Security considerations on Ionic

Foxandxss · November 11, 2014, 5:24pm

I am new to mobile development and much more new on hybrid apps and I have a doubt.

On client side web (angular for example) we are told that the client is not secure, anyone can change the code, etc etc.

What about Ionic in that regard?

I want to create an application (local, not communicating with any server) where I need a private state. What I thought is having a local login (more than login, just prompt a password if it is correct, let you in) and if you give correct credentials, you get it.

Since it is local, built-in into the application I have that question: Is that secure? I guess I can have my password inside the sandbox (sql, json but hashed…) but I am not sure if that is any secure. Yes, a root user can access the sandbox and read your stuff, but for that you need physical access to the phone.

I am not talking about top-notch security, just a way to hide some notes / photos / videos from anyone holding your phone (you need to input a password).

I am more concerned about being able to debug the app (chrome tools), remove some code / markup and getting in, but still, you need someone physically doing that and I think that production packages are not visible from remote debugging.

TL;DR Can you have some basic security, AKA private states in a local way? Just preventing wrong hands to see your stuff. If so, you like my idea or you have something better?

nicraboy · November 12, 2014, 2:34am

Hi @Foxandxss,

Any client side app can and probably will get decompiled if someone wants to enough. Doesn’t matter if it is Ionic, native Android, ect.

If you want to truly protect data you can implement AES encryption and decrypt with a password every time it needs to be accessed. This would mean the user types a password on every use and it gets cleared on close.

See the following post I did on AES. It is completely compatible with Ionic Framework:

Slim chance someone is going to get your users data if its encrypted with AES. If someone modifies your source, they will still need a password.

Regards,

ericciaparicio · November 27, 2017, 4:25pm

Hi @nicraboy.

I am developing an Ionic App that consume WebServices developed in Slim Framework. It’s working perfect but without security.

To apply security, my idea was:

I have a Login Page. If the username and password are correct, I generate a token JWT and I add in local storage. Later, when should to access to another API method I send the token in the Authorization Header. It’s working but it’snt sure because the token is visible.

Do you think that AES can help me?

Regards
Emiliano

Topic		Replies	Views
Ionic App and Security Ionic Framework	5	698	July 19, 2021
Ionic + oAuth. Secure enough? ionic-v1	8	5751	March 17, 2016
How to encryption password in ionic? ionic-v1	1	1538	April 28, 2016
Make ionic app secure Ionic Native	4	704	July 19, 2021
How to protect localstorage and websql data in cordova - ionic application ionic-v1	2	2281	June 20, 2015

Security considerations on Ionic

Related topics