How should I refresh the token in phonegap localstorage?

I am (partly) following a tutorial to develop a cordova app, based on angularJS. The author stores the refresh token in local storage, which was said to be very bad practice in one of the comments on that same tutorial. This is confirmed in another stackexchange question. Best practice is then to store the refresh token in a secure HttpOnly cookie. OWASP also mentions this as a guideline, and again they argue to use cookies, which is not possible in a native app.


Now, I can see why it is bad practice when the app is available through the browser, but if I 'phonegap' the app (so that it becomes a native one) is it then also still bad practice to store the refresh token in local storage?

If so, where should I store the refresh token then, as cookies do not exist in 'native' apps?

Answered by Andrew Jenkins

Well, according to the PhoneGap localStorage security guide, it seems that localStorage is not recommended for storing sensitive data. So what can you do? Well, here are two options I think you can use.

  1. Encrypt the refresh token and store it encrypted in localStorage. You can use CryptoJS (a JS library to encrypt/decrypt data) to encrypt your token using AES (see this example), and it also has an AngularJS module.
  2. You can store your refresh token on the device/phone file system using the Cordova File APIs. For an extra level of security you can encrypt the data and store it on the device file system. Note that on Android you will be limited to an AES 128-bit key size, but using some third-party plugin you can increase it to 256.

