Erik Jan de Wit <edewit@redhat.com>
September 24, 2013 9:59 AM
Hi
Is it really a problem that the secret could be extracted from the phone if you root it?
I've just checked, but the Google Authenticator app on my Android also doesn't
encrypt the secret and puts it into an SQLite database. An attacker would still need to
know your username and password, and you could generate a new secret or invalidate the old
one once your phone has been stolen.
On 24 Sep 2013, at 14:50, Bruno Oliveira <bruno(a)abstractj.org> wrote:
> You are correct my friend.
>
> @Erik for now I would say, move forward with the plan and let's make use
> of AGSec 1.3.0 in the future, we will address this issue providing
> interfaces for encryption
> (
http://staging.aerogear.org/docs/planning/roadmaps/AeroGearSecurity/)
Yeah, if we have a good way to encrypt it, why not use it…
> A second option would be: do not store the shared secret and let the
> developers choose how they want to store it providing their own
> encryption. Sorry, I'm dumb-ish on Cordova, not sure if that's
> possible.
Yes that is possible right now.
> Apostolos Emmanouilidis wrote:
>> Obviously, if the device is rooted, then the data in both storage
>> types is accessible to every asset with root privileges. In such a
>> case, encryption would be useful. However, taking into consideration
>> the purpose of OTP, I believe that this danger is acceptable and
>> encryption is too much to have in the Cordova plugin.
>>
>> Our security gurus are more appropriate to answer such
>> questions :)
> --
> abstractj
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
Apostolos Emmanouilidis <aemmanou@redhat.com>
September 24, 2013 5:27 AM
Regarding the Android part, I've seen famous Android OTP
authenticators using the SQLite storage. In my opinion SQLite and
SharedPreferences have the same security level. In both cases the data
is stored within the application's directory on the mobile device file
system. An SQLite database is accessible by all the classes inside the
specific application and is not accessible outside the application.
The SharedPreferences data is stored in an un-encrypted XML file which
is by default accessible only to the specific application. So the
decision on whether to use the SQLite or SharedPreferences option is
mostly based on the amount of data and performance reasons.
Obviously, if the device is rooted, then the data in both storage
types is accessible to every asset with root privileges. In such a
case, encryption would be useful. However, taking into consideration
the purpose of OTP, I believe that this danger is acceptable and
encryption is too much to have in the Cordova plugin.
Our security gurus are more appropriate to answer such
questions :)
On Tue, 2013-09-24 at 08:12 +0200, Erik Jan de Wit wrote:
> The secret is scanned with the barcode scanner and stored in
> SharedPreferences on Android and NSUserDefaults on iOS.
>
> On 24 Sep 2013, at 4:41, "Bruno Oliveira" <bruno(a)abstractj.org> wrote:
>
>> Hi Erik,
>>
>>
>> How is the shared secret being retrieved? And how do you store it?
>>
>>
>>
>> —
>> abstractj
>>
>> On Mon, Sep 23, 2013 at 3:38 AM, Erik Jan de Wit
>> <edewit(a)redhat.com> wrote:
>>
>>
>> As this is a security thing it would be great if others would
>> take a look at it because we want to be extra sure there is no
>> obvious security hole in this.
>>
>> Cheers, Erik Jan
>>
Erik Jan de Wit <edewit@redhat.com>
September 24, 2013 3:12 AM
The secret is scanned with the barcode scanner and stored in
SharedPreferences on Android and NSUserDefaults on iOS.
Bruno Oliveira <bruno@abstractj.org>
September 23, 2013 11:41 PM
Hi Erik,
How is the shared secret being retrieved? And how do you store it?
—
abstractj
On Mon, Sep 23, 2013 at 3:38 AM, Erik Jan de Wit
<edewit(a)redhat.com> wrote:
Erik Jan de Wit <edewit@redhat.com>
September 23, 2013 3:38 AM
One Time Password
I've checked in the Cordova OTP module
<https://github.com/edewit/aerogear-otp-cordova>; it now
supports Android and iOS. I've added a dependency on the barcode
scanner plugin so that it is a complete package. There is one
general |generate| method that will check if there is a secret stored;
if not, it will fire up the barcode scanner to scan a secret and then
store it. There are also separate methods that support these functions.
On the Android side I use SharedPreferences, and for iOS NSUserDefaults,
to store the secret. Currently the project is under my own name; I don't
know how to move it.
As this is a security thing it would be great if others would take a
look at it because we want to be extra sure there is no obvious security
hole in this.
Cheers, Erik Jan