The current implementation is "secure" in the sense that when a user looks at LocalStorage, they cannot immediately identify the value. (I think that's enough for most cases.)
https://github.com/mogol/flutter_secure_storage/blob/v9.2.2/flutter_secure_storage_web/lib/flutter_secure_storage_web.dart#L104
On the other hand, by reading the code in flutter_secure_storage, we can analyze the stored JWK. (Of course, it is hard work.) To increase the difficulty of this analysis, I propose obfuscating the stored JWK using an app-specific key.
https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/wrapKey
https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/unwrapKey
How about adding this option to WebOptions?
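A sketch of the wrapKey/unwrapKey round trip proposed above, as an added example that is not code from this post or from flutter_secure_storage. The function names, the stored JSON layout and the SHA-256 derivation of the wrapping key from the app-specific string are assumptions; because that string ships inside the app, the wrapping raises analysis effort rather than keeping the key secret.

```javascript
// Added example; all names below are hypothetical, not flutter_secure_storage APIs.
// Browsers expose globalThis.crypto; the require() fallback covers older Node only.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const { subtle } = webCrypto;

const toB64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Assumption: the wrapping key is SHA-256 of an app-specific string option.
async function deriveWrappingKey(appSpecificKey) {
  const digest = await subtle.digest("SHA-256", new TextEncoder().encode(appSpecificKey));
  return subtle.importKey("raw", digest, "AES-GCM", false, ["wrapKey", "unwrapKey"]);
}

// Wrap the data key in JWK format. AES-GCM is used because AES-KW requires
// input whose length is a multiple of 8 bytes, which JWK JSON does not guarantee.
async function wrapForStorage(dataKey, wrappingKey) {
  const iv = webCrypto.getRandomValues(new Uint8Array(12)); // fresh IV per wrap
  const wrapped = await subtle.wrapKey("jwk", dataKey, wrappingKey, { name: "AES-GCM", iv });
  return JSON.stringify({ iv: toB64(iv), wrapped: toB64(wrapped) });
}

// Reverse of wrapForStorage; rejects if the wrapping key or stored value is wrong.
async function unwrapFromStorage(stored, wrappingKey) {
  const { iv, wrapped } = JSON.parse(stored);
  return subtle.unwrapKey("jwk", fromB64(wrapped), wrappingKey,
    { name: "AES-GCM", iv: fromB64(iv) }, { name: "AES-GCM" }, true, ["encrypt", "decrypt"]);
}

// Round trip with constructed sample keys; `stored` is what would go to LocalStorage.
async function demo(appKey = "constructed-app-key", otherKey = "different-app-key") {
  const dataKey = await subtle.generateKey({ name: "AES-GCM", length: 256 }, true,
    ["encrypt", "decrypt"]);
  const originalK = (await subtle.exportKey("jwk", dataKey)).k;
  const stored = await wrapForStorage(dataKey, await deriveWrappingKey(appKey));
  const restored = await unwrapFromStorage(stored, await deriveWrappingKey(appKey));
  const sameKey = (await subtle.exportKey("jwk", restored)).k === originalK;
  // A different app-specific key must fail the GCM authentication check.
  const wrongKeyRejected = await unwrapFromStorage(stored, await deriveWrappingKey(otherKey))
    .then(() => false, () => true);
  return { stored, sameKey, wrongKeyRejected, leaksJwk: stored.includes(originalK) };
}
```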