EncryptedStorage
The EncryptedStorage plugin provides an asynchronous API to store key value pairs securely. The API is based on the the web storage interface but is asynchronous in nature.
For additional details see the JavaScript file in a project that includes this plugin at
project_name\www\plugins\com.sap.mp.cordova.plugins.encryptedstorage\www\encryptedstorage.js
or the JS Documentation at Kapsel EncryptedStorage API Reference
The following steps will demonstrate this plugin.
- Create the project.
cordova -d create C:\Kapsel_Projects\StorageDemo com.mycompany.storage StorageDemo cd StorageDemo cordova -d platform add android cordova -d create ~/Documents/Kapsel_Projects/StorageDemo com.mycompany.storage StorageDemo cd ~/Documents/Kapsel_Projects/StorageDemo cordova -d platform add ios
- Add the Cordova console plugin and the enycryptedstorage plugin.
cordova plugin add https://git-wip-us.apache.org/repos/asf/cordova-plugin-console.git cordova -d plugin add C:\SAP\MobileSDK3\KapselSDK\plugins\encryptedstorage cordova -d plugin add ~/SAP/MobileSDK3/KapselSDK/plugins/encryptedstorage
- Replace www\index.html with index.html and run
cordova -d prepare
Notice that the API is asynchronous. This can make it a bit more challenging to work with. The following link provides some suggestions on how to work with asynchronous methods. Asynchronous JS: Callbacks, Listeners, Control Flow Libs and Promise - Use the Android IDE or Xcode to deploy and run the project.
![image1.PNG]()
- Note, on Android, not more than 1 MB can be stored for a single key/value pair. The strings are encoded in UTF-8 on Android, so this means the maximum length of a complex string that can be successfully stored is less than the maximum length of a string with only simple characters (since simple characters are encoded with a single byte, and complex characters are encoded with up to 4 bytes).
Note that as of SMP 3.0 SP02, if the Logon plugin's data vault is deleted the EncyptedStorage plugin will also delete all storage as well. - If the Logging plugin is added and the log level set to debug, the messages logged by the EncryptedStorage plugin can be viewed. The log tag it uses is SMP_ENCRYPTED_STORAGE.
- The following are some technical details of where the data is stored and how it is secured on Android.
Key value pairs are stored in a SQLLite Database.
The database is created using local storage which can only be accessed by the application that created it. The file is stored under /data/data/packageName and can be seen and accessed when using an emulator but not a device.![image2.PNG]()
The values but not the keys stored in this SQLLite database are encrypted using javax.crypto.Cipher and a transformation of AES/CFB/NoPadding in SP01 and AES/CBC/PKCS5Padding in SP02. In SP03 both the values and the keys will be encrypted.
The encryption process may cause values to be up to 32 bytes larger than the unencrypted values.
When a new store is created via new sap.EncryptedStorage("testStore", "securePassword123"), a random string is generated using SecureRandom. This random string is used as the encryption key to encrypt the values added to the SQLLite database.
This encryption key is persisted for future use in the SQLLite database but is first encrypted with a combination of a salt (another random string created using UUID.randomUUID().toString(), used to prevent dictionary attacks) and the password provided (securePassword123 shown above).
The user provided password is not stored. The salt is stored on the internal storage and can only be accessed by the EncryptedStorage plugin which created it.
In SMP 3.0 SP03 this process changes.
The encryption key is generated using a random salt and the provided password.
The encryption key is saved into the Logon plugin's data vault.
If the Logon plugin is not present the Encrypted Storage plugin will create its own instance of the Logon plugin's data vault. The data vault is opened and closed after each request to store or retrieve data from the SQLLite database.
Back to Getting Started With Kapsel