Secure Storage with added business layers

I’m currently working on a PWA with some unique offline requirements regarding authentication, storage and syncing. I’m not sure of a way this is possible, but the client is adamant that others have done this.

The requirements are as follows.

  • Users need to be able to authenticate offline.
  • Users should be able to call support for to reset their password via an “unlock code” in the event they forget their password. The support tech tech should be able to query an internal DB for one of several user relevant “unlock codes”
  • A user may configure surrogate accounts to act on behalf of that user (e.g. a surrogate group = main account + all surrogate accounts). All surrogate accounts need to be able to access the main account’s data.
  • It’s possible that a device can store data related to multiple surrogate groups for offline usage
  • Data across all surrogate groups must be synced as a background task at a regular interval (probably 15m)
  • All offline data must be encrypted at rest.

Our primary platform is Android, but we will open it up to iOS in the future.

I simply can’t think of how we’ll be able to achieve all of those requirements without some custom written plugin.
The surrogate group and “unlock code” requirements seems to preclude using a User’s password as the basis for an encryption key.
Syncing the data in the background seems to necessitate an Application level encryption key, which I don’t know how we can implement that securely with a JS based codebase.
So far my quest for similar approaches haven’t turned up anything useful.
Has anyone done something similarly? I don’t mind reading articles, but I haven’t found ones that seem to answer all my questions.

Thanks in advance to anyone that can provide some guidance.

If it is a pwa, then a plugin is not needed

So will it be a native layer on web or pwa?

Next, storing any security stuff locally is not secure if u build it yourself in web on the local device storage for starter… Web or capacitor plugin…

For the rest I leave it to others to comment. Maybe there is a bit of nuance

I would strongly suggest going to whoever is in charge of the purse strings here and begging them to hire a security consultant to assist with this design. The only concrete thing that comes to mind initially is that you may be able to do the “backdoor key” architecture thing using the strategy I first encountered with PGP:

  • encrypt payload with randomly-generated symmetric key
  • encrypt that symmetric key with each recipient’s public key

That way the data at rest doesn’t need to change when “recipients” are added - you just add another encrypted copy of the AES key to a separate block.

All in all, though, what you describe sounds like it will be very tricky, if not outright impossible, to implement securely. I won’t go so far as to say categorically impossible, but hard.

1 Like

Thank you. This “backdoor key” architecture was the missing piece of the puzzle for me.

Is this a PWA or will it be installed natively? If you have the chance to go native you can use device encryption features like Keystore/Keychain.