5

While I'm learning JavaScript and HTML5, I am trying to build a basic quiz app that asks some multi-choice questions that will work on the mobile web, and also as an app using PhoneGap. As questions get asked, the results get stored locally.

I want the PhoneGap version to allow offline mode, so the ability for data to be stored locally is a must. I know there is a local DB offered through PhoneGap - so I guess one option is to do it client/server for Mobile Web and local DB with PhoneGap. However, I'd rather avoid going down that route for now, as that would mean I'd have to manage more variations between the mobile web and PhoneGap versions.

Obviously I don't need internet-bank-level security, but I need the results to be stored locally in a way that they can't easily be read and, most importantly, can't easily be manipulated.

I initially tried using HTML5 localStorage, but I quickly realised that, at least the way I was doing it, I could visibly see all the results I was storing and, through the use of Chrome Developer Tools, could easily just click to change values.

When I go down the path of using encryption (I was reading this StackOverflow post with interest), it appears that for something like this I always have to define a 'key' somewhere in the code in order to encrypt the data and then use the same key to decrypt it.

Since all of the data is stored client side, it means all I would ever have to do is find this key and run it against the stored data to manipulate results.

fakeguybrushthreepwood
  • What threat are you trying to mitigate exactly? Off hand I can't think of anything that this would mitigate other than casual inspection by a non-techie. I'd love to be proven wrong though. – Eric Fleischman Nov 21 '12 at 16:07
  • This exercise is really about me learning how to build HTML5/JS mobile web apps, and not so much about something that I'd put in the app store. I guess I have some vague idea though about eventually allowing scores to be synced online, possibly in a leaderboard fashion against other players. I'd like to still offer an offline option for the game though, hence the reason for offline storage. I understand there is no way somebody would be using the mobile web in an offline scenario, however they could be using the app, and I'd prefer not to build each version fundamentally two different ways. – fakeguybrushthreepwood Nov 22 '12 at 01:09
  • And the fact that people can just go in and change their scores in a browser through editing webstorage doesn't seem like a good strategy. To make it clear - they can view their 'score card' stored in webstorage and manipulate the values. Even if it is using some form of encryption I've found - they could still follow the piece of string and manipulate it. – fakeguybrushthreepwood Nov 22 '12 at 01:10
  • That's correct. It's hard to imagine any scheme that doesn't suffer from this when all of the logic is client side. – Eric Fleischman Nov 22 '12 at 02:28
  • Thanks for your feedback Eric, as a student of HTML5/JS this has been a great learning experience of the limitations of client-side storage! – fakeguybrushthreepwood Nov 22 '12 at 03:39
  • @u2sonderzug, you might be interested in [this](http://code.google.com/p/crypto-js/) – kolossus Nov 24 '12 at 17:16

2 Answers

1

CryptoJS AES. Thanks to Leigh

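```javascript
// Requires the CryptoJS library to be loaded on the page.
var text = "#rawString#";                            // plaintext to protect
var key = CryptoJS.enc.Base64.parse("#base64Key#");  // AES key, base64-encoded
var iv  = CryptoJS.enc.Base64.parse("#base64IV#");   // initialization vector, base64-encoded

console.log("Initial String:: " + text);

// Encrypt; toString() returns the ciphertext as base64
var encrypted = CryptoJS.AES.encrypt(text, key, {iv: iv});
console.log("Encrypted String:: " + encrypted.toString());

// Decrypt with the same key and IV, then decode the bytes as UTF-8
var decrypted = CryptoJS.AES.decrypt(encrypted, key, {iv: iv});
console.log("Decrypted String:: " + decrypted.toString(CryptoJS.enc.Utf8));
```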

Plnkr Demo Link

Abhijeet
-2

Would base64 encoding work? It's built-in to the browser and it looks encrypted. People do this all the time for cookies.

Resources (Mozilla specific):

See this question for more info and links for non-Mozilla browsers: JSON encode/decode base64 encode/decode in JavaScript

beatgammit
  • 2
    Thanks for the comment, but just by looking at it couldn't somebody just guess that it is base64 encrypted, and then easily decrypt it? – fakeguybrushthreepwood Nov 21 '12 at 06:52
  • 4
    It keeps honest people honest, and you'd need to base64 encode binary data anyway for localStorage, since it only supports string data. You did say you didn't need bank level security, right? – beatgammit Nov 21 '12 at 06:53
  • base64 is not encryption, it provides zero security. – ZachB Apr 04 '20 at 20:19
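
The question's main concern is manipulation of stored values, which base64 encoding does not detect. The following is an added example, not code from any poster in this thread: a tamper-evident score record using HMAC-SHA256, run under Node.js with a `Map` standing in for `localStorage`. `APP_KEY`, `saveScore`, `loadScore` and `demo` are hypothetical names, and because the key is assumed to ship inside the client code, the check only catches casual edits of the stored value, which is the limit the comments above describe.

```javascript
const nodeCrypto = require("crypto");

// Assumption: a key shipped inside the app's JavaScript (constructed value).
// Anyone who reads the source can recompute tags, so this detects casual
// edits of the stored value only.
const APP_KEY = Buffer.from("constructed-demo-key-not-a-secret", "utf8");

// Stand-in for window.localStorage (string keys, string values).
const storage = new Map();

function tag(payloadB64) {
  return nodeCrypto.createHmac("sha256", APP_KEY).update(payloadB64).digest("base64");
}

// Serialize and base64-encode the record, then store it with its HMAC tag.
function saveScore(name, record) {
  const payload = Buffer.from(JSON.stringify(record), "utf8").toString("base64");
  storage.set(name, payload + "." + tag(payload));
}

// Returns the record, or null if the entry is missing, malformed or altered.
function loadScore(name) {
  const stored = storage.get(name);
  if (typeof stored !== "string") return null;
  const parts = stored.split(".");
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = Buffer.from(tag(payload), "base64");
  const given = Buffer.from(mac, "base64");
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(given, expected)) return null;
  try {
    return JSON.parse(Buffer.from(payload, "base64").toString("utf8"));
  } catch (e) {
    return null;
  }
}

function demo() {
  saveScore("quiz1", { correct: 7, total: 10 });
  const intact = loadScore("quiz1");
  // Constructed edit of the kind described in the question: the payload is
  // replaced in storage while the old tag is left in place.
  const edited = Buffer.from(JSON.stringify({ correct: 10, total: 10 })).toString("base64");
  storage.set("quiz1", edited + "." + storage.get("quiz1").split(".")[1]);
  return { intact: intact, afterEdit: loadScore("quiz1") };
}
```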