I'm building an app on Phonegap (iOS and Android). Users sign up and then they can write private notes.
When they launch the app, they have to sign in on the remote server, there's the sync between remote and local (encrypted with user's password) db and then they can view their notes from local db.
The problem is: I want to ask them for the password only once, not every note they want to read.
Is there a way to safely share db's password between webviews, so that I can initialize on every page the encrypted websql db?
Alternatively, is there a way to initialize only once the encrypted db and to access it from different webviews?
Thanks a lot
Late answer. But if it helps someone.
If it's really necessary then an encryption decryption can be performed inside the app. Before saving the password in database like websql you can perform an encryption with your custom way and decrypt password with js after retrieval. This way your password is safe in database. Though as grant mentioned, there is no need for it in mobile device.
Related
I need to add a password reset part to my application but in my application user's email and password store in the realtime database not in the authentication database. Like this:
Actually I do not care about security so I just built this for my education purpose. Can you give me any tutorial or example that I can follow to code the reset password part?
Should be relatively simple to do.
Video here on it
https://www.youtube.com/watch?v=0-DRdI_xpvQ
However, please do not store passwords as raw text data. It is insecure and not good practice. Sure its fine for demo applications but you should store them using some kind of encoding/encryption/hashing.
Well, the Firebase authenticator has a function to reset the password via email, if you want to try with that one.
If you want to stay just with realtime DB my suggestion is to update that value for that specific user Google Firebase Documentation for that
I am integrating log in in my app. There is a requirement for log in without internet connection. Means first time when user gets login there will be a web service call for log in authentication but next time the web service call should not be needed it should authenticate from local db of device. First time on log in response I am saving user credentials in local db (means device db using sqlite) and for rest of the attempts I am matching credentials from local db for authentication. For authentication, password is a plan text in local db and I am matching plan passwords. It this good idea/approach to match password as a plan text or I am supposed to be using any encryption? If encryption is required so why is it needed so. I mean when db file is stored internally no one can fetch password.So why encryption is needed?
Never ever store passwords in plain text anywhere. Event when it's local and nobody has access to it.
The better approach is storing it using a hashing algorithm along with salt so the if password is leaked somewhere, no harm should come of it.
You can then hash the input password with the same algorithm and verify it with one you have previously stored.
Here are some links to get you started on hashing:
https://crackstation.net/hashing-security.htm
http://howtodoinjava.com/security/how-to-generate-secure-password-hash-md5-sha-pbkdf2-bcrypt-examples/
We have an Android application which stores its data in a local SQLite database; primarily for performance, but also to allow for working off-line (as we are often in areas with low signal).
At the moment, the data is stored in encrypted format (passed down from our web servers), but this in itself causes a performance issue, where for example, if we want to search records for a particular "surname", we need to decrypt ALL of the data, rather than using a straight SQL query, to include where surname='Smith'
We cannot (as it currently stands) store the data in a more friendly 'open-format', as it's possible to 'root' the device, take a copy of the MySQL database, open it and read the data.
Is there the means (perhaps someone can provide an example) to either password protect the local SQLite database or somehow apply encryption, so that we can (from an application perspective) have the database available in open format, but so that if any would-be hacker got hold of the device and rooted it ... they would have a hard time reading our data?
I have searched for a suitable solution and cannot find any options for the SQLite database, any 3rd party software or any examples of code that do this.
SqlCipher, this will might work in your case
Remote Storage:
Your data is sensitive and needs to be accessed by the user on the go from different devices. If your app is a good one then the above line will hold true.
Security + Remote access from any device says you maintain your dB on a remote server.
Your flow can be :
User login --> Token --> Auth Token in every call --> Process request and get/put data in/from dB
Local Storage:
Let's say that you only want to store data locally and don't want to store it on the server. For this you can use public-key cryptography
You can use a public Key in your app to encrypt the data and store it. Now, you want to access the data. Request the private key from the server and decrypt it.
Again, to get access to private key you should use some form of authorization (or anyone can access your key).
Without the private key, even if a hacker roots the phone and gets his/her hands on the dB, the data would be useless.
so i have an app which connects to a remote database (on the web) using JSON, it contains some user info including passwords, and i was wondering what is the best practice to encrypt the user password so that they can safely be stored to a database
SHA1 should be good unless youre doing something important
I am building a android application within flash builder, that will allow clients to use and access the database within the application, but blocking outside.
The case is to take an encrypted database(to stop client from accessing the information, outside the application), a password (to be hidden from the client) and upload it to a server. Of which the server will be able to use this password to decrypt the database, then I plan to use PHP to manipulate the data.
What would be the best possible way to securely pass the SQLite database and the password in the upload phase?
Use HTTPS for communicating with your server. That will automatically encrypt all traffic. Also keep in mind, that if the client (user) can access the data from the application, and the data is on the device, there is little you can do to keep them from copying and accessing the data outside of your app. As long as the password/encryption key is also on the device, all it will achieve is slow them down a bit.
Create a http API that your application will use. This API will enforce which operations are possible. So the client never sees the DB password, encrypted or not.
I don't really get what you're encrypting the db for. Are you trying to protect against the case where the server gets hacked?
Now other applications will be able to use this API, and it's impossible to stop them. You can just throw as much obfuscation at it as possible, and hope that crackers are too lazy.