2

if you write data to local storage with javascript on Android like this:

localStorage.data = "test";

Can this data be accessed and viewed in some way? I have some important data to save, like the user's personal information, and I would not like anybody to see this data (even if they put some effort into it). Solutions?

Tiago Sippert
gorgi93
  • Your question is a bit vague: do you want to protect the user's data from access by others or do you want to hide it from the user itself? – Christoph Aug 23 '12 at 08:44
  • This might be a duplicate: http://stackoverflow.com/questions/3718349/html5-localstorage-security – Denys Séguret Aug 23 '12 at 08:45

2 Answers

2

They aren't protected at all if you have access to the browser.

Anybody connecting to your site from the user's browser can simply type console.log(localStorage) in the developer tools (use Ctrl-uppercase-i on most browsers) to see it in the clear.

A solution might be to encrypt the data using a server-provided key, but this wouldn't be so secure: it's easy (for example using an extension) to change the executed JavaScript once you get access to the browser (and you have the user to come back to the site). I'd suggest storing that data on the server.

Denys Séguret
  • ah, you read it that they want to hide the users' own data from the user... I think that might have been what they were asking actually. – joevallender Aug 23 '12 at 08:43
  • I think it's more the technical view and not someone capturing the phone. And besides: I didn't see a console in mobile browsers so far ;) – Christoph Aug 23 '12 at 08:43
  • @joevallender I didn't even read it your way. But now I think you might be right. We'll see from OP's comment, both answers are complementary (I was about to add things about the cross-domain protection). – Denys Séguret Aug 23 '12 at 08:43
2

I assume you are talking about a technical exploit rather than someone physically getting hold of the actual device?

If so, it is my understanding that only code on the domain from which the data was saved can access it. So you'd potentially be vulnerable if someone managed an XSS attack or you incorrectly included someone else's script.

joevallender
  • I'm not concerned with XSS because the app doesn't allow data insertion. I'm talking about physically getting hold of the actual device and physically getting the data? – gorgi93 Aug 23 '12 at 08:45
  • Then please refer to dystroy's comment. Anyone with the device can easily access the data. – joevallender Aug 23 '12 at 08:47
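Both answers end at the same place: anything in localStorage is readable by whoever holds the device, so keep the personal data on the server and let localStorage hold only an opaque, expiring session token. The snippet below is an added example of that pattern (not code from either answerer); `memoryStorage` is a constructed stand-in for `window.localStorage` so it runs under Node, and the PII regexes are illustrative, not a complete classifier.

```javascript
// Constructed in-memory stand-in for window.localStorage (same getItem/setItem/
// removeItem/key/length surface) so the example runs outside a browser.
const memoryStorage = (() => {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: k => m.delete(k),
    key: i => [...m.keys()][i] ?? null,
    get length() { return m.size; },
  };
})();

// Value shapes that should never be persisted client-side (illustrative only).
const PII_PATTERNS = [
  /[\w.+-]+@[\w-]+\.[\w.]+/,                     // e-mail address
  /\b\d{3}[-. ]?\d{3}[-. ]?\d{4}\b/,             // phone-number-like digits
  /\b\d{4}[-. ]?\d{4}[-. ]?\d{4}[-. ]?\d{4}\b/,  // card-number-like digits
];

// Persist only an opaque token plus its expiry. Refuses anything PII-looking,
// so a caller cannot accidentally stash the profile itself under this key.
function saveSession(storage, token, ttlMs, now = Date.now()) {
  if (PII_PATTERNS.some(re => re.test(token))) {
    throw new Error("refusing to persist a PII-looking value");
  }
  storage.setItem("session", JSON.stringify({ token, exp: now + ttlMs }));
}

// Returns the token while it is valid; an expired entry is wiped, so a stale
// token does not linger on a device that changes hands later.
function loadSession(storage, now = Date.now()) {
  const raw = storage.getItem("session");
  if (raw === null) return null;
  const { token, exp } = JSON.parse(raw);
  if (now >= exp) { storage.removeItem("session"); return null; }
  return token;
}

// Audit helper: list keys whose stored value looks like PII. Run it against
// a dump of what the app really wrote, e.g. in a test, to catch regressions.
function auditStorage(storage) {
  const hits = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (PII_PATTERNS.some(re => re.test(storage.getItem(k)))) hits.push(k);
  }
  return hits;
}
```

The token is the only thing worth stealing from storage, and the server can revoke it; the personal data never touches the device's storage file.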