You are correct my friend.
@Erik for now I would say, move forward with the plan and make use
of AGSec 1.3.0; in the future, we will address this issue by providing
interfaces for encryption
(http://staging.aerogear.org/docs/planning/roadmaps/AeroGearSecurity/).
A second option would be: do not store the shared secret and let the
developers choose how they want to store it, providing their own
encryption. Sorry, I'm dumb-ish on Cordova, not sure if that's
possible.
Apostolos Emmanouilidis wrote:
Obviously, if the device is rooted, then the data in both storage
types is accessible to every asset with root privileges. In such a
case, encryption would be useful. However, taking into consideration
the purpose of OTP, I believe that this danger is acceptable and
encryption is too much to have in the Cordova plugin.
Our security gurus are more appropriate to answer such kinds of
questions :)
--
abstractj