Is FirefoxOS secure enough to store passwords in IndexedDB or localStorage?

As far as I know, there is no standard way to store credentials in FirefoxOS yet. There is no such thing as an AccountManager like Android has. Therefore, each application must store the credentials on its own. This means you need to fall back on things like localStorage or IndexedDB.

I'm not sure if there is a better way to handle this issue. I have an application and I would like to store the user / password to make it easier to retry requests against the CouchDB server.


My current solution is to create a PouchDB database that will only be used locally and a PouchDB database that can be synchronized with the CouchDB server. Also, in theory, I could bind the change event of the local private database to listen for password changes and re-authenticate with the new credentials. When the cookie expires, I can reuse the login credentials and retry the request that failed.

+3




1 answer


The data in localStorage and IndexedDB is not encrypted, so if the device is stolen and the files are parsed, the credentials can be recovered.

As long as you're not worried about someone stealing your device and recovering your credentials from it, your PouchDB persistence plan sounds fine. Firefox web applications are isolated from one another in such a way that they cannot access the saved data of other applications.

However, if the credentials are sensitive:

"Secure enough" depends on the content at hand and the known threat level. For example, if you store passwords for highly sensitive data on a device that has a nonzero chance of being stolen for that data, "secure enough" means something very different than if you store credentials for a web application that the user does not consider sensitive and where nobody would steal the device to get at that data.



If the service is very sensitive and the threat is high, I recommend that you do not store credentials locally at all and forgo this user feature, and also use something like two-factor authentication.

If the data is sensitive and needs to be stored locally, you can store the service credentials encrypted in local storage, protected by a local code or unlock password. A talk, slides, and code examples on how to do this using the WebCrypto API can be found at https://timtaubert.de/blog/2014/10/keeping-secrets-with-javascript/ .

The WebCrypto API is brand new, so check for this API in the version of Gecko that ships on the Firefox OS devices / OS versions you are targeting.

+2

