Securing Client Side Data

Post on 11-May-2015

Andrew Duncan at ModUX 2013 http://moduxcon.com

Transcript of Securing Client Side Data

Securing Client-Side Data

Andrew Duncan, Co-Founder, SwarmOnline

@andrewmduncan

andrew@swarmonline.com

Monday, 23 September 13

Why store client-side?

Improve performance

Make the app work offline

Where can we store our Data?

LocalStorage

Cookies

WebSQL

IndexedDB

SessionStorage

HTML5 Storage is not secure

Can we do something about that?

HTML5 Storage and Security

- Not Encrypted

- It can’t be trusted

- Don’t store session identifiers

- Only cookies can use the httpOnly flag

- SessionStorage probably our best option

JavaScript can help us... maybe

Watch out for libraries not maintained by Cryptographers

Crypto-JS

- Collection of Security Algorithms

- MD5, PBKDF2, AES etc...

- Easy to use

- https://code.google.com/p/crypto-js/

Stanford JavaScript Crypto Library

- Stanford Javascript Crypto Library

- AES

- http://crypto.stanford.edu/sjcl/

https://github.com/bitwiseshiftleft/sjcl/contributors

Still Maintained

var encryptedData = sjcl.encrypt('Amsterdam', 'ModUXCon');

// "{
//   "iv": "/mx7CEihT3d7SOwwE7xrWA",
//   "v": 1,
//   "iter": 1000,
//   "ks": 128,
//   "ts": 64,
//   "mode": "ccm",
//   "adata": "",
//   "cipher": "aes",
//   "salt": "zWAyQczJww4",
//   "ct": "nyBREOy9jjrMbQARklcvJg"
// }"

var data = sjcl.decrypt('Amsterdam', encryptedData);

// data = "ModUXCon"

The user's password is a good key, particularly when used with a key derivation function.

Override Ext.encode & Ext.decode

- Straightforward approach

- Useful if ALL JSON is encrypted

- Could also write your own extended functions

- Ext.JSON.encodeEncrypted()

- Ext.JSON.decodeEncrypted()

this.encode = function() {
    var ec;
    return function(o) {
        if (!ec) {
            // setup encoding function on first access
            ec = isNative() ? JSON.stringify : doEncode;
        }
        return ec(o);
    };
}();

this.encode = function() {
    var ec;
    return function(o) {
        if (!ec) {
            // setup encoding function on first access
            ec = isNative() ? JSON.stringify : doEncode;
        }
        return sjcl.encrypt('KEY', ec(o));
    };
}();

this.decode = function() {
    var dc;
    return function(json, safe) {
        if (!dc) {
            // setup decoding function on first access
            dc = isNative() ? JSON.parse : doDecode;
        }
        try {
            return dc(json);
        } catch (e) {
            if (safe === true) {
                return null;
            }
            Ext.Error.raise({
                sourceClass: "Ext.JSON",
                sourceMethod: "decode",
                msg: "You're trying to decode an invalid JSON String: " + json
            });
        }
    };
}();

this.decode = function() {
    var dc;
    return function(json, safe) {
        if (!dc) {
            // setup decoding function on first access
            dc = isNative() ? JSON.parse : doDecode;
        }
        try {
            // decrypt first, then parse: the inverse of the encrypting encode
            return dc(sjcl.decrypt('KEY', json));
        } catch (e) {
            if (safe === true) {
                return null;
            }
            Ext.Error.raise({
                sourceClass: "Ext.JSON",
                sourceMethod: "decode",
                msg: "You're trying to decode an invalid JSON String: " + json
            });
        }
    };
}();

Overriding The Proxy

- Provides more flexibility

- Doesn’t have a knock-on effect across the rest of your app

- Not all Proxies use JSON (e.g. SQL)

getRecord: function(id) {
    if (this.cache[id] === undefined) {
        var recordKey = this.getRecordKey(id),
            item = this.getStorageObject().getItem(recordKey),
            data = {},
            Model = this.getModel(),
            fields = Model.getFields().items,
            length = fields.length,
            i, field, name, record, rawData, rawValue;

        if (!item) {
            return undefined;
        }

        rawData = Ext.decode(item);

        ...
    }

    return this.cache[id];
}

getRecord: function(id) {
    if (this.cache[id] === undefined) {
        var recordKey = this.getRecordKey(id),
            item = this.getStorageObject().getItem(recordKey),
            data = {},
            Model = this.getModel(),
            fields = Model.getFields().items,
            length = fields.length,
            i, field, name, record, rawData, rawValue;

        if (!item) {
            return undefined;
        }

        // decrypt the stored string first, then decode the JSON it contains
        rawData = Ext.decode(sjcl.decrypt('KEY', item));

        ...
    }

    return this.cache[id];
}

setRecord: function(record, id) {
    ...

    try {
        obj.setItem(key, Ext.encode(data));
    } catch(e) {
        this.fireEvent('exception', this, e);
    }

    record.commit();
}

setRecord: function(record, id) {
    ...

    try {
        obj.setItem(key, sjcl.encrypt('KEY', Ext.encode(data)));
    } catch(e) {
        this.fireEvent('exception', this, e);
    }

    record.commit();
}
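
Added example, not code from the talk, SJCL or Ext JS: the encrypt-on-write, decrypt-on-read proxy pattern from the slides above, with the key derived from the user's password instead of a fixed 'KEY'. It uses Node's built-in crypto module (PBKDF2 and AES-GCM in place of SJCL's AES-CCM) so it runs offline; the Map standing in for LocalStorage, the function names and the iteration count are assumptions.

```javascript
// Added example: Node's built-in crypto stands in for SJCL so this runs offline.
const nodeCrypto = require("node:crypto");

const ITERATIONS = 100000; // assumed PBKDF2 work factor, not a value from the talk
const storage = new Map(); // constructed stand-in for window.localStorage

// Derive a 256-bit AES key from the user's password and a per-record salt.
function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, ITERATIONS, 32, "sha256");
}

// Encode, then encrypt. Returns a JSON envelope, similar in spirit to SJCL's output.
function sealRecord(password, record) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every write
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(record), "utf8"), cipher.final()]);
  return JSON.stringify({
    v: 1, cipher: "aes", mode: "gcm",
    salt: salt.toString("base64"), iv: iv.toString("base64"),
    ct: ct.toString("base64"), tag: cipher.getAuthTag().toString("base64"),
  });
}

// Decrypt, then decode (the inverse order). Returns null for a wrong password or
// an envelope that was modified in storage, because GCM authentication fails.
function openRecord(password, envelope) {
  try {
    const e = JSON.parse(envelope);
    const key = deriveKey(password, Buffer.from(e.salt, "base64"));
    const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, Buffer.from(e.iv, "base64"));
    decipher.setAuthTag(Buffer.from(e.tag, "base64"));
    const pt = Buffer.concat([decipher.update(Buffer.from(e.ct, "base64")), decipher.final()]);
    return JSON.parse(pt.toString("utf8"));
  } catch (err) {
    return null;
  }
}

// Proxy-style wrappers: only ciphertext is ever written to storage.
function setRecord(id, password, record) {
  storage.set(id, sealRecord(password, record));
}
function getRecord(id, password) {
  const item = storage.get(id);
  return item === undefined ? undefined : openRecord(password, item);
}
```

Because the key is re-derived from the password on each call, nothing in storage is enough to decrypt a record, and a value edited in storage is rejected instead of being decoded.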

W3C Web Cryptography Working Group

Hybrid App Containers

- Filesystem storage

- Data Storage Options

PhoneGap

- Hardware Encryption

- limited by platform

- Use SQLite Plugin

- SQLCipher

- Open Source

- 256-bit encryption

- http://brodyspark.blogspot.co.uk/

- Don’t store the key - derive from user’s password

RhoMobile

- Similar to PhoneGap

- Rhom Local Database

- SQLite Database

- SQLite Encryption Extension (SEE)

- All or nothing switch

Sencha Space

- Secure data stores

- Secured LocalStorage

- Secure Files API

- Remove app access to make the data inaccessible

Remote Wiping Data

- Use a mobile device management (MDM) suite

- AirWatch

- Soti MobiControl

- Sencha Space

Questions?
