
How secure is storing data with localStorage?

My app requires login, and I have a "Remember username and password" ability. The username and password are then stored with

localStorage.setItem('username', username);

How secure is this way of storing the username and password? What I'm worried about, especially on Android, is if other apps have access to the data and can fetch the login info.

The app is for iOS and Android, and I'm using PhoneGap 2.9.

LocalStorage is under normal circumstances only accessible by your app. It is as secure as the sandbox on the specific platform (iOS, Android) is able to protect your app's data from being read by other apps.

Sometimes that sandbox is not as strong as you might expect, e.g. in these cases:

  • the device is rooted or jailbroken
  • the manufacturer failed to provide security updates or the user just didn't update
  • the attacker has physical access to the device, for example if it is stolen.

If the attacker has access to the cleartext password and username, they could try them also for other accounts (not just your service). So if the user of your app used the same password for multiple services, the attacker could gain access to them as well.

What about storing a password hash?

For server side applications this is a great idea, because they run in a protected environment (datacenters with access control, system engineers taking care of security updates).

A phone, on the other hand, is stolen easily, and users often don't or can't install security updates.

If the hash is not salted it is very easy to get the cleartext password using rainbow tables if you have the hash. If the hash is salted it is still very easy to get the cleartext password for simple passwords. Also, it's very easy to generate insecure password hashes.

Solution: store randomly generated access tokens: no matter how simple or complex the password is, it's just impossible to get the cleartext password by looking at the token.

TL;DR

If you're using the credentials for authentication against some kind of API service, you should not store the password and username locally, even in a secure store such as the iOS keychain.

What you should do instead is to store only a randomly generated token (NOT a password hash!) you get from that API (similar to the concept of storing the session ID in a cookie rather than the user/pass combination). One possibility would be to use OAuth.

That way you make sure the real credentials can never be leaked, even when the sandbox fails to protect the data or the phone is stolen.

Each application uses its own webview in PhoneGap; the localStorage will be accessible in that webview only.

EDIT: I would still think about hashing the password.

Saving a password inside localStorage is not a secure approach. If you're using PhoneGap, try to save the username & password inside the iOS Keychain. Have a look at this plugin: https://github.com/shazron/KeychainPlugin

Each different Cordova app is like a different web browser, with access only to the localStorage data that it set itself, so there is no way a different app can access the data in your localStorage that is set by your own app. Meanwhile, if you want to authenticate users, consider using a JWT access token for this instead of storing the actual raw username or password on the device.
