What security measures should be taken for an Ionic app?

VietMX Staff asked 3 years ago

It’s easy to forget, but an Ionic application, like any other Cordova application, is a website. It includes an index.html file that contains HTML, CSS, and JavaScript code. In security terms, there isn’t much difference between a normal website running on the web and a Cordova application running on a device.

There are a few key things that I feel are important to know and understand when building applications with potential security concerns:

1. Treat the codebase like a public website – don’t hardcode secret API keys or passwords.

2. Move sensitive operations to a server – outsource any sensitive operations to the server (where people, as long as your server is secure, can’t see what you’re doing). Your application can then make an HTTPS request to your server via some API to retrieve the result of that operation.

3. Communicate over HTTPS – traffic that is sent over HTTP can be intercepted, read, and altered by attackers. Traffic that is sent over HTTPS cannot be read (they will only be able to see encrypted data) or altered by attackers.

4. Don’t store sensitive data in local storage – gaining access to values in local storage would first require the attacker to have physical access to the device, or to exploit some other vulnerability (e.g. through XSS), so it is not as if local storage values are publicly available for everybody to snoop around, but there are some concerns here if the security of the data stored is important.

5. Never store a user’s password in your application – instead, you can use some kind of token like a JWT that you can store in local storage to authorise the user. A JWT does not contain any sensitive information, it just identifies the user, but a JWT cannot be tampered with (if it has been, the server will reject it), so if a user has a JWT that identifies them as a particular user, we can automatically log them in.

6. Consider using an authentication service – there are many options out there that can handle authentication for you, like the various social providers such as Facebook, GitHub, or Google.

7. Use a content security policy.