Securing Client-Side Data
Andrew Duncan, Co-Founder, SwarmOnline
@andrewmduncan
andrew@swarmonline.com
Monday, 23 September 13

Why store client-side?
- Improve performance
- Make the app work offline

Where can we store our data?
- LocalStorage
- Cookies
- WebSQL
- IndexedDB
- SessionStorage

HTML5 Storage is not secure
Can we do something about that?

HTML5 Storage and Security
- Not encrypted
- It can’t be trusted
- Don’t store session identifiers
- Only cookies can use the httpOnly flag
- SessionStorage probably our best option

JavaScript can help us... maybe

Watch out for libraries not maintained by cryptographers

Crypto-JS
- Collection of security algorithms
- MD5, PBKDF2, AES etc...
- Easy to use
- https://code.google.com/p/crypto-js/

Stanford JavaScript Crypto Library
- Stanford Javascript Crypto Library
- AES
- http://crypto.stanford.edu/sjcl/

https://github.com/bitwiseshiftleft/sjcl/contributors
Still maintained

var encryptedData = sjcl.encrypt('Amsterdam', 'ModUXCon');
// encryptedData is a JSON string:
// "{
//   "iv": "/mx7CEihT3d7SOwwE7xrWA",
//   "v": 1,
//   "iter": 1000,
//   "ks": 128,
//   "ts": 64,
//   "mode": "ccm",
//   "adata": "",
//   "cipher": "aes",
//   "salt": "zWAyQczJww4",
//   "ct": "nyBREOy9jjrMbQARklcvJg"
// }"
var data = sjcl.decrypt('Amsterdam', encryptedData);
// data = "ModUXCon"

The user’s password is a good key, particularly when used with a key derivation function.

Override Ext.encode & Ext.decode
- Straightforward approach
- Useful if ALL JSON is encrypted
- Could also write your own extended functions
  - Ext.JSON.encodeEncrypted()
  - Ext.JSON.decodeEncrypted()

this.encode = function() {
    var ec;
    return function(o) {
        if (!ec) {
            // setup encoding function on first access
            ec = isNative() ? JSON.stringify : doEncode;
        }
        return ec(o);
    };
}();

this.encode = function() {
    var ec;
    return function(o) {
        if (!ec) {
            // setup encoding function on first access
            ec = isNative() ? JSON.stringify : doEncode;
        }
        // JSON-encode first, then encrypt; sjcl.encrypt() returns the
        // envelope as a JSON string, so callers still get a string back.
        // 'KEY' is a placeholder for a key derived at runtime from the
        // user's password, never a literal shipped in the app.
        return sjcl.encrypt('KEY', ec(o));
    };
}();

this.decode = function() {
    var dc;
    return function(json, safe) {
        if (!dc) {
            // setup decoding function on first access
            dc = isNative() ? JSON.parse : doDecode;
        }
        try {
            return dc(json);
        } catch (e) {
            if (safe === true) {
                return null;
            }
            Ext.Error.raise({
                sourceClass: "Ext.JSON",
                sourceMethod: "decode",
                msg: "You're trying to decode an invalid JSON String: " + json
            });
        }
    };
}();

this.decode = function() {
    var dc;
    return function(json, safe) {
        if (!dc) {
            // setup decoding function on first access
            dc = isNative() ? JSON.parse : doDecode;
        }
        try {
            // Decrypt first, then JSON-decode: sjcl.decrypt() accepts the
            // envelope string directly and returns the plaintext JSON string,
            // so the parser must run on its output, not its input.
            // A wrong key or a tampered envelope makes sjcl throw, which is
            // handled by the catch below like any other bad input.
            return dc(sjcl.decrypt('KEY', json));
        } catch (e) {
            if (safe === true) {
                return null;
            }
            Ext.Error.raise({
                sourceClass: "Ext.JSON",
                sourceMethod: "decode",
                msg: "You're trying to decode an invalid JSON String: " + json
            });
        }
    };
}();

Overriding the Proxy
- Provides more flexibility
- Doesn’t have a knock-on effect across the rest of your app
- Not all Proxies use JSON (e.g. SQL)

getRecord: function(id) {
    if (this.cache[id] === undefined) {
        var recordKey = this.getRecordKey(id),
            item = this.getStorageObject().getItem(recordKey),
            data = {},
            Model = this.getModel(),
            fields = Model.getFields().items,
            length = fields.length,
            i, field, name, record, rawData, rawValue;
        if (!item) {
            return undefined;
        }
        rawData = Ext.decode(item);
        ...
    }
    return this.cache[id];
}

getRecord: function(id) {
    if (this.cache[id] === undefined) {
        var recordKey = this.getRecordKey(id),
            item = this.getStorageObject().getItem(recordKey),
            data = {},
            Model = this.getModel(),
            fields = Model.getFields().items,
            length = fields.length,
            i, field, name, record, rawData, rawValue;
        if (!item) {
            return undefined;
        }
        // The stored item is the sjcl envelope string written by setRecord,
        // so decrypt it first and decode the plaintext JSON it yields.
        // 'KEY' is a placeholder for a key derived from the user's password.
        rawData = Ext.decode(sjcl.decrypt('KEY', item));
        ...
    }
    return this.cache[id];
}

setRecord: function(record, id) {
    ...
    try {
        obj.setItem(key, Ext.encode(data));
    } catch(e){
        this.fireEvent('exception', this, e);
    }
    record.commit();
}

setRecord: function(record, id) {
    ...
    try {
        // Encode to JSON, then encrypt; the envelope string is what lands in storage.
        // 'KEY' is a placeholder for a key derived from the user's password.
        obj.setItem(key, sjcl.encrypt('KEY', Ext.encode(data)));
    } catch(e){
        this.fireEvent('exception', this, e);
    }
    record.commit();
}

W3C Web Cryptography Working Group

Hybrid App Containers
- Filesystem storage
- Data storage options

PhoneGap
- Hardware encryption
  - limited by platform
- Use SQLite plugin
  - SQLCipher
    - Open source
    - 256-bit encryption
    - http://brodyspark.blogspot.co.uk/
- Don’t store the key; derive it from the user’s password

RhoMobile
- Similar to PhoneGap
- Rhom local database
  - SQLite database
  - SQLite Encryption Extension (SEE)
  - All-or-nothing switch

Sencha Space
- Secure data stores
- Secured LocalStorage
- Secure Files API
- Remove app access to make the data inaccessible

Remote Wiping Data
- Use a mobile device management (MDM) suite
  - AirWatch
  - Soti MobiControl
  - Sencha Space

Questions?