flutter_secure_storage icon indicating copy to clipboard operation
flutter_secure_storage copied to clipboard

Published 20 hours ago verified publisher icon mogol

[Web] Encryption of saved value by app-specific key

Open koji-1009 opened this issue 1 year ago • 0 comments

The current implementation is "secure" in the sense that when a user looks at LocalStorage, they cannot immediately identify the value. (I think that's enough for most cases.)

https://github.com/mogol/flutter_secure_storage/blob/v9.2.2/flutter_secure_storage_web/lib/flutter_secure_storage_web.dart#L104

On the other hand, by reading the code in flutter_secure_storage, we can analyze the stored jwk. (Of course, it is hard work.) To improve this analysis difficulty, I propose to obfuscate the stored jwk using an app-specific key.

https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/wrapKey https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/unwrapKey

How about adding this option to WebOptions?

koji-1009 avatar May 27 '24 12:05 koji-1009