Securing Client-Side Data Andrew Duncan, Co-Founder, SwarmOnline @andrewmduncan andrew@swarmonline.com Wednesday, 25 September 13

Wednesday, 25 September 13

Why store client-side? Wednesday, 25 September 13

Improve performance Wednesday, 25 September 13

Make the app work o ine Wednesday, 25 September 13

Where can we store our Data? Wednesday, 25 September 13

LocalStorage Cookies WebSQL IndexedDB SessionStorage Wednesday, 25 September 13

HTML5 Storage is not secure Can we do something about that? Wednesday, 25 September 13

HTML5 Storage and Security -Not Encrypted -It can’t be trusted -Don’t store session identifiers -Only cookies can use the httpOnly flag -SessionStorage probably our best option Wednesday, 25 September 13

JavaScript can help us... maybe Wednesday, 25 September 13

Watch out for libraries not maintained by Cryptographers Wednesday, 25 September 13

Crypto-JS -Collection of Security Algorithms -MD5, PBKDF2, AES etc... -Easy to use -https://code.google.com/p/crypto-js/ Wednesday, 25 September 13

Stanford JavaScript Crypto Library -Stanford Javascript Crypto Library -AES -http://crypto.stanford.edu/sjcl/ Wednesday, 25 September 13

https://github.com/bitwiseshiftleft/sjcl/contributors Still Maintained Wednesday, 25 September 13

var encryptedData = sjcl.encrypt('Amsterdam', 'ModUXCon'); //"{ // "iv": "/mx7CEihT3d7SOwwE7xrWA", // "v": 1, // "iter": 1000, // "ks": 128, // "ts": 64, // "mode": "ccm", // "adata": "", // "cipher": "aes", // "salt": "zWAyQczJww4", // "ct": "nyBREOy9jjrMbQARklcvJg" //}" var data = sjcl.decrypt('Amsterdam', encryptedData); //data = "ModUXCon" Wednesday, 25 September 13

The users password is a good key, particularly when used with a key derivation function. Wednesday, 25 September 13

Override Ext.encode & Ext.decode -Straightforward approach -Useful if ALL JSON is encrypted -Could also write your own extended functions -Ext.JSON.encodeEncrypted() -Ext.JSON.decodeEncrypted() Wednesday, 25 September 13

this.encode = function() { var ec; return function(o) { if (!ec) { // setup encoding function on first access ec = isNative() ? JSON.stringify : doEncode; } return ec(o); }; }(); Wednesday, 25 September 13

this.encode = function() { var ec; return function(o) { if (!ec) { // setup encoding function on first access ec = isNative() ? JSON.stringify : doEncode; } return sjcl.encrypt('KEY', ec(o)); }; }(); Wednesday, 25 September 13

this.decode = function() { var dc; return function(json, safe) { if (!dc) { // setup decoding function on first access dc = isNative() ? JSON.parse : doDecode; } try { return dc(json); } catch (e) { if (safe === true) { return null; } Ext.Error.raise({ sourceClass: "Ext.JSON", sourceMethod: "decode", msg: "You're trying to decode an invalid JSON String: " + json }); } }; }(); Wednesday, 25 September 13

this.decode = function() { var dc; return function(json, safe) { if (!dc) { // setup decoding function on first access dc = isNative() ? JSON.parse : doDecode; } try { return sjcl.decrypt('KEY', dc(json)); } catch (e) { if (safe === true) { return null; } Ext.Error.raise({ sourceClass: "Ext.JSON", sourceMethod: "decode", msg: "You're trying to decode an invalid JSON String: " + json }); } }; }(); Wednesday, 25 September 13

Overriding The Proxy -Provides more flexibility -Doesn’t have a knock-on effect across the rest of your app -Not all Proxies use JSON (e.g. SQL) Wednesday, 25 September 13

getRecord: function(id) { if (this.cache[id] === undefined) { var recordKey = this.getRecordKey(id), item = this.getStorageObject().getItem(recordKey), data = {}, Model = this.getModel(), fields = Model.getFields().items, length = fields.length, i, field, name, record, rawData, rawValue; if (!item) { return undefined; } rawData = Ext.decode(item); ... } return this.cache[id]; } Wednesday, 25 September 13

getRecord: function(id) { if (this.cache[id] === undefined) { var recordKey = this.getRecordKey(id), item = this.getStorageObject().getItem(recordKey), data = {}, Model = this.getModel(), fields = Model.getFields().items, length = fields.length, i, field, name, record, rawData, rawValue; if (!item) { return undefined; } rawData = sjcl.decrypt('KEY', Ext.decode(item)); ... } return this.cache[id]; } Wednesday, 25 September 13

setRecord: function(record, id) { ... try { obj.setItem(key, Ext.encode(data)); } catch(e){ this.fireEvent('exception', this, e); } record.commit(); } Wednesday, 25 September 13

setRecord: function(record, id) { ... try { obj.setItem(key, sjcl.encrypt('KEY', Ext.encode(data))); } catch(e){ this.fireEvent('exception', this, e); } record.commit(); } Wednesday, 25 September 13

W3C Web Cryptography Working Group Wednesday, 25 September 13

Hybrid App Containers -Filesystem storage -Data Storage Options Wednesday, 25 September 13

PhoneGap - Hardware Encryption - limited by platform - Use SQLLite Plugin - SQLCipher - Open Source - 256-bit encryption - http://brodyspark.blogspot.co.uk/ - Don’t store the key - derive from users password Wednesday, 25 September 13

RhoMobile -Similar to PhoneGap -Rhom Local Database -SQLite Database -SQLite Encryption Extension (SEE) -All or nothing switch Wednesday, 25 September 13

Sencha Space -Secure data stores -Secured LocalStorage -Secure Files API -Remove app access to make the data inaccessible Wednesday, 25 September 13

Remote Wiping Data -Use a mobile device management (MDM) suite -AirWatch -Soti MobiControl -Sencha Space Wednesday, 25 September 13

Questions? Wednesday, 25 September 13