[Web] Encryption of saved value by app-specific key

Question

[Web] Encryption of saved value by app-specific key

Closed this issue 3 months ago · 1 comments

The current implementation is "secure" in the sense that when a user looks at LocalStorage, they cannot immediately identify the value. (I think that's enough for most cases.)

https://github.com/mogol/flutter_secure_storage/blob/v9.2.2/flutter_secure_storage_web/lib/flutter_secure_storage_web.dart#L104

On the other hand, by reading the code in flutter_secure_storage, we can analyze the stored jwk. (Of course, it is hard work.)
To improve this analysis difficulty, I propose to obfuscate the stored jwk using an app-specific key.

https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/wrapKey
https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/unwrapKey

How about adding this option to WebOptions?

Answer 1 · 2024-08-13T13:47:38.000Z

The wrapping key can be generated by the following snippet.

async function main() {
  const iv = new Uint8Array(12);
  window.crypto.getRandomValues(iv);

  const key = await window.crypto.subtle.generateKey(
    {
      name: "AES-GCM",
      length: 256,
      iv: iv,
    },
    true,
    ["wrapKey", "unwrapKey"]
  );

  const jsonWebKeyBuffer = await window.crypto.subtle.exportKey("raw", key);
  const jsonWebKey = new Uint8Array(jsonWebKeyBuffer);

  console.log("---iv---");
  const base64Iv = btoa(String.fromCharCode.apply(null, iv));
  console.log(base64Iv);

  console.log("---wrapping key---");
  const wrappingKey = btoa(String.fromCharCode.apply(null, jsonWebKey));
  console.log(wrappingKey);
}

main();