mentioned scrypt earlier in this thread as my preferred KDF (there are others). If you have no particular symmetric algorithm preference for the actual encryption, I would recommend AES-GCM. The source for that live browser compatibility table has example code.

We are using the secure storage on iOS and Android. The secure storage plugin was saving data to the iOS Keystore. For android it was doing the following:

On Android there does not exist an equivalent of the iOS KeyChain. The SecureStorage API is implemented as follows:

  • A random 256-bit AES key is generated.
  • The AES key encrypts the value.
  • The AES key is encrypted with a device-generated RSA (RSA/ECB/PKCS1Padding) from the Android KeyStore.
  • The combination of the encrypted AES key and value are stored in SharedPreferences.

The inverse process is followed on get.
Native AES is used.

The Keychain plugin has not been updated since 2018 and I don’t see anything like that for android. So is Ionic going to drop support for this kind of storage?

You can try looking for a fork in here. This one looks to be relatively actively maintained, in that it had an npm release within the last month.

That makes sense. I am using the device ID to get the key. Each item has a life of a day and then is deleted.

I suppose I have to change to something server-based. I didn’t want to force the user to always have a connection.