Secure Storage for token

So I’m dealing with a classical problem here:

The user logs in → the server validates the login and sends back a token that will be used to authenticate the user on future requests to the server.

The problem: how do I store this token securely on the user's device?

I’m aware of Ionic Offline Storage, which seems to be perfect for this use case, however we are a small team that doesn’t have the cash flow to be able to afford Enterprise Ionic at the moment.

What are free, open source alternatives that are still maintained?

I wonder if you need to care to store an authentication token securely in the local environment.

The server needs to do its share validating the token every time?

Either way, anything that is stored locally can be retrieved and reverse engineered.

Alternatively, if you use native features, maybe consider the keystore on Android and iOS?

To rephrase what I think I’m hearing from @Tommertom here, can you outline the specific threat you’re concerned about here? For example:

We’re worried about blackhat getting physical access to a device and impersonating an actual user on our service

This would be a reasonable, albeit rather unusually paranoid, concern, which would be addressed by adding another layer of security. However, and this is a big “however”, in order for it to be meaningful, your user would have to enter a passphrase (at least) every time they open your app, and every time the phone comes out of hibernation. Generally, users aren’t willing to trade that rather significant annoyance for protection in the case their phone gets stolen, especially since if that were to happen, the authentication token on your app is not likely to be top of mind.

We want to make sure that whitehat (authorized user) is not permitted to see the innards of the token we are storing on their device, because it contains some other sort of secret in it

This, on the other hand, would be a no-good, very bad, unreasonable concern that would not be solved by storing the token “securely”. Redesign the system so that it’s OK if authorized users can inspect their tokens.

1 Like
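An added example, not code from any post in this thread: a server-side sketch of the design the replies point toward, where the token is an opaque random string that is safe for its owner to inspect and the server validates it on every request. The function names, the in-memory `Map` standing in for a database table, and the 30-minute lifetime are all assumptions made for illustration.

```javascript
// Added example: opaque session tokens validated server-side on every request.
const crypto = require('node:crypto');

const SESSION_TTL_MS = 30 * 60 * 1000; // assumed lifetime, tune to your service

// SHA-256(token) in hex -> { userId, expiresAt }. A Map stands in for a DB table.
const sessions = new Map();

const hashToken = (token) =>
  crypto.createHash('sha256').update(token).digest('hex');

// Call only after the login credentials have been verified.
function issueToken(userId, now = Date.now()) {
  // 32 random bytes: the token encodes nothing, so inspecting it reveals nothing.
  const token = crypto.randomBytes(32).toString('base64url');
  // Store only the hash, so a leaked session table cannot be replayed as tokens.
  sessions.set(hashToken(token), { userId, expiresAt: now + SESSION_TTL_MS });
  return token;
}

// Call on every authenticated request. Returns the user id, or null if rejected.
function validateToken(token, now = Date.now()) {
  if (typeof token !== 'string' || token.length === 0) return null;
  const key = hashToken(token);
  const session = sessions.get(key);
  if (!session) return null; // unknown, forged or revoked
  if (now >= session.expiresAt) {
    sessions.delete(key); // expired: drop it so it cannot be reused
    return null;
  }
  return session.userId;
}

// Logout, or a user reporting a stolen phone: the token dies on the server,
// whatever copy is still sitting in the device's storage.
function revokeToken(token) {
  return sessions.delete(hashToken(token));
}
```

With this shape, a token copied off a device is only useful until it expires or is revoked, which bounds the stolen-phone case without asking users for a passphrase on every launch.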