1

When used as containers for so-called "hybrid" web apps, do UIWebView and WebView provide a way for the developer to encrypt, store, and decrypt values in the client app?

For example, could the native code see that a web page being rendered has

<form action = "foo">
<input type="password" autocomplete="on" id="pword" name="pword" />
</form>

and then present a message to the user, asking if the password should be remembered, and if so, save the password securely somewhere on the device, and then when that same page is requested at some later time, auto-fill the form field?

Background: we are contemplating using a third-party framework to write some hybrid mobile apps for the company extranet, and the powers-that-be want these apps to be able to remember users' passwords and autofill them, for various (legacy) web applications already developed and deployed on our extranet, just as a web browser could. My impression is that we could retrofit the logon pages of our legacy web applications to use cookies or localStorage, if we incorporated a JavaScript encryption library; but it would be much better if we could find a hybrid mobile app framework that has already implemented this sort of password management natively, emulating the browser native on the device. Is a native implementation of password management possible with UIWebView and WebView, so we wouldn't have to retrofit our existing web applications?

Tim

1 Answer

3

Even in a hybrid app, best practice is to store the password using the device native security mechanisms (links below). This ensures they are encrypted at the device level.

The secure storage should be handled by native code (via a Cordova plug-in or similar mechanism) and passed back into the WebView just for the log-in process.

This avoids rewriting the web application side of things.

Android: Account Manager

iOS Keychain SO answer: Key Chain

I'm assuming you're talking about storing a token in localStorage, which is fine. But for the record, storing raw passwords in the localStorage is a bad idea. Local storage is plain text.

Community
Alex Miller
  • Do you mean that my program (written in JavaScript under Cordova) should check the kind of platform (iOS or Android) and use the appropriate plugin to store the password? I think that this is not so elegant! Is there a plugin with a unified API that does this automatically? – AhmadWabbi Apr 12 '16 at 09:48
  • @A.Wabbi it should be wrapped as a plugin. The important thing is to store it on the device's secure storage. Ideally the plugin API would be the same for all platforms. For security you shouldn't store passwords in JavaScript land. Plugins vary by device and OS version. The principle matters, the particular plugin does not and will change as each OS evolves. – Alex Miller Apr 15 '16 at 06:57
  • @AhmadWabbi How did you achieve it? – harsh Nov 08 '19 at 15:36
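The hand-off the answer describes (password kept in native secure storage and passed into the WebView only for the log-in page) needs two guards on the container side: the page's exact origin must be checked before anything is filled, and the password must be encoded as a string literal rather than concatenated into the injected script. The sketch below is an added example, not code from the answer or from any Cordova plugin; `secureStore.get`, `runInWebView`, the storage key format and the host name are assumptions made for illustration, and only the field id `pword` comes from the question's form.

```javascript
// Added example. ALLOWED_ORIGINS and the host name are constructed sample values.
const ALLOWED_ORIGINS = new Set(["https://extranet.example.com"]);

// Return the exact origin if this page may receive a stored password, else null.
function autofillOrigin(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (e) {
    return null; // unparsable URL: never fill
  }
  if (url.protocol !== "https:") return null; // no autofill over cleartext HTTP
  return ALLOWED_ORIGINS.has(url.origin) ? url.origin : null;
}

// Encode a value as a JavaScript string literal. JSON.stringify escapes quotes,
// backslashes and control characters; U+2028/U+2029 are escaped as well because
// older JavaScript engines treat them as line terminators inside literals.
function jsLiteral(value) {
  return JSON.stringify(value).replace(/[\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16));
}

// Build the script that fills the password field (id "pword" in the question's form).
function autofillScript(password, fieldId = "pword") {
  return "(function(){var f=document.getElementById(" + jsLiteral(fieldId) + ");" +
    "if(f&&f.type==='password'){f.value=" + jsLiteral(password) + ";}})();";
}

// Glue. secureStore.get (a wrapper over Keychain / Android secure storage) and
// runInWebView (the container's script-injection call) are hypothetical hooks.
async function autofill(pageUrl, secureStore, runInWebView) {
  const origin = autofillOrigin(pageUrl);
  if (!origin) return false; // wrong origin or scheme: the store is never read
  const password = await secureStore.get("password:" + origin);
  if (typeof password !== "string") return false; // nothing saved for this origin
  runInWebView(autofillScript(password));
  return true;
}
```

Keying the stored entry by origin means a page on any other host loaded in the same WebView gets nothing, and the password only exists in JavaScript for the duration of the fill.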