Regarding the Android part, I've seen famous Android OTP authenticators using the SQLite storage. In my opinion SQLite and SharedPreferences have the same security level. In both cases the data is stored within the application's directory on the mobile device file system. An SQLite database is accessible by all the classes inside the specific application and is not accessible outside the application. The SharedPreferences data is stored in an un-encrypted XML file which is by default accessible only to the specific application. So the decision on whether to use the SQLite or SharedPreferences option is mostly based on the amount of data and performance reasons.

Obviously, if the device is rooted, then the data in both storage types is accessible to every asset with root privileges. In such a case, encryption would be useful. However, taking into consideration the purpose of OTP, I believe that this danger is acceptable and encryption is too much to have in the Cordova plugin.

Our security gurus are more appropriate to answer such kind of questions :)
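The two storage options the message above compares, as an added illustration that is not code from the AeroGear Cordova plugin or from anyone in this thread: the TOTP secret written to a MODE_PRIVATE SharedPreferences file exactly as the thread describes (protected only by the per-app uid sandbox), next to a variant that wraps it with an AES-GCM key held in the Android Keystore (API 23+). The preference file name, the key names and the Keystore alias are assumptions chosen for the example.

```java
// Added example (not the plugin's code). Assumed names: prefs file "otp_prefs",
// keys "otp_secret"/"otp_secret_enc"/"otp_secret_iv", Keystore alias "otp_secret_wrap_key".
import android.content.Context;
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;

import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class OtpSecretStore {
    private static final String PREFS = "otp_prefs";                   // assumed
    private static final String KEY_PLAIN = "otp_secret";              // assumed
    private static final String KEY_CIPHERTEXT = "otp_secret_enc";     // assumed
    private static final String KEY_IV = "otp_secret_iv";              // assumed
    private static final String KEYSTORE_ALIAS = "otp_secret_wrap_key"; // assumed

    private final SharedPreferences prefs;

    public OtpSecretStore(Context ctx) {
        // MODE_PRIVATE: the XML under the app's own data directory is readable only by this app's uid.
        prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
    }

    /** Plain storage as discussed in the thread: the base32 secret sits in clear text in the XML. */
    public void savePlain(String base32Secret) {
        prefs.edit().putString(KEY_PLAIN, base32Secret).apply();
    }

    public String loadPlain() {
        return prefs.getString(KEY_PLAIN, null);
    }

    /** Wrapped storage: the AES key never leaves the Keystore, so a copy of the XML alone is useless. */
    public void saveWrapped(String base32Secret) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateWrapKey()); // Keystore chooses a fresh random IV
        byte[] ct = cipher.doFinal(base32Secret.getBytes(StandardCharsets.UTF_8));
        prefs.edit()
             .putString(KEY_CIPHERTEXT, Base64.encodeToString(ct, Base64.NO_WRAP))
             .putString(KEY_IV, Base64.encodeToString(cipher.getIV(), Base64.NO_WRAP))
             .apply();
    }

    public String loadWrapped() throws Exception {
        String ct = prefs.getString(KEY_CIPHERTEXT, null);
        String iv = prefs.getString(KEY_IV, null);
        if (ct == null || iv == null) {
            return null;
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, getOrCreateWrapKey(),
                    new GCMParameterSpec(128, Base64.decode(iv, Base64.NO_WRAP)));
        // GCM tag check fails here if the stored ciphertext was tampered with.
        return new String(cipher.doFinal(Base64.decode(ct, Base64.NO_WRAP)), StandardCharsets.UTF_8);
    }

    /** Returns the wrapping key from the Android Keystore, generating it on first use. */
    private SecretKey getOrCreateWrapKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        KeyStore.Entry entry = ks.getEntry(KEYSTORE_ALIAS, null);
        if (entry instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEYSTORE_ALIAS,
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .build());
        return kg.generateKey();
    }
}
```

The wrapped variant changes what an attacker needs: a backup or file-system copy of the shared_prefs XML no longer yields the secret, because the key material is non-exportable from the Keystore. It does not change the rooted-device picture the message describes, since code running as root (or as the app's uid) can still ask the Keystore to decrypt on the device; the gain is against offline copies of the app directory, not against a compromised device.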


On Tue, 2013-09-24 at 08:12 +0200, Erik Jan de Wit wrote:
The secret is scanned with the barcode scanner and stored in SharedPreferences on Android and NSUserDefaults on iOS.

On 24 Sep, 2013, at 4:41, "Bruno Oliveira" <bruno@abstractj.org> wrote:

Hi Erik, 


How is the shared secret being retrieved? And how do you store it?




abstractj

On Mon, Sep 23, 2013 at 3:38 AM, Erik Jan de Wit <edewit@redhat.com> wrote:

As this is a security thing it would be great if others would take a look at because we want to be extra sure there is no obvious security hole in this.

Cheers, Erik Jan

_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev
