8. HTML5 Storage is not secure
Can we do something about that?
Monday, 23 September 13
9. HTML5 Storage and
Security
- Not Encrypted
- It can’t be trusted
- Don’t store session
identifiers
- Only cookies can use
the httpOnly flag
- SessionStorage probably
our best option
Monday, 23 September 13
16. The users password is a
good key, particularly when
used with a key derivation
function.
Monday, 23 September 13
17. Override Ext.encode &
Ext.decode
- Straightforward approach
- Useful if ALL JSON is encrypted
- Could also write your own extended functions
-Ext.JSON.encodeEncrypted()
-Ext.JSON.decodeEncrypted()
Monday, 23 September 13
18. this.encode = function() {
var ec;
return function(o) {
if (!ec) {
// setup encoding function on first access
ec = isNative() ? JSON.stringify : doEncode;
}
return ec(o);
};
}();
Monday, 23 September 13
19. this.encode = function() {
var ec;
return function(o) {
if (!ec) {
// setup encoding function on first access
ec = isNative() ? JSON.stringify : doEncode;
}
return sjcl.encrypt('KEY', ec(o));
};
}();
Monday, 23 September 13
20. this.decode = function() {
var dc;
return function(json, safe) {
if (!dc) {
// setup decoding function on first access
dc = isNative() ? JSON.parse : doDecode;
}
try {
return dc(json);
} catch (e) {
if (safe === true) {
return null;
}
Ext.Error.raise({
sourceClass: "Ext.JSON",
sourceMethod: "decode",
msg: "You're trying to decode an invalid JSON
String: " + json
});
}
};
}();
Monday, 23 September 13
21. this.decode = function() {
var dc;
return function(json, safe) {
if (!dc) {
// setup decoding function on first access
dc = isNative() ? JSON.parse : doDecode;
}
try {
return sjcl.decrypt('KEY', dc(json));
} catch (e) {
if (safe === true) {
return null;
}
Ext.Error.raise({
sourceClass: "Ext.JSON",
sourceMethod: "decode",
msg: "You're trying to decode an invalid JSON
String: " + json
});
}
};
}();
Monday, 23 September 13
22. Overriding The Proxy
- Provides more flexibility
- Doesn’t have a knock-on effect across the rest
of your app
- Not all Proxies use JSON (e.g. SQL)
Monday, 23 September 13
23. getRecord: function(id) {
if (this.cache[id] === undefined) {
var recordKey = this.getRecordKey(id),
item = this.getStorageObject().getItem(recordKey),
data = {},
Model = this.getModel(),
fields = Model.getFields().items,
length = fields.length,
i, field, name, record, rawData, rawValue;
if (!item) {
return undefined;
}
rawData = Ext.decode(item);
...
}
return this.cache[id];
}
Monday, 23 September 13
24. getRecord: function(id) {
if (this.cache[id] === undefined) {
var recordKey = this.getRecordKey(id),
item = this.getStorageObject().getItem(recordKey),
data = {},
Model = this.getModel(),
fields = Model.getFields().items,
length = fields.length,
i, field, name, record, rawData, rawValue;
if (!item) {
return undefined;
}
rawData = sjcl.decrypt('KEY', Ext.decode(item));
...
}
return this.cache[id];
}
Monday, 23 September 13
29. PhoneGap
- Hardware Encryption
- limited by platform
- Use SQLLite Plugin
- SQLCipher
- Open Source
- 256-bit encryption
- http://brodyspark.blogspot.co.uk/
- Don’t store the key - derive from users password
Monday, 23 September 13
30. RhoMobile
- Similar to PhoneGap
- Rhom Local Database
- SQLite Database
- SQLite Encryption Extension (SEE)
- All or nothing switch
Monday, 23 September 13
31. Sencha Space
- Secure data stores
- Secured LocalStorage
- Secure Files API
- Remove app access to make the data
inaccessible
Monday, 23 September 13
32. Remote Wiping Data
- Use a mobile device management (MDM) suite
- AirWatch
- Soti MobiControl
- Sencha Space
Monday, 23 September 13