I want to secure the JWT token. I already went through the solutions.
- 1st, I can't use SharedPreferences because it's not secure for sensitive information.
- 2nd, I used the SecureStorage package, but when I saved my token in
this SecureStorage, how am I going to pass this token in further API
calls which require the token for Authorization? Because
SecureStorage encrypts the token, whenever I try to read the token it just gives me the key of that token, not the actual value.
Is there any other way to encrypt and decrypt the JWT token?
CodePudding user response:
There are a few issues here. One is the assumption that you cannot save the secret in SharedPreferences. This may be true, but really depends on the context of the application.
If you are requesting a short-lived JWT which can be used for a time period before needing to be refreshed, and the server you are communicating with has proper attestation, then SharedPreferences is probably safe enough: other apps do not have access and the OS theoretically keeps it secure, which puts it at about the same level as a cookie/LocalStorage/SessionStorage in a browser, which is currently used to secure most web-based accounts.
Now if you are doing something truly security-oriented (i.e. financial, authentication, etc.) or the token is a non-expiring refresh token (or similar), it might be worth securing that token more, as you have asked for help with. In that case, there are a bunch of plugins which could be used. FlutterSecureStorage is probably the most used of those; it can be used from your app to secure data with the Keychain on iOS and the Keystore on Android. Before you use it though, you should have read and understood every line of code in the plugin, as otherwise you're just blindly trusting the security of your app to a stranger on the internet.
That being said, using it should look something like this:
import 'package:flutter_secure_storage/flutter_secure_storage.dart';

// probably want to do this as a field in your class
final _storage = FlutterSecureStorage();
final myJwt = "1b234.232ade.1234f";

// To save the value, use this (inside an async function, since write() returns a Future):
await _storage.write(key: "my-secure-jwt", value: myJwt);
...
// And later on if you need to retrieve, use this (read() returns Future<String?>, so await it;
// the result is null if nothing was stored under that key):
final storedJwt = await _storage.read(key: "my-secure-jwt");
Note that you'll have to convert the JWT to a format that FlutterSecureStorage understands (most likely a string, as JWTs have a simple string-encoded format) and then decode it after you've read it from storage. You'll have to follow any caveats that Keychain and Keystore have, i.e. the device must be unlocked, your app may need to be open, and it's not available on super old versions of Android. I don't believe the plugin goes into great detail on this, so you're best off reading the documentation for Keychain and Keystore directly.
Now, if your app is very heavily security focused, even the above might not be enough for you; after all, the user may have an insecure system password or PIN rather than using biometrics to log in. In this case, you can actually take this one step further and require them to enter either a new PIN/pattern or a biometric into your app when it is opened. Many banking/stock/etc. apps I've seen do this. I'll ignore the PIN/pattern stuff as that's beyond the scope of this discussion, as it involves a lot of particulars which are easy to screw up.
There is a plugin for biometrics, however, which you can use, but honestly if your app needs to be this secure, I'd actually advise you to write the native code yourself, or at the very least read through every single line of the plugin very carefully before using it; after all, once again, by using it you'd be entrusting the security of your app and users to a stranger from the internet. The best resources for implementing and understanding this are the Android and iOS documentation; it is not super easy but not that complicated either, and will give you a much better idea of the actual security of the system you are implementing your app into.
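The answer above shows how to write and read the token but stops short of the questioner's actual problem: getting the stored token back out (awaiting the Future, handling the null case) and attaching it to later API calls. The following Dart code is an added example by the editor, not part of the original answer. It assumes the flutter_secure_storage and http packages are declared in pubspec.yaml; the storage key name, the TokenStore class, the decodeJwtPayload and jwtIsUsable helpers and the https://api.example.com/me endpoint are all placeholders chosen for this example.

```dart
import 'dart:convert';

import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:http/http.dart' as http;

/// Key under which the JWT is stored in the platform keychain/keystore.
/// Placeholder name chosen for this example.
const String _jwtKey = 'my-secure-jwt';

/// Thin wrapper around FlutterSecureStorage for a single bearer token.
/// Example code (editor's), not the answerer's or the plugin's own.
class TokenStore {
  final FlutterSecureStorage _storage = const FlutterSecureStorage();

  Future<void> save(String jwt) => _storage.write(key: _jwtKey, value: jwt);

  /// Returns the stored JWT, or null if nothing has been saved yet.
  /// read() returns a Future<String?>, so callers must await it; printing
  /// the un-awaited Future (or the key) is a common source of confusion.
  Future<String?> load() => _storage.read(key: _jwtKey);

  Future<void> clear() => _storage.delete(key: _jwtKey);
}

/// Decodes the payload (second segment) of a JWT WITHOUT verifying the
/// signature. On the client this is only used to read `exp` so we do not
/// send a token the server is guaranteed to reject; verification is the
/// server's job, never the app's.
Map<String, dynamic> decodeJwtPayload(String jwt) {
  final parts = jwt.split('.');
  if (parts.length != 3) {
    throw const FormatException('JWT must have three dot-separated segments');
  }
  // JWT segments are base64url without padding; normalize() adds it back.
  final payload = utf8.decode(base64Url.decode(base64Url.normalize(parts[1])));
  return jsonDecode(payload) as Map<String, dynamic>;
}

/// True if the `exp` claim is absent or still in the future, allowing a small
/// clock-skew margin so a token about to expire is refreshed early.
bool jwtIsUsable(String jwt, {Duration skew = const Duration(seconds: 30)}) {
  final exp = decodeJwtPayload(jwt)['exp'];
  if (exp is! num) return true; // no expiry claim: let the server decide
  final expiresAt =
      DateTime.fromMillisecondsSinceEpoch(exp.toInt() * 1000, isUtc: true);
  return DateTime.now().toUtc().isBefore(expiresAt.subtract(skew));
}

/// Calls a protected endpoint with the stored token as a Bearer credential.
/// Throws if no usable token is stored so the caller can re-authenticate.
Future<http.Response> fetchProtected(TokenStore store, Uri endpoint) async {
  final jwt = await store.load();
  if (jwt == null || !jwtIsUsable(jwt)) {
    throw StateError('no valid token stored; log in (or refresh) again');
  }
  final response = await http.get(
    endpoint,
    headers: {'Authorization': 'Bearer $jwt'},
  );
  if (response.statusCode == 401) {
    // Server rejected the token: drop it so we stop retrying with it.
    await store.clear();
  }
  return response;
}

/// Usage sketch: `jwtFromLogin` would be the token your login call returned.
Future<void> example(String jwtFromLogin) async {
  final store = TokenStore();
  await store.save(jwtFromLogin);
  final res = await fetchProtected(store, Uri.parse('https://api.example.com/me'));
  print('status ${res.statusCode}');
}
```

The decode step deliberately ignores the signature: an app cannot meaningfully verify a token it did not issue, and a token that passes the local `exp` check can still be rejected by the server, which is why the 401 path clears the stored value rather than trusting the local check.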
CodePudding user response:
Review this library to save data: Hive. This library is easy to use and practical. Write and read example.
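Hive is a general-purpose key-value store, and a box is only encrypted when it is opened with an encryptionCipher; otherwise the token sits in the box file in cleartext, which puts it in the same category as SharedPreferences. As an added example (editor's code, not from the answer above or the Hive project), the following Dart code opens an AES-encrypted Hive box whose key is itself kept in the platform keychain/keystore through flutter_secure_storage, the pattern Hive's own documentation recommends. It assumes the hive_flutter and flutter_secure_storage packages are declared in pubspec.yaml; the box name, the secure-storage key name and the helper functions are placeholders chosen here.

```dart
import 'dart:convert';

import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:hive_flutter/hive_flutter.dart';

/// Name of the Hive box and of the secure-storage entry holding its AES key.
/// Both are placeholder names chosen for this example.
const String _boxName = 'tokens';
const String _boxKeyName = 'hive-tokens-box-key';

/// Opens (creating on first run) an AES-encrypted Hive box whose 256-bit key
/// lives in the keychain/keystore via flutter_secure_storage. The box file on
/// disk is then ciphertext, and the key never sits in plain app storage.
/// Note: Hive encrypts values only; the map keys ('jwt' below) stay in
/// plaintext, so do not put secrets in the key names.
Future<Box<String>> openEncryptedTokenBox(FlutterSecureStorage secure) async {
  await Hive.initFlutter();

  // Reuse the key if one was generated on an earlier run; otherwise create a
  // fresh key and persist it in secure storage BEFORE opening the box, so a
  // crash between the two steps cannot leave an unreadable box behind.
  String? encodedKey = await secure.read(key: _boxKeyName);
  if (encodedKey == null) {
    final List<int> newKey = Hive.generateSecureKey();
    encodedKey = base64UrlEncode(newKey);
    await secure.write(key: _boxKeyName, value: encodedKey);
  }
  final List<int> key = base64Url.decode(encodedKey);

  return Hive.openBox<String>(_boxName, encryptionCipher: HiveAesCipher(key));
}

Future<void> saveJwt(Box<String> box, String jwt) => box.put('jwt', jwt);

/// Returns null when no token has been stored (or it was cleared on logout).
String? loadJwt(Box<String> box) => box.get('jwt');

Future<void> clearJwt(Box<String> box) => box.delete('jwt');

/// Usage sketch: store a token after login, read it back for the next request.
Future<void> example(String jwtFromLogin) async {
  final box = await openEncryptedTokenBox(const FlutterSecureStorage());
  await saveJwt(box, jwtFromLogin);
  final jwt = loadJwt(box);
  print(jwt == null ? 'no token stored' : 'token present (${jwt.length} chars)');
}
```

This buys little over storing the JWT directly in flutter_secure_storage when the only secret is one short string; it pays off when you have many values to protect, since only the 32-byte key has to go through the keychain/keystore and Hive handles the bulk.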