EddyVerbruggen / nativescript-secure-storage

NativeScript plugin for secure local storage of e.g. passwords
MIT License

Increase the security for when the keys are accessible on iOS #19

Closed PeterStaev closed 6 years ago

PeterStaev commented 6 years ago

From what I see from the code, you use the default kSecAttrAccessibleAlwaysThisDeviceOnly. This is really not that secure since the data could be accessed even if the phone is restarted and/or locked. I think it is best to use kSecAttrAccessibleWhenUnlockedThisDeviceOnly. Or maybe provide a way to customize the setting?

EddyVerbruggen commented 6 years ago

Good point. The drawback of kSecAttrAccessibleWhenUnlockedThisDeviceOnly seems to be that the app needs to be in the foreground. That may break certain apps.

Also, the current setting (kSecAttrAccessibleAlwaysThisDeviceOnly) prevents data migration from one device to the other (when you buy a new iPhone). That may be undesirable as well.

Making it configurable with all six-ish options iOS offers would be best, but for backward compatibility's sake the current setting should be the default.

SonofNun15 commented 4 years ago

Any thoughts on how to apply this more secure kSecAttrAccessibleWhenUnlockedThisDeviceOnly for iOS devices only without breaking apps that also run on Android?

PeterStaev commented 4 years ago

@SonofNun15, that's easy. When you initialize the SecureStorage you check and you send the parameter only if iOS. Something like this:

const ss = new SecureStorage(isIOS ? kSecAttrAccessibleWhenUnlockedThisDeviceOnly : undefined)

SonofNun15 commented 4 years ago

Thanks! I didn't know isIOS was a thing, still pretty new to NativeScript development. Appreciate the insight!
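
The trade-offs raised in this thread (access while locked, migration to a new device, iOS-only argument) can be folded into one helper. This is an added example, not code from the thread or from the plugin; `chooseAccessibility`, `accessibilityArg` and the `lookup` parameter are hypothetical names, and the default lookup assumes NativeScript exposes the iOS keychain constants as globals.

```javascript
// Added example; helper names are hypothetical, not part of the plugin.
// The constant names are Apple's keychain accessibility attributes.

// Pick the most restrictive class that still meets the app's needs.
//   backgroundAccess: item must be readable while the device is locked
//                     (once it has been unlocked after boot).
//   deviceMigration:  item may move to a new device via backup/restore.
function chooseAccessibility({ backgroundAccess = false, deviceMigration = false } = {}) {
  const base = backgroundAccess
    ? "kSecAttrAccessibleAfterFirstUnlock"
    : "kSecAttrAccessibleWhenUnlocked";
  return deviceMigration ? base : base + "ThisDeviceOnly";
}

// Build the SecureStorage constructor argument: the native constant on iOS,
// undefined on Android. `lookup` maps a constant name to its native value.
function accessibilityArg(isIOS, needs, lookup = (name) => globalThis[name]) {
  if (!isIOS) return undefined; // Android: nothing to pass
  const name = chooseAccessibility(needs);
  const value = lookup(name);
  if (value === undefined) {
    // Fail closed: passing undefined on iOS would silently select the
    // plugin's default (kSecAttrAccessibleAlwaysThisDeviceOnly).
    throw new Error("keychain constant not available: " + name);
  }
  return value;
}

// Usage inside an app (isIOS and SecureStorage come from the app's imports):
//   const ss = new SecureStorage(accessibilityArg(isIOS, { backgroundAccess: false }));
```
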