Securing Client-Side Data

Andrew Duncan
September 19, 2013

This session, presented at ModUX Con in Amsterdam, looked at what we need to consider when we want to store sensitive data on the client-side. We explored the mechanisms available to us and how we can use them to secure client-side data in our apps.

Transcript

  1. Securing Client-Side Data
     Andrew Duncan, Co-Founder, SwarmOnline
     @andrewmduncan
     andrew@swarmonline.com
     Wednesday, 25 September 13
  3. Why store client-side?

  4. Improve performance

  5. Make the app work offline

  6. Where can we store our Data?

  7. LocalStorage, Cookies, WebSQL, IndexedDB, SessionStorage

  8. HTML5 Storage is not secure. Can we do something about that?

  9. HTML5 Storage and Security
     - Not Encrypted
     - It can't be trusted
     - Don't store session identifiers
     - Only cookies can use the httpOnly flag
     - SessionStorage probably our best option

  10. JavaScript can help us... maybe

  11. Watch out for libraries not maintained by Cryptographers

  12. Crypto-JS
      - Collection of Security Algorithms
      - MD5, PBKDF2, AES etc...
      - Easy to use
      - https://code.google.com/p/crypto-js/

  13. Stanford JavaScript Crypto Library
      - AES
      - http://crypto.stanford.edu/sjcl/

  14. Still Maintained: https://github.com/bitwiseshiftleft/sjcl/contributors

  15.
      ```javascript
      // sjcl.encrypt(password, plaintext) returns a JSON string
      var encryptedData = sjcl.encrypt('Amsterdam', 'ModUXCon');
      // "{
      //   "iv": "/mx7CEihT3d7SOwwE7xrWA",
      //   "v": 1,
      //   "iter": 1000,
      //   "ks": 128,
      //   "ts": 64,
      //   "mode": "ccm",
      //   "adata": "",
      //   "cipher": "aes",
      //   "salt": "zWAyQczJww4",
      //   "ct": "nyBREOy9jjrMbQARklcvJg"
      // }"

      var data = sjcl.decrypt('Amsterdam', encryptedData);
      // data = "ModUXCon"
      ```
  16. The user's password is a good key, particularly when used with a key derivation function.

  17. Override Ext.encode & Ext.decode
      - Straightforward approach
      - Useful if ALL JSON is encrypted
      - Could also write your own extended functions
      - Ext.JSON.encodeEncrypted()
      - Ext.JSON.decodeEncrypted()
  18.
      ```javascript
      this.encode = function() {
          var ec;
          return function(o) {
              if (!ec) {
                  // setup encoding function on first access
                  ec = isNative() ? JSON.stringify : doEncode;
              }
              return ec(o);
          };
      }();
      ```

  19.
      ```javascript
      this.encode = function() {
          var ec;
          return function(o) {
              if (!ec) {
                  // setup encoding function on first access
                  ec = isNative() ? JSON.stringify : doEncode;
              }
              // encrypt the JSON string before it is returned
              return sjcl.encrypt('KEY', ec(o));
          };
      }();
      ```
  20.
      ```javascript
      this.decode = function() {
          var dc;
          return function(json, safe) {
              if (!dc) {
                  // setup decoding function on first access
                  dc = isNative() ? JSON.parse : doDecode;
              }
              try {
                  return dc(json);
              } catch (e) {
                  if (safe === true) {
                      return null;
                  }
                  Ext.Error.raise({
                      sourceClass: "Ext.JSON",
                      sourceMethod: "decode",
                      msg: "You're trying to decode an invalid JSON String: " + json
                  });
              }
          };
      }();
      ```
  21.
      ```javascript
      this.decode = function() {
          var dc;
          return function(json, safe) {
              if (!dc) {
                  // setup decoding function on first access
                  dc = isNative() ? JSON.parse : doDecode;
              }
              try {
                  // Reverse of encode(): decrypt the stored ciphertext first,
                  // then parse the recovered JSON string.
                  return dc(sjcl.decrypt('KEY', json));
              } catch (e) {
                  if (safe === true) {
                      return null;
                  }
                  Ext.Error.raise({
                      sourceClass: "Ext.JSON",
                      sourceMethod: "decode",
                      msg: "You're trying to decode an invalid JSON String: " + json
                  });
              }
          };
      }();
      ```
  22. Overriding The Proxy
      - Provides more flexibility
      - Doesn't have a knock-on effect across the rest of your app
      - Not all Proxies use JSON (e.g. SQL)

  23.
      ```javascript
      getRecord: function(id) {
          if (this.cache[id] === undefined) {
              var recordKey = this.getRecordKey(id),
                  item = this.getStorageObject().getItem(recordKey),
                  data = {},
                  Model = this.getModel(),
                  fields = Model.getFields().items,
                  length = fields.length,
                  i, field, name, record, rawData, rawValue;

              if (!item) {
                  return undefined;
              }

              rawData = Ext.decode(item);
              ...
          }
          return this.cache[id];
      }
      ```
  24.
      ```javascript
      getRecord: function(id) {
          if (this.cache[id] === undefined) {
              var recordKey = this.getRecordKey(id),
                  item = this.getStorageObject().getItem(recordKey),
                  data = {},
                  Model = this.getModel(),
                  fields = Model.getFields().items,
                  length = fields.length,
                  i, field, name, record, rawData, rawValue;

              if (!item) {
                  return undefined;
              }

              // Reverse of setRecord(): decrypt the stored item first,
              // then decode the recovered JSON.
              rawData = Ext.decode(sjcl.decrypt('KEY', item));
              ...
          }
          return this.cache[id];
      }
      ```
  25.
      ```javascript
      setRecord: function(record, id) {
          ...
          try {
              obj.setItem(key, Ext.encode(data));
          } catch (e) {
              this.fireEvent('exception', this, e);
          }
          record.commit();
      }
      ```

  26.
      ```javascript
      setRecord: function(record, id) {
          ...
          try {
              // encode the record to JSON, then encrypt it before storing
              obj.setItem(key, sjcl.encrypt('KEY', Ext.encode(data)));
          } catch (e) {
              this.fireEvent('exception', this, e);
          }
          record.commit();
      }
      ```
  27. W3C Web Cryptography Working Group

  28. Hybrid App Containers
      - Filesystem storage
      - Data Storage Options

  29. PhoneGap
      - Hardware Encryption - limited by platform
      - Use SQLite Plugin
      - SQLCipher
      - Open Source
      - 256-bit encryption
      - http://brodyspark.blogspot.co.uk/
      - Don't store the key - derive from user's password

  30. RhoMobile
      - Similar to PhoneGap
      - Rhom Local Database
      - SQLite Database
      - SQLite Encryption Extension (SEE)
      - All or nothing switch

  31. Sencha Space
      - Secure data stores
      - Secured LocalStorage
      - Secure Files API
      - Remove app access to make the data inaccessible

  32. Remote Wiping Data
      - Use a mobile device management (MDM) suite
      - AirWatch
      - Soti MobiControl
      - Sencha Space

  33. Questions?
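
The advice on slides 16 and 29 (derive the key from the user's password rather than storing it) combined with the proxy pattern on slides 23 to 26, as an added example that is not part of the deck. It uses Node's built-in `crypto` module (PBKDF2 and AES-256-GCM) in place of SJCL and a `Map` in place of sessionStorage; the function names mirror the proxy methods, and the iteration count, envelope fields and sample values are constructed.

```javascript
const nodeCrypto = require("crypto");

// Storage is untrusted, so KDF parameters are fixed in code, not read back.
const ITERATIONS = 100000; // constructed value; tune for the target devices

// Derive a 256-bit key from the user's password; the key itself is never stored.
function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, ITERATIONS, 32, "sha256");
}

// Like setRecord on slide 26: encode the record, encrypt it, then store it.
function setRecord(store, id, data, password) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(data), "utf8"), cipher.final()]);
  const b64 = (buf) => buf.toString("base64");
  store.set(id, JSON.stringify({
    v: 1, salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), ct: b64(ct),
  }));
}

// Like getRecord on slide 24: read the item, decrypt it, and only then decode.
// Returns undefined if nothing is stored, null on wrong password or tampering.
function getRecord(store, id, password) {
  const item = store.get(id);
  if (!item) return undefined;
  try {
    const env = JSON.parse(item);
    const raw = (field) => Buffer.from(env[field], "base64");
    const decipher = nodeCrypto.createDecipheriv(
      "aes-256-gcm", deriveKey(password, raw("salt")), raw("iv"), { authTagLength: 16 });
    decipher.setAuthTag(raw("tag"));
    const pt = Buffer.concat([decipher.update(raw("ct")), decipher.final()]);
    return JSON.parse(pt.toString("utf8"));
  } catch (e) {
    return null; // GCM tag mismatch or malformed envelope: treat as unreadable
  }
}

// Constructed demo: a Map stands in for sessionStorage.
const demoStore = new Map();
setRecord(demoStore, "user-1", { city: "Amsterdam", event: "ModUXCon" }, "correct horse");
console.log(getRecord(demoStore, "user-1", "correct horse"));
console.log(getRecord(demoStore, "user-1", "not the password"));
```

Because the mode is authenticated, a record edited in storage fails to decrypt instead of decoding to attacker-chosen data, which addresses the "it can't be trusted" point on slide 9 as well as confidentiality.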