
Wednesday, August 2, 2017

Ionic - Secure Storage


This post is not meant as a guide nor as a tutorial on how to use storage with Ionic. This post will explain a possible problem you may have when using the Secure Storage plugin as described in Ionic docs. Also, this is a problem that only shows itself on Android and not on iOS, so if you are facing issues on an Apple device this is probably not the problem you are encountering.

‘Native Storage’ and ‘Secure Storage’ plugins



Native Storage and Secure Storage are the two main ways for you to store information on mobile with Ionic, without needing to set up your own database and instead delegating the handling to the OS.


As the name suggests, the latter is normally used when the information to be saved is really sensitive.


This doesn’t mean Native Storage by itself is insecure. Data stored this way should only be accessible by your app, which leaves it pretty safe in its own right. However, it can still be read if app data backup is enabled, or on an Android device that is rooted. So, for cases in which security is a top priority, Secure Storage can shine.


But when using the “Secure Storage” plugin on Android, it may sometimes fail on initialization or during use. It may even delete previously stored information. So now we have to decide which one to use. Before that, however, it would be good to know why this happens, and how often it happens.


Secure Storage on Android



The “Secure Storage” plugin on Android only works correctly when the user has a screen lock enabled on their device. Whether it is a pattern or a code, the plugin uses the KeyStore key associated with that lock to encrypt the data to be safely stored.


What this means for a user of our application is that Secure Storage will only work if the device has these security measures in place. If it doesn’t, the plugin will fail to initialize, and all storage or retrieval operations will subsequently fail.


And this is not the worst case scenario. The worst case scenario comes when the user removes or changes their password or pattern. If this happens, all previously stored information is effectively lost, since the key associated with it changes.


iOS, on the other hand, doesn’t have this problem: there the plugin stores the information in the Keychain, which does not depend on the user actually having security enabled for their device.


Solutions



Now we need to decide what to use, and the answer will depend on what your app needs. Some options would be the following:


  • If the data to be stored is not sensitive enough, just use Native Storage. It is secure enough for many cases, since it takes a special scenario to compromise it.
  • If the data is really sensitive and your app can cope without it, you can use Secure Storage. You need to check before using it in case it was deleted, but this will ensure everything is secure.
  • If the data is sensitive but temporary (such as a short-lived session token), you can try using both. Start with Secure Storage and fall back to Native Storage when that fails. This gives most users full security without annoying the other users. You can also try migrating data from Native Storage to Secure Storage if the app detects that the user has activated their screen lock.
  • If the data is sensitive, you could also use Secure Storage and actively ask the user to enable a screen lock. This makes sure your data is safe and that your app can access it (unless the user later disables the lock), but it may annoy the user. You also need to check for the possible disappearance of data in every storage operation.
  • You could also choose to use neither. You can use your own database and handle its security yourself. This can be done either on the mobile or on the server side, depending on your needs, but remember that this will probably be more time consuming than just using one of the other plugins.
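As an added example (not code from the original post or from the Ionic plugins), the following TypeScript sketches the “try Secure Storage, fall back to Native Storage, migrate later, and treat missing data as possibly wiped” option. The Android failure modes described above are simulated with constructed fakes: the `KeyValueStore` interface, `FakeDevice`, `openFakeSecure`, `MemoryStore` and `FakeSecureStore` are all assumptions made for this example, and adapting the real `SecureStorage.create()`/`get()`/`set()` and `NativeStorage.getItem()`/`setItem()` calls onto the interface is left to the app.

```typescript
// Added example, not code from the original post or from the Ionic plugins.
// Minimal interface for what the wrapper needs from a backend (assumption).
interface KeyValueStore {
  get(key: string): Promise<string | null>;
  set(key: string, value: string): Promise<void>;
  remove(key: string): Promise<void>;
}

type Backend = 'secure' | 'native';

class ResilientStorage {
  private store: KeyValueStore | null = null;
  backend: Backend | null = null;

  // openSecure plays the role of SecureStorage.create(): it rejects when the
  // plugin cannot initialise, which on Android means no screen lock is set.
  constructor(private openSecure: () => Promise<KeyValueStore>,
              private native: KeyValueStore) {}

  async init(): Promise<Backend> {
    try {
      this.store = await this.openSecure();
      this.backend = 'secure';
    } catch {
      this.store = this.native; // degrade to Native Storage instead of breaking the app
      this.backend = 'native';
    }
    return this.backend;
  }

  private active(): KeyValueStore {
    if (!this.store) throw new Error('call init() first');
    return this.store;
  }

  set(key: string, value: string): Promise<void> { return this.active().set(key, value); }

  // null means "never written" or "wiped because the lock changed"; either way
  // the caller must obtain the value again (for a session token: re-authenticate).
  get(key: string): Promise<string | null> { return this.active().get(key); }

  // Move keys from Native to Secure once the app notices a screen lock was
  // enabled. Returns false and changes nothing if Secure Storage still fails.
  async migrateToSecure(keys: string[]): Promise<boolean> {
    if (this.backend === 'secure') return true;
    let secure: KeyValueStore;
    try { secure = await this.openSecure(); } catch { return false; }
    for (const k of keys) {
      const v = await this.native.get(k);
      if (v !== null) { await secure.set(k, v); await this.native.remove(k); }
    }
    this.store = secure;
    this.backend = 'secure';
    return true;
  }
}

// Constructed fakes reproducing the Android behaviour described in the post.
// lockGeneration is bumped whenever the user changes their PIN or pattern.
interface FakeDevice { screenLock: boolean; lockGeneration: number }

class MemoryStore implements KeyValueStore {
  protected data = new Map<string, string>();
  async get(k: string) { return this.data.has(k) ? (this.data.get(k) as string) : null; }
  async set(k: string, v: string) { this.data.set(k, v); }
  async remove(k: string) { this.data.delete(k); }
}

// Bound to the KeyStore key of the lock generation it was opened with: if the
// lock changes, the old key is gone and so is everything encrypted with it.
class FakeSecureStore extends MemoryStore {
  constructor(private device: FakeDevice, private boundGen: number) { super(); }
  private check() {
    if (this.device.lockGeneration !== this.boundGen) {
      this.data.clear();
      this.boundGen = this.device.lockGeneration;
    }
  }
  async get(k: string) { this.check(); return super.get(k); }
  async set(k: string, v: string) { this.check(); return super.set(k, v); }
}

function openFakeSecure(device: FakeDevice): Promise<KeyValueStore> {
  return device.screenLock
    ? Promise.resolve(new FakeSecureStore(device, device.lockGeneration))
    : Promise.reject(new Error('Secure Storage failed to initialize: no screen lock'));
}

// Walk through the scenarios: no lock -> fallback; lock enabled -> migrate;
// lock changed -> token gone, caller must re-authenticate.
async function demo() {
  const device: FakeDevice = { screenLock: false, lockGeneration: 0 };
  const storage = new ResilientStorage(() => openFakeSecure(device), new MemoryStore());
  const first = await storage.init();                   // 'native'
  await storage.set('session', 'tok-123');              // constructed sample token
  device.screenLock = true;                             // user enables a PIN
  const migrated = await storage.migrateToSecure(['session']);
  const afterMigrate = await storage.get('session');    // 'tok-123', now in Secure Storage
  device.lockGeneration++;                              // user changes the PIN
  const afterLockChange = await storage.get('session'); // null: wiped by the key change
  return { first, migrated, afterMigrate, afterLockChange, backend: storage.backend };
}
```

The important design point is that `get()` never distinguishes "never stored" from "wiped by a lock change"; both come back as `null`, so every read path in the app must be prepared to re-acquire the value rather than assume it is still there.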

Conclusion



Unfortunately there is no definitive solution to this problem, but it is something important to keep in mind when using these plugins. You just need to make sure you know the needs of your app, your users and the information to be stored, and make an informed decision.

We hope this quick post was useful to you!




Sources