You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The CapacitorCookies plugin (CapacitorCookieManager) on Android stores the cookies in an sqlite database in the app's data folder: /data/data/[bundle-identifier]/app_webview/Default/Cookies.
While this approach protects the cookies against most apps, it is vulnerable in the context of a rooted device. With root present, a malicious app could easily read these cookies which may e.g. contain the session-cookie. Thereby an authenticated session could be stolen.
It would therefore be great to have the option to configure the plugin to encrypt the cookies before storing them in this sqlite database. The symmetric-key used for encryption and decryption could itself be stored in the Android Keystore.
Alternatives
If it were possible to specifically override the default-implementation of the CapacitorCookieManager (without forking the project), this would give developers the flexibility required to implement such encryption logic themselves.
Additional Information
This feature request is based on a penetration-testing report which only indicated the vulnerability for Android. I am not familiar with the iOS implementation.
The text was updated successfully, but these errors were encountered:
Description
Storing cookies in encrypted format
Platforms
Request or proposed solution
The CapacitorCookies plugin (CapacitorCookieManager) on Android stores the cookies in an sqlite database in the app's data folder:
/data/data/[bundle-identifier]/app_webview/Default/Cookies
.While this approach protects the cookies against most apps, it is vulnerable in the context of a rooted device. With root present, a malicious app could easily read these cookies which may e.g. contain the session-cookie. Thereby an authenticated session could be stolen.
It would therefore be great to have the option to configure the plugin to encrypt the cookies before storing them in this sqlite database. The symmetric-key used for encryption and decryption could itself be stored in the Android Keystore.
Alternatives
If it were possible to specifically override the default-implementation of the CapacitorCookieManager (without forking the project), this would give developers the flexibility required to implement such encryption logic themselves.
Additional Information
This feature request is based on a penetration-testing report which only indicated the vulnerability for Android. I am not familiar with the iOS implementation.
The text was updated successfully, but these errors were encountered: