Hi
Is it really a problem that the secret could be extracted from the phone if you root it?
I've just checked but the Google Authenticator app on my Android also doesn't
encrypt the secret and puts it into a SQLite database. An attacker would still need to
know your username and password and you could generate a new secret or invalidate the old
one once your phone has been stolen.
On 24 Sep 2013, at 14:50, Bruno Oliveira <bruno(a)abstractj.org> wrote:
You are correct my friend.
@Erik for now I would say, move forward with the plan and let's make use
of AGSec 1.3.0 in the future, we will address this issue providing
interfaces for encryption
(http://staging.aerogear.org/docs/planning/roadmaps/AeroGearSecurity/)
Yeah if we have a good way to encrypt it why not use it…
A second option would be: do not store the shared secret and let the
developers choose how they want to store it providing their own
encryption. Sorry, I'm dumb-ish on Cordova, not sure if that's
possible.
Yes that is possible right now.
Apostolos Emmanouilidis wrote:
> Obviously, if the device is rooted, then the data in both storage
> types is accessible to every asset with root privileges. In a such
> case, encryption would be useful. However, taking into consideration
> the purpose of OTP, I believe that this danger is acceptable and
> encryption is too much to have in the Cordova plugin.
>
> Our security gurus are more appropriate to answer such kind of
> questions :)
--
abstractj
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev