Securing an app with Capacitor Biometrics and Capacitor Secure Preferences #747
Hi All, I am researching a way to implement an authentication flow using your Biometrics and Secure Preferences plugins (Capacitor 8), or, if possible, to provide the user a way to create a custom PIN specifically for the app. What I would like to do is provide the user with a login screen (first-time login) that uses OAuth and connects to the server. When the user is logged in, I want to let the user set up a PIN login or biometrics login and store the refresh token in secure storage. The next time the user logs in via his PIN or biometrics, I retrieve the refresh token from the secure storage and get an access token with it. I looked into the tutorial "Securing an app with Capacitor Biometrics and Capacitor Secure Preferences" (https://capawesome.io/blog/how-to-securely-store-credentials-with-capacitor/), but I have a specific security concern regarding rooted or jailbroken devices. In the tutorial example, the flow is: Hypothetically, on a rooted device, can an attacker use a tool like Frida, "hook" the app and skip the authenticate() call to execute the get() call directly, and thus retrieve the token without authenticating? Does the Secure Preferences plugin provide a way to protect this stored refreshToken (hardware-enforced authentication)? Thank you in advance,
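An added example illustrating the point behind the question; it is not code from the question, the linked tutorial, or the capawesome plugins. The `authenticate()`-then-`get()` gate is ordinary control flow inside the app process, so the example pairs it with a server-side mitigation that limits what a copied refresh token is worth: single-use refresh tokens with reuse detection (the rotation pattern from the OAuth 2.0 security best-practice guidance). The plugin method shapes (`authenticate`, `get`, `set`, `remove`), the `TokenEndpoint` interface, the `RefreshTokenServer` class and the in-memory fakes are all assumptions made for this example so that it runs offline.

```typescript
import { createHash, randomBytes } from "node:crypto";

// --- Client side -----------------------------------------------------------
// Minimal shapes for the two plugin calls the question names. The real
// capawesome plugin signatures are assumed here, not copied from their docs.
export interface BiometricsLike {
  authenticate(): Promise<void>;
}
export interface SecurePrefsLike {
  set(opts: { key: string; value: string }): Promise<void>;
  get(opts: { key: string }): Promise<{ value: string | null }>;
  remove(opts: { key: string }): Promise<void>;
}

export const REFRESH_KEY = "refreshToken";

// Hypothetical token endpoint the client talks to after unlocking the token.
export interface TokenEndpoint {
  refresh(refreshToken: string): { accessToken: string; refreshToken: string } | null;
}

// PIN/biometric login: authenticate(), then get(), then exchange the stored
// refresh token. authenticate() is a branch inside the app process; it does
// not make the stored value unreadable to anything that controls that process.
// So the token is rotated on every use and the server treats a second
// presentation of the same token as a sign of compromise (see below).
export async function loginWithBiometrics(
  bio: BiometricsLike, prefs: SecurePrefsLike, server: TokenEndpoint,
): Promise<string | null> {
  await bio.authenticate();                         // rejects if the user fails or cancels
  const { value } = await prefs.get({ key: REFRESH_KEY });
  if (!value) return null;                          // nothing enrolled: full OAuth login
  const result = server.refresh(value);
  if (!result) {                                    // rejected: drop the local secret
    await prefs.remove({ key: REFRESH_KEY });
    return null;
  }
  await prefs.set({ key: REFRESH_KEY, value: result.refreshToken }); // keep newest only
  return result.accessToken;
}

// --- Server side -----------------------------------------------------------
// Refresh token rotation with reuse detection: every refresh token is single-use
// and belongs to a "family" started at the interactive OAuth login. A token
// presented twice means two parties hold it, so the whole family is revoked
// and the user must log in interactively again.
export class RefreshTokenServer implements TokenEndpoint {
  private records = new Map<string, { family: string; used: boolean }>();
  private revoked = new Set<string>();

  // Called once after the first-time OAuth login: starts a new family.
  issueInitial(): string {
    return this.mint(randomBytes(16).toString("hex"));
  }

  refresh(refreshToken: string): { accessToken: string; refreshToken: string } | null {
    const rec = this.records.get(sha256(refreshToken));
    if (!rec || this.revoked.has(rec.family)) return null;
    if (rec.used) {                                 // replay of an already-rotated token
      this.revoked.add(rec.family);
      return null;
    }
    rec.used = true;
    return {
      accessToken: "at." + randomBytes(8).toString("hex"),
      refreshToken: this.mint(rec.family),
    };
  }

  isFamilyRevoked(refreshToken: string): boolean {
    const rec = this.records.get(sha256(refreshToken));
    return rec !== undefined && this.revoked.has(rec.family);
  }

  private mint(family: string): string {
    const token = "rt." + randomBytes(24).toString("hex");
    this.records.set(sha256(token), { family, used: false }); // store only a hash
    return token;
  }
}

function sha256(s: string): string {
  return createHash("sha256").update(s).digest("hex");
}

// --- Constructed in-memory stand-ins for the plugins so the flow runs offline --
export function fakePlugins(): { bio: BiometricsLike; prefs: SecurePrefsLike; store: Map<string, string> } {
  const store = new Map<string, string>();
  return {
    store,
    bio: { async authenticate() { /* constructed fake: always succeeds */ } },
    prefs: {
      async set({ key, value }) { store.set(key, value); },
      async get({ key }) { return { value: store.get(key) ?? null }; },
      async remove({ key }) { store.delete(key); },
    },
  };
}
```

Rotation does not stop a token from being read out of storage on a compromised device; it bounds the damage. A copied token is either already stale (the legitimate client rotated it first) or becomes stale the moment the legitimate client next logs in, and either way the second presentation revokes the family, which is also a clear signal to log and alert on server-side. A device-integrity check before enrolment and a keystore key that requires user authentication (the hardware-enforced option the question asks about) are complementary layers, not replacements for this.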
Replies: 1 comment 1 reply
That's an interesting question. We have never tested that. Many of our enterprise customers use the Device Security Detect plugin to prevent usage on jailbroken devices. We already have an internal ticket for "Hardware-Enforced Authentication" since this was also requested by another customer a few weeks ago. We will definitely provide a solution for this within the year but we don't have an exact release date yet. My recommendation is to start with the Device Security Detect plugin and switch to our improved implementation as soon as it's published.