Secure Application development without Secure Storage


#1

Hi,

I just implemented the Secure storage to find out that the secure storage would throw an exception if the device itself was not secured with a passcode or pattern.

Even SQLite seems to have issues with Android, and at this time I am not sure how anyone is creating a secure application without the need for re-authentication if the only available option is local storage.

Isn’t this a critical issue? I was wondering how others have worked around this, or whether they have used something else to implement secure data storage on Ionic, as the information on this is really sparse across the web, the forums and the docs.

Thanks!


#2

> I just implemented the Secure storage to find out that the secure storage would throw an exception if the device itself was not secured with a passcode or pattern.

How did you implement secure storage?

Did you use: https://ionicframework.com/docs/native/secure-storage/


#3

Hi Robinyo,

Yes. I used Secure Storage from the link you’ve provided above.

I have read about the security code/pattern requirements; it really seems to me to be a big problem for such an elegant solution.


#4

Does anybody have a take on this? This is kind of very important, is it not?

How are people building secure apps on Ionic without any form of storage that is not secure?


#5

There’s no such thing as a secure web app. I’m not quite sure what you want here.


#6

Hi Aaron,

My question was: if secure storage does not work when the security settings are not set on Android, then what alternatives do we have to securely store data for purposes of actions like re-authentication? I currently use tokens for authentication, but I require the username and password for other actions as well, and secure storage seemed to have been the perfect solution but for this problem.

Are there any other secure storage alternatives that anyone here has used for their apps?


#7

I have built security myself with encryption.

So store the data using SQLite and encrypt at the application layer using the user's password, etc.

So you only need to care about the password.