Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing Client-Side Data

Andrew Duncan
September 19, 2013

Securing Client-Side Data

This session, presented at ModUX Con in Amsterdam, looked at what we need to consider when we want to store sensitive data on the client-side. We explored the mechanisms available to us and how we can use them to secure client-side data in our apps.

Andrew Duncan

September 19, 2013
Tweet

More Decks by Andrew Duncan

Other Decks in Programming

Transcript

  1. HTML5 Storage and Security -Not Encrypted -It can’t be trusted

    -Don’t store session identifiers -Only cookies can use the httpOnly flag -SessionStorage probably our best option Wednesday, 25 September 13
  2. Crypto-JS -Collection of Security Algorithms -MD5, PBKDF2, AES etc... -Easy

    to use -https://code.google.com/p/crypto-js/ Wednesday, 25 September 13
  3. var encryptedData = sjcl.encrypt('Amsterdam', 'ModUXCon'); //"{ // "iv": "/mx7CEihT3d7SOwwE7xrWA", //

    "v": 1, // "iter": 1000, // "ks": 128, // "ts": 64, // "mode": "ccm", // "adata": "", // "cipher": "aes", // "salt": "zWAyQczJww4", // "ct": "nyBREOy9jjrMbQARklcvJg" //}" var data = sjcl.decrypt('Amsterdam', encryptedData); //data = "ModUXCon" Wednesday, 25 September 13
  4. The users password is a good key, particularly when used

    with a key derivation function. Wednesday, 25 September 13
  5. Override Ext.encode & Ext.decode -Straightforward approach -Useful if ALL JSON

    is encrypted -Could also write your own extended functions -Ext.JSON.encodeEncrypted() -Ext.JSON.decodeEncrypted() Wednesday, 25 September 13
  6. this.encode = function() { var ec; return function(o) { if

    (!ec) { // setup encoding function on first access ec = isNative() ? JSON.stringify : doEncode; } return ec(o); }; }(); Wednesday, 25 September 13
  7. this.encode = function() { var ec; return function(o) { if

    (!ec) { // setup encoding function on first access ec = isNative() ? JSON.stringify : doEncode; } return sjcl.encrypt('KEY', ec(o)); }; }(); Wednesday, 25 September 13
  8. this.decode = function() { var dc; return function(json, safe) {

    if (!dc) { // setup decoding function on first access dc = isNative() ? JSON.parse : doDecode; } try { return dc(json); } catch (e) { if (safe === true) { return null; } Ext.Error.raise({ sourceClass: "Ext.JSON", sourceMethod: "decode", msg: "You're trying to decode an invalid JSON String: " + json }); } }; }(); Wednesday, 25 September 13
  9. this.decode = function() { var dc; return function(json, safe) {

    if (!dc) { // setup decoding function on first access dc = isNative() ? JSON.parse : doDecode; } try { return sjcl.decrypt('KEY', dc(json)); } catch (e) { if (safe === true) { return null; } Ext.Error.raise({ sourceClass: "Ext.JSON", sourceMethod: "decode", msg: "You're trying to decode an invalid JSON String: " + json }); } }; }(); Wednesday, 25 September 13
  10. Overriding The Proxy -Provides more flexibility -Doesn’t have a knock-on

    effect across the rest of your app -Not all Proxies use JSON (e.g. SQL) Wednesday, 25 September 13
  11. getRecord: function(id) { if (this.cache[id] === undefined) { var recordKey

    = this.getRecordKey(id), item = this.getStorageObject().getItem(recordKey), data = {}, Model = this.getModel(), fields = Model.getFields().items, length = fields.length, i, field, name, record, rawData, rawValue; if (!item) { return undefined; } rawData = Ext.decode(item); ... } return this.cache[id]; } Wednesday, 25 September 13
  12. getRecord: function(id) { if (this.cache[id] === undefined) { var recordKey

    = this.getRecordKey(id), item = this.getStorageObject().getItem(recordKey), data = {}, Model = this.getModel(), fields = Model.getFields().items, length = fields.length, i, field, name, record, rawData, rawValue; if (!item) { return undefined; } rawData = sjcl.decrypt('KEY', Ext.decode(item)); ... } return this.cache[id]; } Wednesday, 25 September 13
  13. setRecord: function(record, id) { ... try { obj.setItem(key, Ext.encode(data)); }

    catch(e){ this.fireEvent('exception', this, e); } record.commit(); } Wednesday, 25 September 13
  14. setRecord: function(record, id) { ... try { obj.setItem(key, sjcl.encrypt('KEY', Ext.encode(data)));

    } catch(e){ this.fireEvent('exception', this, e); } record.commit(); } Wednesday, 25 September 13
  15. PhoneGap - Hardware Encryption - limited by platform - Use

    SQLLite Plugin - SQLCipher - Open Source - 256-bit encryption - http://brodyspark.blogspot.co.uk/ - Don’t store the key - derive from users password Wednesday, 25 September 13
  16. RhoMobile -Similar to PhoneGap -Rhom Local Database -SQLite Database -SQLite

    Encryption Extension (SEE) -All or nothing switch Wednesday, 25 September 13
  17. Sencha Space -Secure data stores -Secured LocalStorage -Secure Files API

    -Remove app access to make the data inaccessible Wednesday, 25 September 13
  18. Remote Wiping Data -Use a mobile device management (MDM) suite

    -AirWatch -Soti MobiControl -Sencha Space Wednesday, 25 September 13