Securing Client-Side Data Andrew Duncan, Co-Founder, SwarmOnline @andrewmduncan [email protected] Monday, 23 September 13

Andrew Duncan at ModUX 2013 http://moduxcon.com

Why store client-side?

Improve performance

Make the app work offline

Where can we store our Data?

- LocalStorage

- Cookies

- WebSQL

- IndexedDB

- SessionStorage

HTML5 Storage is not secure

Can we do something about that?

HTML5 Storage and Security

- Not Encrypted

- It can’t be trusted

- Don’t store session identifiers

- Only cookies can use the httpOnly flag

- SessionStorage probably our best option

JavaScript can help us... maybe

Watch out for libraries not maintained by Cryptographers

Crypto-JS

- Collection of Security Algorithms

- MD5, PBKDF2, AES etc...

- Easy to use

- https://code.google.com/p/crypto-js/

Stanford JavaScript Crypto Library

- Stanford Javascript Crypto Library

- AES

- http://crypto.stanford.edu/sjcl/

https://github.com/bitwiseshiftleft/sjcl/contributors

Still Maintained

var encryptedData = sjcl.encrypt('Amsterdam', 'ModUXCon');

// "{
//     "iv": "/mx7CEihT3d7SOwwE7xrWA",
//     "v": 1,
//     "iter": 1000,
//     "ks": 128,
//     "ts": 64,
//     "mode": "ccm",
//     "adata": "",
//     "cipher": "aes",
//     "salt": "zWAyQczJww4",
//     "ct": "nyBREOy9jjrMbQARklcvJg"
// }"

var data = sjcl.decrypt('Amsterdam', encryptedData);

// data = "ModUXCon"

The user’s password is a good key, particularly when used with a key derivation function.

Override Ext.encode & Ext.decode

- Straightforward approach

- Useful if ALL JSON is encrypted

- Could also write your own extended functions

  - Ext.JSON.encodeEncrypted()

  - Ext.JSON.decodeEncrypted()

this.encode = function() {
    var ec;
    return function(o) {
        if (!ec) {
            // setup encoding function on first access
            ec = isNative() ? JSON.stringify : doEncode;
        }
        return ec(o);
    };
}();

this.encode = function() {
    var ec;
    return function(o) {
        if (!ec) {
            // setup encoding function on first access
            ec = isNative() ? JSON.stringify : doEncode;
        }
        // encode to a JSON string first, then encrypt that string
        return sjcl.encrypt('KEY', ec(o));
    };
}();

this.decode = function() {
    var dc;
    return function(json, safe) {
        if (!dc) {
            // setup decoding function on first access
            dc = isNative() ? JSON.parse : doDecode;
        }
        try {
            return dc(json);
        } catch (e) {
            if (safe === true) {
                return null;
            }
            Ext.Error.raise({
                sourceClass: "Ext.JSON",
                sourceMethod: "decode",
                msg: "You're trying to decode an invalid JSON String: " + json
            });
        }
    };
}();

this.decode = function() {
    var dc;
    return function(json, safe) {
        if (!dc) {
            // setup decoding function on first access
            dc = isNative() ? JSON.parse : doDecode;
        }
        try {
            // reverse of encode(): decrypt the stored string first,
            // then parse the recovered JSON
            return dc(sjcl.decrypt('KEY', json));
        } catch (e) {
            if (safe === true) {
                return null;
            }
            Ext.Error.raise({
                sourceClass: "Ext.JSON",
                sourceMethod: "decode",
                msg: "You're trying to decode an invalid JSON String: " + json
            });
        }
    };
}();

Overriding The Proxy

- Provides more flexibility

- Doesn’t have a knock-on effect across the rest of your app

- Not all Proxies use JSON (e.g. SQL)

getRecord: function(id) {
    if (this.cache[id] === undefined) {
        var recordKey = this.getRecordKey(id),
            item = this.getStorageObject().getItem(recordKey),
            data = {},
            Model = this.getModel(),
            fields = Model.getFields().items,
            length = fields.length,
            i, field, name, record, rawData, rawValue;

        if (!item) {
            return undefined;
        }

        rawData = Ext.decode(item);

        ...
    }

    return this.cache[id];
}

getRecord: function(id) {
    if (this.cache[id] === undefined) {
        var recordKey = this.getRecordKey(id),
            item = this.getStorageObject().getItem(recordKey),
            data = {},
            Model = this.getModel(),
            fields = Model.getFields().items,
            length = fields.length,
            i, field, name, record, rawData, rawValue;

        if (!item) {
            return undefined;
        }

        // reverse of setRecord: decrypt the stored string first,
        // then decode the recovered JSON
        rawData = Ext.decode(sjcl.decrypt('KEY', item));

        ...
    }

    return this.cache[id];
}

setRecord: function(record, id) {
    ...

    try {
        obj.setItem(key, Ext.encode(data));
    } catch(e) {
        this.fireEvent('exception', this, e);
    }

    record.commit();
}

setRecord: function(record, id) {
    ...

    try {
        obj.setItem(key, sjcl.encrypt('KEY', Ext.encode(data)));
    } catch(e) {
        this.fireEvent('exception', this, e);
    }

    record.commit();
}
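
The two ideas above, deriving the key from the user's password and encrypting inside the proxy's setRecord/getRecord, combined in one example. It is added here and is not code from the talk: it uses Node's built-in crypto (PBKDF2-SHA256 and AES-256-GCM) in place of SJCL so it runs without dependencies, and `memoryStore`, `createSecureProxy`, the `kdf-salt` storage key and the iteration count are assumptions made for illustration.

```javascript
// Added example (not from the talk). Runs under Node.js with its built-in crypto.
const nodeCrypto = require('node:crypto');

const ITERATIONS = 100000; // assumption: PBKDF2 work factor picked for this example

// Constructed stand-in for sessionStorage/localStorage so the example runs offline.
function memoryStore() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

function createSecureProxy(store, password) {
  // Only the random salt is persisted; the key is re-derived from the password.
  let salt = store.getItem('kdf-salt');
  if (!salt) {
    salt = nodeCrypto.randomBytes(16).toString('base64');
    store.setItem('kdf-salt', salt);
  }
  const key = nodeCrypto.pbkdf2Sync(password, Buffer.from(salt, 'base64'), ITERATIONS, 32, 'sha256');
  const b64 = (buf) => buf.toString('base64');
  const raw = (s) => Buffer.from(s, 'base64');

  return {
    // Write path: encode to JSON first, then encrypt.
    setRecord(id, data) {
      const iv = nodeCrypto.randomBytes(12); // fresh IV for every write
      const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
      c.setAAD(Buffer.from(id)); // bind the ciphertext to its record key
      const ct = Buffer.concat([c.update(JSON.stringify(data), 'utf8'), c.final()]);
      store.setItem(id, JSON.stringify({ iv: b64(iv), ct: b64(ct), tag: b64(c.getAuthTag()) }));
    },
    // Read path: decrypt first, then decode. Anything that fails
    // authentication (tampering, wrong password, moved record) is rejected.
    getRecord(id) {
      const item = store.getItem(id);
      if (!item) return undefined;
      try {
        const env = JSON.parse(item);
        const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw(env.iv), { authTagLength: 16 });
        d.setAAD(Buffer.from(id));
        d.setAuthTag(raw(env.tag));
        const pt = Buffer.concat([d.update(raw(env.ct)), d.final()]);
        return JSON.parse(pt.toString('utf8'));
      } catch (e) {
        return undefined;
      }
    }
  };
}
```

Because the mode is authenticated, a record edited in storage fails to decrypt instead of yielding attacker-chosen data, which addresses the "it can't be trusted" point as well as confidentiality.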

W3C Web Cryptography Working Group

Hybrid App Containers

- Filesystem storage

- Data Storage Options

PhoneGap

- Hardware Encryption

- limited by platform

- Use SQLite Plugin

- SQLCipher

- Open Source

- 256-bit encryption

- http://brodyspark.blogspot.co.uk/

- Don’t store the key; derive it from the user’s password

RhoMobile

- Similar to PhoneGap

- Rhom Local Database

- SQLite Database

- SQLite Encryption Extension (SEE)

- All or nothing switch

Sencha Space

- Secure data stores

- Secured LocalStorage

- Secure Files API

- Remove app access to make the data inaccessible

Remote Wiping Data

- Use a mobile device management (MDM) suite

- AirWatch

- Soti MobiControl

- Sencha Space

Questions?
