I’m building a Sencha Touch 2 application that retrieves data from a webservice. It’s been decided that it’d be a good idea to use an optional PIN setting on the app for extra security when you launch the app from idle. I’m not really sure what the best way to manage this is.
The web service isn’t capable of storing the PIN itself, and the app is also designed to be used offline as well as online, so the number needs to be stored on the device itself in local storage. I’m not convinced this is providing any level of security, and I’m also concerned that on iOS local storage is apparently treated as temporary so setting the number in local storage doesn’t necessarily mean it’s always going to be there.
The webservice already returns an expiring auth token to the device, which is required for all requests to the API. To my mind that’s secure enough, but the idea of the PIN seems to be important to the client.
How would you manage this requirement?
Unlike cookies, which are passed between server and client (and can be accessed by both of them), sessionStorage / localStorage are 100% stored in the client by a concrete browser: sessionStorage temporarily stores data in one HTTP session, localStorage stores permanent data onto the client’s hard disk. The advantage is obvious:
Note: the W3C “recommended 5 megabytes localStorage size limitation per domain” and “welcome feedback”; this is much larger than the 4KB limitation of cookies.
So I (personally) would give localStorage a try :). If you want more security you can additionally encrypt your pin before storing it into localStorage e.g. http://point-at-infinity.org/jsaes/