Authentication on Sencha Touch and remote Server - javascript

I would like to have your feedback regarding Authentication mechanism for an Application using PhoneGap and Sencha Touch and a Server in .NET with Active Directory.
So we need to store User credentials on the Mobile Device so a User does not have to re-enter Login and Psw, every time he wish to use the application.
01 - IDEA - Cookies
For my understanding Sencha Touch does not have directly any libraries for managing Cookies.
In order to use cookies I should install "Sencha Ext Js" the base library for Sencha and using
Ext.util.Cookies class. This library it should not be free.
I'm afraid to still have problem with CROS domains regarding working with cookies and IOS security issue.
Also Phonegap does not provide any cookie abstraction, as there are plenty of other tools to do that already (Phonegap just wraps up smartphone functionality, not basic browser functionality).
I could use potenticalyy jQuery, and maybe try jquery-cookie plugin.
02 - IDEA - HTML5 Local Storage
Sencha Touch offer an API for HTML5 Local Storage, so instead to write a cookie, I could save the credential in the Local Storage.
Local data should be kept by the browser for an undefined ammount if time even if the device is turned off.
When a user click the app, I can take the Local Data and sending to the server, the server will authenticate the user.
Despite of the mechanism I have an issue with security.
A)
- Istore the UserName and Pasword as plain text, in a Cookie or in Local Storage and forward to the server.
no encryption is involved, the authenication should work. Cons: It is very easy to read the Cookies and the Local Storage so it is not the state of art for security.
B)
- I store the UserName as plain text and instead for the Pasword I store a "Forms authentication tickets" in a Cookie or in Local Storage and forward to the server.
Ecryption on the server is involved for the "Forms authentication tickets". PRO: High security, CONS: Take time to develope it.
NOTE: Security, the Tickets are encrypted using configuration element of the server's Machine.config file.
My question:
Do you have any experience on of of this scenario?
Do you have a better approach?

Some days ago I have posted Simple Login project to github, you may found it helpful. It works in Webkit browser & on iPhone. Android was not tested.

Related

The best way to store "app secret" in a mobile web application?

I want to develop a "responsive mobile web application (iOS / Android)" with JavaScript to interact with Smart Contract and blockchain.
I decided to develop a hybrid mobile web application. However, the question is how to store the App Secret safe in case of developing a mobile web application with JavaScript ? Since, we do not want to store it in the mobile and blockchain because of security.
I want to develop a "responsive mobile web application (iOS / Android)" with JavaScript to interact with Smart Contract and blockchain.
Is not clear for me if you are referring to write the Mobile Application as a web site that is full responsive in mobile or if you are considering to write it using a framework like Ionic, React Native or others.
If is a responsive website than please ignore the rest of my answer once there is no secure way of securing secrets on them, as far as I am aware.
Now if is a cross platform Mobile App done with any of the many available frameworks, than keep reading because a possible solution exists to solve the problem of secrets on them.
However, the question is how to store the App Secret safe in case of developing a mobile web application with JavaScript ?
Anything running on the client side will be vulnerable to reverse engineering with tools like Xposed or Frida.
Since, we do not want to store it in the mobile and blockchain because of security.
As already pointed out by you the Mobile or Blockchain are not good places to store the App Secret.
A Possible Solution
To harden the communication between your Mobile App and the API server you should use a Mobile App Attestation service, that will guarantee at run-time that your App was not modified or is not running in a jail broken or rooted device, by using an SDK integrated in you App and a service running in the cloud.
The cloud service on successful attestation of the App integrity issues a JWT token that is signed with a secret that only the API server and the cloud service are aware and on failure the JWT token is signed with a fake secret that the API server does not know. This approach will allow for the API server to only serve requests when it can verify the signature in the JWT token and refuse them when it fails the verification.
Once the secret used by the cloud attestation service is not known by the Mobile App it is not possible to reverse engineer it at run-time, even when the App is tampered, running in a rooted device or communicating over a connection that is being the target of a Man in the Middle Attack.
On this article you can walk through example of how a Mobile App Attestation service in the cloud is used to authenticate a React Native App.
Disclaimer: I work at Approov
Xposed
Xposed is a framework for modules that can change the behavior of the system and apps without touching any APKs. That's great because it means that modules can work for different versions and even ROMs without any changes (as long as the original code was not changed too much). It's also easy to undo. As all changes are done in the memory, you just need to deactivate the module and reboot to get your original system back. There are many other advantages, but here is just one more: Multiple modules can do changes to the same part of the system or app. With modified APKs, you to decide for one. No way to combine them, unless the author builds multiple APKs with different combinations.
Frida
Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
JWT Token
Token Based Authentication
JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.

localStorage encryption algorithms

I am using localStorage to store token values and other basic user details for an offline mechanism in an Ionic application. localStorage is not a secure way to store sensitive data. Is there any plugin or any other way to store such data so that it is protected? I am targeting all three platforms, Windows Phone, iOS, and Android.
I came across a cordova plugin called secured storage plugin for this. I hope this should do the trick for you as it keeps the data secured.

How to store credentials in an Outlook Add-in

I'm looking for the correct, secure way to store credentials for a third party API in an Outlook add-in. This overview of the different storage options only says not to store credentials in Settings, but not where to put them, so I assumed the RoamingSettings would be okay. Then I ran into this page with information about RoamingSettings, where it says that is not the right location either.
The question then becomes: What is the right place? Should I build my own storage solution and store/encrypt the credentials in a file or cookie? That does not feel very secure either, since we are talking about what is basically a web app running in an Iframe.
I assume you cannot implement another authorization scheme (token based, cookies etc.) for your API and you are stuck with Basic Authentication and its issues. If you are using ASP.NET, with all the samples available it could be very easy to add another authentication scheme that is more adapted to web clients (such as Office web add-ins).
Having said that, for me your best option is to use HTML5 storage or cookie storage (if not implemented by browser) to store your credentials.
The fact that the app is iFramed is not really a big deal. Those storages (HTML5: sessionStorage/localStorage) rely on domains separation which means that the storage slots where you will put the credentials will not be be visible by other apps, even those living on the parent iFrame.
You may also consider the fact that you may serve the web add-ins and the apis from the same domain. They are both web applications!
You can do what Outlook itself does for its POP3/SMTP/IMAP4 passwords - use CredRead / CredWrite Windows API functions. The data can only be decrypted under the local Windows account used to encrypt the data, so it cannot be take to a different machine and decrypted.
I don't think you can access these functions from JavaScript. This is for an OWA addin, not the Outlook application, is it?

Does Firebase JavaScript API catch-up with server when re-connected

I have a question about Firebase's offline capabilities for JavaScript. Specifically, I am wondering if one were to lose connection while filling out a form on a web application (powered by firebase, obviously), and then try to send that form, would it perform a write operation to the local database, and then catch up with the server when connection is re-established, or would that data be lost? If this is a yes, I am assuming that it does not matter if the user exits out of the page, as long as the form as sent.
I know that it offers tremendous disk persistence for its iOS and Android SDKs, however I am just trying to get a better handle on how this can help in JavaScript. I am aware of the onDisconnectclass, and that it should mainly be used to manage the presence of a users as well - Just has this on mind for a while!
Thanks !
Firebase supports two types of offline mode:
in case of intermittent loss of connectivity, the client will keep serving events from the local data and any writes will be queued. When the connection is restored, all writes are sent to the server and any stale data is resynchronized. We often call this "tunnel mode".
The mobile native (iOS and Android) clients can be configured through their API to store all data on the local disk. In case of prolonged loss of connectivity, these clients will then queue writes on disk too. The client will also be able to serve data from this disk cache, when the app is restarted. This one we often call "airplane mode".
Tunnel mode is available in all Firebase SDKs. Airplane mode is only available in Firebase's native mobile SDKs for Android and iOS.

How store access keys on BB10 Webworks

I am using twitter oAuth in a app, each time of app starts asking for authorisation, but I want a single time authentication to use timeline and other things for that I want to store access tokens, How is it possible.
Thanks in advance..! :)
I use localStorage for this. There's a simple guide with samples here: http://www.smashingmagazine.com/2010/10/11/local-storage-and-how-to-use-it/
On other platforms (Android), I wouldn't recommend this since the app's sandbox can be easily compromised on some devices. On BB10 though, the app file can't be obtained by rooting the device (since it is secure) and the sandbox can't be compromised. If you're extra worried about security, run the token through an algorithm to 'encrypt' the token before saving it to localStorage. Since the code in your app can't be compromised (again, secure platform), that algorithm is safe and secret.
Also, BB10 affords you 25 MB of space in localStorage, which makes it a really nice container for dynamic things. Local Storage will persist when you close the app and open it.
Again, this is not a best practice for all platforms, since on some platforms the app or it's sandbox can be compromised such that someone could get your API keys or tokens just by extracting your app file. But it should be safe on BB10.
Good luck!
John
Note, response is my own and is not endorsed by my employer.

Categories