Ionic storage + Cordova-sqlcipher-adapter

Hi, I am looking to store safe my data with @ionic/storage.

My current setup is @ionic/storage and cordova-sqlite-storage plugin

On my app.module I have this config:

IonicStorageModule.forRoot({
name: ‘myName’,
driverOrder: [‘sqlite’, ‘localstorage’, ‘indexeddb’, ‘websql’],
dbKey: ‘myKey’
}),

To store ciphered data is needed to install Cordova-sqlcipher-adapter plugin? Or I have to install only:

@ionic/storage + Cordova-sqlcipher-adapter plugin ?

thanks

  • What data is being stored?
  • Who are you trying to protect it from?
  • How are you planning to do encryption key management?
  • What data is being stored?

User data, like address, user id, phone number…

  • Who are you trying to protect it from?

In the same way like cordova sqlite Plugin key param at the db creation method. ¿No?

  • How are you planning to do encryption key management?

Not sure about the best way to safe store the encription key.

Could you help me?

Joe is the owner of the device your app is running on. Are we talking about Joe’s personal data here, or the personal data of somebody that is not Joe?

My question was “who are you trying to protect the data from?”. I find it helpful to think in terms of threat stories here. Describe the situation you are concerned about. Is Joe’s device stolen? Can we rely on the device having a lock code? Are we worried about the situation where the device is locked? Unlocked, but not-Joe-blackhat has access?

This depends on the answers to the above questions. You might want to look into cordova nativestorage plugin which uses OS mechanisms to effectively do that. If you decide you don’t want to go that route, I would look at KDFs like scrypt.

WHATEVER YOU DO, DO NOT HARDCODE ENCRYPTION KEYS INTO YOUR APP BINARY.

Joe is the owner of the device your app is running on. Are we talking about Joe’s personal data here, or the personal data of somebody that is not Joe?

Personal data of Joe. Owner of the phone wich is running the app.

My question was “who are you trying to protect the data from?”. I find it helpful to think in terms of threat stories here. Describe the situation you are concerned about. Is Joe’s device stolen? Can we rely on the device having a lock code? Are we worried about the situation where the device is locked? Unlocked, but not-Joe-blackhat has access?

I am not sure about methods of stole the information but a minimum security. The info has to be secured although the device unlocked. I chose sqlite plugin because it not depends on device lock code. For example, secure storage library depends on lock code has activated. Sqlite cordova plugin no. Only has to define an encryption key at the moment of db creation.

The problem of sqlite is that the developer has to manage sqlite queries to store the info. With ionic storage only has to manage key-value to store the info.

Then the encryption key would be a good practice to obtain it into the successful login response ?

I think that’s a mistake, because you’re throwing away all the effort that many dedicated professionals have spent implementing and integrating the device lock code concept.

However, if that’s your position,

Yes, that’s the point of KDFs. They turn user-entered passwords into keys suitable for encryption use. If the user forgets the password, there is no backdoor.

going back to my initial question.

To use SQLCipher with @ionic/storage wich is the correct setup?:

@ionic/storage + cordova sqlite plugin + dbKey param on db startup/open

or

@ionic/storage + Cordova-sqlcipher-adapter + dbKey param on db startup/open

or

@ionic/storage + cordova sqlite plugin + Cordova-sqlcipher-adapter + dbKey param on db startup/open

Thanks