I've been tasked with developing methods of securing our mobile applications. Recently we have rolled out a few apps that run in disconnected mode. They are built using HTML5 and AngularJS, then packaged using Cordova. Now it's been requested that we be able to run apps in disconnected mode while storing customer information... I think this is a terrible idea. I have my own ideas about how to do this, but there are so many variables to consider that I want to make sure I look at this from every angle possible. In any case, has anyone had any experience with this, or any knowledge they can impart in order to set me down the right path?
- What sort of attacks do you want to protect against? Third-party reads from cookies or localStorage or something? – Halcyon Jun 15 '15 at 14:19
- What is disconnected mode? – jcesarmobile Jun 15 '15 at 14:22
- @jcesarmobile: Disconnected mode is just slang meaning that the device does not have a data connection. That means it doesn't have access to a server and needs to store things locally. – Nathan Thomas Jun 15 '15 at 15:15
- @Halcyon Yes, I need to protect local storage. I can encrypt the local database with AES encryption; the problem is what to do with the key to encrypt/decrypt the database, since it needs to be stored locally as well. – Nathan Thomas Jun 15 '15 at 15:15
- Look for _localstorage security_. http://stackoverflow.com/a/17280490/722762 You're probably safest storing the data on the server and keeping a token in the localStorage. Do you actually need the customer information for anything (other than 'because my boss said so')? – Halcyon Jun 15 '15 at 15:21
- @Halcyon Thank you for sharing that. I find it interesting that the question was asked over 3 years ago and it's still a basically unsolved issue. One would think that some kind of "set of best practices" would exist to at least harden an application to some reasonable extent. – Nathan Thomas Jun 15 '15 at 15:35
- For iOS you have the keychain plugin; it's supposed to be safe to store things there. – jcesarmobile Jun 15 '15 at 16:08
- @Halcyon Basically we need to be able to store customer information in the app until it can sync with the server and upload the information. Also, a form may be partially filled out and then completed later. The device could be in areas where it does not have service or any kind of data connection for several hours (or the whole day). Some information may fall under HIPAA and some may be personal financial information... so it cannot be left unsecured for any amount of time. – Nathan Thomas Jun 15 '15 at 16:48
- @jcesarmobile I'll try to find the article again, but someone wrote about the keyring security for both iOS and Android... evidently it isn't as secure as they would like us to believe... – Nathan Thomas Jun 15 '15 at 16:49
- So, you can't store anything because you won't find anything secure enough. – jcesarmobile Jun 15 '15 at 18:55