[web]: Use SecureLS for an encrypted storage for web #18
Comments
|
Well, wouldn't a native Dart implementation be more suiting? I would propose to simply use an AES password based encryption of the single items in the local storage. At the point where the IO platforms show the pretty biometric authentication dialogue, the web version could simply display a dialogue asking for the decryption password. |
|
Cool project. Maybe this fits the need... https://github.com/jerson/flutter-rsa
A browser does not have access to the TPP chip in each OS as far as i know. Its funny the powers that be have not allowed it. Might be a chicken and egg problem i suspect. Anyway, this code works on Flutter Web, Mobile and Desktop. All naive code is golang and then cross compiled ( to each OS and WASM for the browser) and wrapped by the flutter FFI / Method channel. TO ease the developers burden of refactoring and boilerplate protocol buffer IDL is used as the master IDL, and then reused for the FFI IO between the Flutter layer and the Naive layer. Its pretty cool code. -- THis married up with key RIng code that accesses the TPM is pretty much covering a decent gamut of the stuff needed to manage passwords. |
|
Maybe i get something wrong aboute the secure-ls library.. but if I understand it correctly.. it generates a secret encryption key.. which is used for storing data into localStorage.. and then goes ahead and stores that encryption secret right next to it.. I don't think there is a large benefit to obfuscating data into localStorage than to just store it in plain text.. it sounds like giving a false sense a security more than it would benefit anyone . If an attacker can compromise the browser to read your localStorage, they can read your secrets no matter if they are plain text or obfuscated. The only real solution would be to ask the user for a password, and encrypt the data with that password.. but that doesn't quite fit well with the API right now. |
|
A pin code used as the key for AES and not store the pin at all seems to be a better solution. If that does not fit the API, I'd say the API needs to change |
feel free to make a suggestion or PR 🤷️ It must not make using it on actually targeted platforms any more complicated though. Android/iOS/windows/linux/mac wouldn't need to provide a PIN code/password and shouldn't have to worry about it. |
|
The PIN code seems a good idea at the first sight but there is a major drawback: it can be easily brute forced (unlike a alphanumeric password). |
|
the pin code does not have to be 4 digits. It could be a password. |
I totally agree and would close my issue for now because Secure-Ls is totally the wrong solution here. It should be a dart-only solution to fit into the existing api |
Here: https://www.npmjs.com/package/secure-ls
I already integrated that in the very first stage of Flutter web and you just have to import the module in your index.html.
The text was updated successfully, but these errors were encountered: