[aerogear-dev] One Time Password Cordova

Erik Jan de Wit edewit at redhat.com
Tue Sep 24 08:59:11 EDT 2013


Hi

Is it really a problem that the secret could be extracted from the phone if you root it? I've just checked, but the Google Authenticator app on my Android also doesn't encrypt the secret and puts it into a SQLite database. An attacker would still need to know your username and password, and you could generate a new secret or invalidate the old one once your phone has been stolen.

On 24 Sep,2013, at 14:50 , Bruno Oliveira <bruno at abstractj.org> wrote:

> You are correct my friend.
> 
> @Erik for now I would say, move forward with the plan and let's make use
> of AGSec 1.3.0 in the future, we will address this issue providing
> interfaces for encryption
> (http://staging.aerogear.org/docs/planning/roadmaps/AeroGearSecurity/)

Yeah, if we have a good way to encrypt it, why not use it…

> 
> A second option would be: do not store the shared secret and let the
> developers choose how they want to store it providing their own
> encryption. Sorry, I'm dumb-ish on Cordova, not sure if that's
> possible.

Yes that is possible right now.

> 
> Apostolos Emmanouilidis wrote:
>> Obviously, if the device is rooted, then the data in both storage
>> types is accessible to every asset with root privileges. In such a
>> case, encryption would be useful. However, taking into consideration
>> the purpose of OTP, I believe that this danger is acceptable and
>> encryption is too much to have in the Cordova plugin.
>> 
>> Our security gurus are more appropriate to answer such kinds of
>> questions :)
> 
> -- 
> abstractj
> 
> 
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
