My setup:
User logs in, credentials are sent to the API and verified, a JWT token and refresh token are passed back. These both need to be stored somewhere. Of course I could use localstorage but I have read how insecure. So what other options do I have?
I would recommend using Ionic Storage, which will use SQLite underneath on device and IndexedDB in browsers. As for security, what is your threat concern? If the app needs to be automatically able to retrieve the JWT and pass it to a server, then all the information needed to get the JWT is present on the device. So if blackhat has physical access to the unlocked device, they have the JWT, regardless of how it is stored.
If you’re willing to inconvenience your users by requiring them to key in a passphrase every time they use the app, you could encrypt the JWT using a KDF like scrypt.
Thats what I’m using right now so I guess I’ll leave it. Thanks