[aerogear-dev] One Time Password Cordova
Bruno Oliveira
bruno at abstractj.org
Tue Sep 24 09:08:37 EDT 2013
Nothing critical, go for it.
> Erik Jan de Wit <mailto:edewit at redhat.com>
> September 24, 2013 9:59 AM
> Hi
>
> Is it really a problem that the secret could be extracted from the phone if you root it? I've just checked, but the Google Authenticator app on my Android also doesn't encrypt the secret and puts it into a SQLite database. An attacker would still need to know your username and password, and you could generate a new secret or invalidate the old one once your phone has been stolen.
>
> On 24 Sep,2013, at 14:50 , Bruno Oliveira <bruno at abstractj.org> wrote:
>
>> You are correct my friend.
>>
>> @Erik for now I would say, move forward with the plan and let's make use
>> of AGSec 1.3.0 in the future, we will address this issue providing
>> interfaces for encryption
>> (http://staging.aerogear.org/docs/planning/roadmaps/AeroGearSecurity/)
>
> Yeah if we have a good way to encrypt it why not use it…
>
>> A second option would be: do not store the shared secret and let the
>> developers choose how they want to store it, providing their own
>> encryption. Sorry, I'm a bit dumb-ish on Cordova, not sure if that's
>> possible.
>
> Yes that is possible right now.
>
>> Apostolos Emmanouilidis wrote:
>>> Obviously, if the device is rooted, then the data in both storage
>>> types is accessible to every asset with root privileges. In such a
>>> case, encryption would be useful. However, taking into consideration
>>> the purpose of OTP, I believe that this danger is acceptable and
>>> encryption is too much to have in the Cordova plugin.
>>>
>>> Our security gurus are more appropriate to answer such kinds of
>>> questions :)
>> --
>> abstractj
>>
>>
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
> Apostolos Emmanouilidis <mailto:aemmanou at redhat.com>
> September 24, 2013 5:27 AM
> Regarding the Android part, I've seen famous Android OTP
> authenticators using the SQLite storage. In my opinion SQLite and
> SharedPreferences have the same security level. In both cases the data
> is stored within the applications directory on the mobile device file
> system. An SQLite database is accessible by all the classes inside the
> specific application and is not accessible outside the application.
> The SharedPreferences data is stored in an un-encrypted XML file which
> is by default accessible only to the specific application. So the
> decision on whether to use the SQLite or SharedPreferences option is
> mostly based on the amount of data and performance reasons.
>
> Obviously, if the device is rooted, then the data in both storage
> types is accessible to every asset with root privileges. In such a
> case, encryption would be useful. However, taking into consideration
> the purpose of OTP, I believe that this danger is acceptable and
> encryption is too much to have in the Cordova plugin.
>
> Our security gurus are more appropriate to answer such kinds of
> questions :)
>
>
> On Tue, 2013-09-24 at 08:12 +0200, Erik Jan de Wit wrote:
>> The secret is scanned with the barcode scanner and stored in
>> SharedPreferences on Android and NSUserDefaults on iOS.
>>
>> On 24 Sep,2013, at 4:41 , "Bruno Oliveira" <bruno at abstractj.org
>> <mailto:bruno at abstractj.org>> wrote:
>>
>>> Hi Erik,
>>>
>>>
>>> How the shared secret is being retrieved? And how do you store it?
>>>
>>>
>>>
>>> —
>>> abstractj
>>>
>>> On Mon, Sep 23, 2013 at 3:38 AM, Erik Jan de Wit
>>> <edewit at redhat.com> wrote:
>>>
>>>
>>> As this is a security thing it would be great if others would
>>> take a look at it, because we want to be extra sure there is no
>>> obvious security hole in this.
>>>
>>> Cheers, Erik Jan
>>>
>>
>>
>
> Erik Jan de Wit <mailto:edewit at redhat.com>
> September 24, 2013 3:12 AM
> The secret is scanned with the barcode scanner and stored in
> SharedPreferences on Android and NSUserDefaults on iOS.
>
>
>
> Bruno Oliveira <mailto:bruno at abstractj.org>
> September 23, 2013 11:41 PM
> Hi Erik,
>
> How the shared secret is being retrieved? And how do you store it?
>
>
>
> —
> abstractj
>
> On Mon, Sep 23, 2013 at 3:38 AM, Erik Jan de Wit
> <edewit at redhat.com> wrote:
> Erik Jan de Wit <mailto:edewit at redhat.com>
> September 23, 2013 3:38 AM
>
>
> One Time Password
>
> I've checked in the cordova otp
> <https://github.com/edewit/aerogear-otp-cordova> module; it now
> supports Android and iOS. I've added a dependency on the barcode
> scanner plugin so that it is a complete package. There is one
> general |generate| method that will check if there is a secret stored;
> if not, it will fire up the barcode scanner to scan a secret and then
> store it. There are also separate methods that support these functions.
>
> On the Android side I use SharedPreferences and for iOS NSUserDefaults
> to store the secret. Currently the project is under my own name; I don't
> know how to move it.
>
> As this is a security thing it would be great if others would take a
> look at it, because we want to be extra sure there is no obvious security
> hole in this.
>
> Cheers, Erik Jan
>
--
abstractj