Are there any packages, frameworks, or services to do client-side encryption of user data in Flutter, using firebase as a server?
I hope to build an app that handles some of a user's personal financial information and so I want no one else, including me, to be able to access it. Firebase allows a Dev to see the unencrypted database so I need to do the encryption on the client-side.
I think this will probably have to involve a client-side symmetric key used for encrypting and decrypting the user data.
My worry is how to store this key.
(1) Randomly generated key stored locally - doesn't allow the user to switch between devices and is lost if the device is lost
(2) Store it in a Google Drive - requires the user to have a Google account. (Advocated by this article from HackerMoon
(3) Generate it deterministically from a salted hash of the user's password (stored locally) - lost if the user forgets or changes their password.
(4) Allow the user to choose between a subset of the above
My question is similar to this one How to encrypt user data in Firebase but it covers situations were data is transferred between users and hence uses public key cryptography.
Questions:
What is the best way to encrypt user-data for a firebase db?
And if it is to use a symmetric key, what is the best way to generate and store this key so the user doesn't risk losing access to their data?
This one appeared to be the best solution for my case: flutter_secure_storage. It stores the data in an app specific container within the official key stores of iOS and Android
Related
I develop REST API for some application and use token-auth. However I came up to one problem about storing tokens in database:
Store them using some safe hash function like bcrypt or sha3 and display them to user only once after generation - therefore those tokens would not be backwards readable and could not be displayed to the user in the future - impact on quality for the customers
Store them in plain-text - if database got compromited all tokens has to be regenerated - that's impact on quality for the customers as well
Encrypt them using user's password - impossible due to database may contain multiple users which have access to tokens.
I saw that a lot of services like Google, Github and Facebook that are able to display tokens on-demand without any special procedure needed. Do they store them in plain-text or ?
I am developing an app which uses Facebook login, and which contains a messaging platform. Messages are stored in a Firebase database, and I would like to have some sort of encryption such that the database stores the encrypted messages, and only the sender and receiver can decrypt them.
I know the sender/receiver need some unique key to encrypt/decrypt the messages, but I am unsure as to how I should generate this key, and as to where it should be stored? Basically, there are plenty of tutorials on message encrypting, so I am wondering about the general information structure of an app which involves this kind of encryption, rather than about what exact code to implement!
I thought about basing the encryption key on a user's Facebook access token, but these change every 60 days so I assume it wouldn't work?
Thank you for any help or suggestions!
I need to store a sensible info in a database (clients passwords). Is there a common practice? The information should be accessible by various users. Think about service company that should make maintenance of clients systems.
I'm thinking about using AES encryption. All the information is encrypted with the same main key. For every user this main key is encrypted with the user's password used as the key and stored separately. During login and authentication the main key is decrypted and saved in a session. Later the key is used to decrypt clients info. Is it a good practice?
Thanks
P.S.: Yes, I know that it's better not to use passwords, but it's not me to decide the way to access client's servers.
I am developing an app which uses several API services, the API requires that I provide username and password for API transactions, unfortunately no API token :-( in-order to automate I need to store username passwords somewhere, preferably database, I cannot use hashing because I need to send the username/password to authenticate and process API request, hence I am wondering how to go about it.
If I use Zend\Crypt to encrypt and store the password in database and decrypt whenever required, would this be enough for security? is there something else I must consider?
Looking for pointers.
PS: I am using ZendFramework2 with Doctrine/MySQL for the app.
Usually you would use a token mechanism (like OAuth). If that's not possible, one would use TLS/SSL client authentication.
However, if you rely on plain passwords (on the application-level, I still guess the username/password tupel is transmitted over a secure connection!) and you want to store them encrypted, you have to think of a meaningful mechanism to get an encryption key for your scenario. Just generating an encryption key and storing it on the same machine in plain does not provide more security.
Without more information on your scenario it is hard to make a suitable suggestion.
I am planning to store a password in my Native app (Android and iPhone). Should I store them after encrypting it ? or can I store it without any encryption? Are they really secure?
Any jailbroken iPhone will give any user access to the application's Documents folder. So, yes, it's insecure.
Additionally, if you put the password inside the code, you're still weak, as someone can decompile the program and find the key. What I'd recommend is a proxy.
For example, we have an application that connects to Facebook's API on the phone. However, we don't want to store our Facebook API private key on the phone, because then any user who reverse engineers our code could hack our Facebook application!
So, instead, we store the Facebook private key on a (secure) proxy server. When the device needs to interact with Facebook, it contacts the proxy, asks the proxy to log-in, and then the proxy gives a session key to the device to use directly with Facebook.
Certainly, it's still hackable - but you won't lose your private key in the process, and instead, the only thing your user could do is do the same things you do in your proxy server API.
Could you give us a little more information about what you're trying to do?
I would store it encrypted.
If someone would read your password he/she could simply use it. If it is stored encrypted, that person would need to decrypt it before usage.
Stored passwords are not safe at all. Determined user can root it's device and access any database and preferences. If you encypt password, your application can be decompiled to get decode function or step-executed until decrypted password is stored somewhere in process memory.
It doesn't mean you shouldn't encrypt passwords - use any symmetric encryption and initialise key in some non-trivial way (i.e. arythmetic expression). This will prevent script-kiddies and casual programmers from reading passwords. Just remember if some really want them, he will get them anyway.