react-native-background-geolocation icon indicating copy to clipboard operation
react-native-background-geolocation copied to clipboard

Published 20 hours ago verified publisher icon transistorsoft

Bring back Encryption

Open throwaway34241 opened this issue 1 year ago • 10 comments

Your Environment

  • Plugin version: 4.10.1
  • Platform: both
  • OS version: n/a
  • Device manufacturer / model: n/a
  • React Native version (react-native -v): n/a
  • Plugin config
BackgroundGeolocation.ready({
+  encrypt: true
});

Expected Behavior

I propose to bring back the encryption feature, removed in #1246. As far as I understand, it was removed because the RNCryptor package was flagged as a virus. Maybe we can use another library, e.g. a pure JS one?

AFAIU, the previous implementation encrypted the data before it entered the local on-device SQLite database. I personally think this is overkill, I think it solves a threat model that's limited to maybe people whose personal locations are really sensitive data with risk of the device being accessed. But for the huge majority of use cases, I believe encryption before sending to the HTTP server is enough, so that the location data is stored encrypted on the server.

Actual Behavior

No encryption.

Steps to Reproduce

n/a

Context

Since precise location data (as provided by this library) is considered personally identifiable information, I think adding encryption is going in the right direction.

Debug logs

n/a

throwaway34241 avatar Mar 20 '23 09:03 throwaway34241

If you simply use https endpoint, your data is encrypted in transit.

christocracy avatar Mar 20 '23 11:03 christocracy

Right. I edited my OP to clarify that I meant that the server's DB only stores encrypted data. The server's admin can never access the user's encrypted location data. Decryption happens client-side (mobile or web). A similar model may be how ProtonMail stores emails encrypted.

throwaway34241 avatar Mar 20 '23 11:03 throwaway34241

For VAPT certification we have to encrypt sensitive data saved in local db. If you can bring back the encrypt feature, that will be useful for many

libinsatheesan avatar Mar 29 '23 05:03 libinsatheesan

is there any way to encrypt the local database at all with this package @christocracy ?

trne avatar Jun 12 '23 12:06 trne

No.

christocracy avatar Jun 12 '23 12:06 christocracy

would it be possible to bring that back in then @christocracy ? as part of the requirements on the app that we are working on, all data stored locally on the phone needs to be encrypted. so I'd either need to be able to encrypt the sqlite data set or be able to flush it as soon as the data is sent to our backend service.

trne avatar Jun 12 '23 12:06 trne

would it be possible to bring that back in then

No

or be able to flush it as soon as the data is sent to our backend service.

that’s exactly what the plug-in does. The plug-in strongly desires an empty database. As soon as your server responds with 200, the plug-in deletes its copy of that record.

the plug-in’s SQLite database is nothing more than a temporary queue for its http service.

christocracy avatar Jun 12 '23 12:06 christocracy

brilliant!! then that's as strong as it can get. all what we need really. thanks so much and keep up the good work. this plugin is just outstanding and your level of response as well @christocracy

trne avatar Jun 12 '23 12:06 trne

Read the api docs “HTTP Guide” for more information.

christocracy avatar Jun 12 '23 12:06 christocracy

This issue is stale because it has been open for 30 days with no activity.

github-actions[bot] avatar May 23 '24 01:05 github-actions[bot]

This issue was closed because it has been inactive for 14 days since being marked as stale.

github-actions[bot] avatar Jun 06 '24 01:06 github-actions[bot]