[aerogear-dev] One Time Password Cordova

Bruno Oliveira bruno at abstractj.org
Tue Sep 24 08:50:23 EDT 2013


You are correct my friend.

@Erik for now I would say, move forward with the plan and let's make use
of AGSec 1.3.0 in the future, we will address this issue providing
interfaces for encryption
(http://staging.aerogear.org/docs/planning/roadmaps/AeroGearSecurity/)

A second option would be: do not store the shared secret and let the
developers choose how they want to store it, providing their own
encryption. Sorry for being dumb-ish on Cordova, I'm not sure if that's
possible.

Apostolos Emmanouilidis wrote:
> Obviously, if the device is rooted, then the data in both storage
> types is accessible to every asset with root privileges. In such a
> case, encryption would be useful. However, taking into consideration
> the purpose of OTP, I believe that this danger is acceptable and
> encryption is too much to have in the Cordova plugin.
>
> Our security gurus are more appropriate to answer such kinds of
> questions :)

-- 
abstractj

