5

Edit: see my answer for the solution

Currently working on a Hybrid App with Ionic where there is a requirement to store an authentication Token in order to keep the user logged in, and also guarantee that this data cannot be accessed outside the App context.

There are, of course, plenty of solutions for this task, each one with different pros and cons, so it's confusing (for me) to locate the one technology that fits.

I've been looking at angular-localForage and other candidates:


LocalStorage

  • Obvious choice for small data.
  • Data gets wiped in iOS when the system is low on memory.

IndexedDB

WebSQL (SQLite)

  • Apparently a good option for small data and decent support (WebSQL support) but it's deprecated.

SQLite

  • There are related issues with Cordova in iOS.

LokiJS

  • Looks like overkill for this scenario but is definitely a strong candidate. Are there any security concerns I should be aware of (as I read it locally persists data to JSON files)?

PouchDB + SQLite

  • Well, it's a JS client to work with CouchDB or Couchbase databases which can also work with SQLite, but again I only need to store a Token..

So apparently the best option for Android/iOS cross-compatibility should ironically be WebSQL, but it is no longer being developed and I have to guarantee long-term support.

So my question is: are there any other options I'm missing to securely store an access Token? If not, which of the above should be the best choice for this task?

Community
  • 1
  • 1
TMichel
  • 4,336
  • 9
  • 44
  • 67

4 Answers

7

After doing some research I will share my conclusion.

Funny enough, none of the above candidates are suitable for securely storing an access Token. The approach should be using a native solution for both Android (Shared Preferences) and iOS (Keychain).

In the particular case of Ionic, a broadcaster plugin for Cordova could be used to communicate JS with Native so you can access the stored data.

TMichel
  • 4,336
  • 9
  • 44
  • 67
  • 4
    Thanks, this post doesn't have the attention it needs. Would be great if you could explain a little bit more on how to save and retrieve data from the Android (Shared Preferences) and iOS (Keychain). I can't find good guides! – mesqueeb Aug 04 '17 at 05:56
  • to answer WHY NOT SECURE - https://stackoverflow.com/questions/18144414/how-secure-is-storing-data-with-localstorage – srghma Oct 13 '20 at 18:58
  • to answer WHAT TO USE INSTEAD (didn't check) - https://github.com/pradeep1991singh/cordova-plugin-secure-key-store – srghma Oct 13 '20 at 19:00
  • https://ionicframework.com/docs/native/secure-storage – srghma Oct 15 '20 at 12:19
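
For the save/retrieve step asked about in the comments above, an added example (not code from the original posts or from any plugin's project): a promise wrapper that keeps the token only in a native secure-storage plugin and fails closed when the plugin is unavailable. It assumes the callback API of cordova-plugin-secure-storage; `openTokenStore`, `TOKEN_KEY` and `FakeSecureStorage` are hypothetical names.

```javascript
// Token store over a native secure-storage Cordova plugin (added example).
// Assumed plugin API (cordova-plugin-secure-storage):
//   new SecureStorage(onReady, onError, namespace)
//   .set(ok, err, key, value)  .get(ok, err, key)  .remove(ok, err, key)
const TOKEN_KEY = 'auth_token'; // hypothetical key name
function openTokenStore(SecureStorage, namespace, now = Date.now) {
  return new Promise((resolve, reject) => {
    // Fail closed: no fallback to localStorage when the plugin is missing.
    if (typeof SecureStorage !== 'function') {
      return reject(new Error('secure storage plugin unavailable'));
    }
    let ss;
    const call = (method, ...args) =>
      new Promise((ok, err) => ss[method](ok, err, ...args));
    const api = {
      // Store the token with its expiry time (ms since epoch).
      save: (token, expiresAt) =>
        call('set', TOKEN_KEY, JSON.stringify({ token, expiresAt })),
      // Resolves to the token, or null if absent, malformed or expired.
      load: async () => {
        let rec;
        try {
          rec = JSON.parse(await call('get', TOKEN_KEY));
        } catch (e) {
          return null; // key not found or unreadable: treat as logged out
        }
        if (!rec || typeof rec.token !== 'string' ||
            typeof rec.expiresAt !== 'number') return null;
        if (rec.expiresAt <= now()) {
          await api.clear(); // do not leave expired tokens on the device
          return null;
        }
        return rec.token;
      },
      clear: () => call('remove', TOKEN_KEY).catch(() => {}), // on logout
    };
    ss = new SecureStorage(() => resolve(api), reject, namespace);
  });
}

// Constructed in-memory stand-in for the plugin, for off-device runs only.
function FakeSecureStorage(onReady, onError, namespace) {
  const data = new Map();
  this.set = (ok, err, k, v) => { data.set(k, v); ok(k); };
  this.get = (ok, err, k) =>
    data.has(k) ? ok(data.get(k)) : err(new Error('key not found'));
  this.remove = (ok, err, k) => { data.delete(k); ok(k); };
  onReady();
}
```

In the app, pass `cordova.plugins.SecureStorage` instead of the stand-in, after the `deviceready` event; the namespace string is a placeholder of your choosing.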
1

The only secure way is using "httponly cookie". However, since April 2020 Apple uses WKWebView, which has a cookie problem.

Akin Zeman
  • 447
  • 7
  • 9
0

SQLite is the best option to go with as the content of DB will be encrypted and saved. Also native apps rely on SQLite to save data. To make CRUD easier with SQLite, I have created a wrapper library. Please check it here

Subash Selvaraj
  • 3,385
  • 1
  • 14
  • 17
  • 1
    As far as I know SQLite can be encrypted, but you have to expose the password hardcoded somewhere in the client code. – TMichel Apr 04 '16 at 07:00
-3

Go for LocalStorage, it is the best way to store

NGB
  • 71
  • 1
  • 15