Store files localy in browser database

[GoogleCodeExporter]

It is not safe to have certfile on /mnt/sdcard.
Idea is to store file in browser database.

There would be check-box on input form (certfile/password)
if you like to store it locally.

By default this check-box would be unchecked.
Also if you later uncheck it, it would perform delete from database.

Do you like this idea or it is no matter to you?
I will implement it if there is any need for it.

Original issue reported on code.google.com by supp.san...@gmail.com on 13 Apr 2011 at 12:30

[GoogleCodeExporter]

Original comment by supp.san...@gmail.com on 13 Apr 2011 at 12:30

• Changed state: New

[GoogleCodeExporter]

This is a great idea ;)

Original comment by robert.d...@gmail.com on 14 Apr 2011 at 6:07

[GoogleCodeExporter]

Great!
Just two more and I'm on it. ;)

Original comment by supp.san...@gmail.com on 14 Apr 2011 at 5:03

[GoogleCodeExporter]

I had assumed the certificate was imported the first time it was successfully 
used, especially given the instructions on the project home page that state the 
cert file should be deleted from the SD card. In all likelihood, a user isn't 
going to visit a client cert protected site only once and never again; they're 
going to visit it regularly, and they're not going to want to be prompted 
multiple times on which cert to use. As you've stated, storing the cert on the 
SD card in a semi-permanent fashion is insecure as every process (with 
permission) can read any file there. However, an app's own database and file 
sandbox is restricted just to that app and is readable only by the user ID 
assigned to the app in the Android system. There's nowhere safer on an Android 
device than the app's own internal database.

No offense, but in my opinion this doesn't need a vote; this is a no-brainer. 
To *NOT* store the cert in an internal certificate store is to pose a serious 
risk to the user's security for the site they are authenticating against. 
Adding a database to an Android app is extremely simple and only takes a little 
bit of additional coding. With a bit of extra effort, it would be trivial to 
add in an extra table to remember site URLs and which certs the user has chosen 
to use with them, meaning that (a) the user does not need to be prompted for 
which cert to use for subsequent accesses and (b) the same cert can be used to 
authenticate with multiple sites. (I personally use the same CA and collection 
of client certs to authentication with three different physical servers, so 
each machine only needs one unique client cert.) For extra credit, the 
certificate can be encrypted with a randomly generated key before being stored, 
making it difficult for even users with root access to the device from stealing 
the cert data. Libraries like the Legion of the Bouncy Castle Crypto API make 
this fairly simple.

Original comment by jeff.darlington@gmail.com on 19 Apr 2011 at 1:25

[GoogleCodeExporter]

Original comment by supp.san...@gmail.com on 21 Apr 2011 at 6:43

• Changed state: Started

[GoogleCodeExporter]

I prepare demo version how local storage of certificate will be done.
Fell free to comment and make suggestions. I am still working on it.

http://code.google.com/p/sandrob/downloads/detail?name=sandrob_demo_1_0_0_10.apk

http://code.google.com/p/sandrob/source/browse/misc/KeyStoreUtils/src/org/sandro
b/KeyStoreUtils/ExportImport.java

Original comment by supp.san...@gmail.com on 3 May 2011 at 9:38

[GoogleCodeExporter]

I finished implementation of local store and put new version of application on 
market.

Original comment by supp.san...@gmail.com on 8 May 2011 at 2:27

• Changed state: Fixed