[aerogear-dev] One Time Password Cordova

Apostolos Emmanouilidis aemmanou at redhat.com
Tue Sep 24 04:27:13 EDT 2013


Regarding the Android part, I've seen famous Android OTP authenticators
using SQLite storage. In my opinion SQLite and SharedPreferences
have the same security level. In both cases the data is stored within
the application's directory on the mobile device file system. An SQLite
database is accessible by all the classes inside the specific
application and is not accessible outside the application. The
SharedPreferences data is stored in an un-encrypted XML file which is by
default accessible only to the specific application. So the decision on
whether to use the SQLite or SharedPreferences option is mostly based on
the amount of data and performance reasons.

Obviously, if the device is rooted, then the data in both storage types
is accessible to every asset with root privileges. In such a case,
encryption would be useful. However, taking into consideration the
purpose of OTP, I believe that this danger is acceptable and encryption
is too much to have in the Cordova plugin.

Our security gurus are more appropriate to answer such kinds of
questions :)


On Tue, 2013-09-24 at 08:12 +0200, Erik Jan de Wit wrote:

> The secret is scanned with the barcode scanner and stored in
> SharedPreferences on Android and NSUserDefaults on iOS.
>
> On 24 Sep 2013, at 4:41, "Bruno Oliveira" <bruno at abstractj.org> wrote:
>
> > Hi Erik,
> >
> > How is the shared secret being retrieved? And how do you store it?
> >
> > —
> > abstractj
> >
> > On Mon, Sep 23, 2013 at 3:38 AM, Erik Jan de Wit <edewit at redhat.com> wrote:
> >
> > > As this is a security thing it would be great if others
> > > would take a look at it because we want to be extra sure there
> > > is no obvious security hole in this.
> > >
> > > Cheers, Erik Jan
> >
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev

