Sebastian Sebald

Reputation: 16856

Chrome App: Handle Sensitive data

I want to write a Chrome app that uses the GitLab API (https://github.com/gitlabhq/gitlabhq/tree/master/doc/api). In order to use the API, a user needs her/his private token. The token is returned after a successful login via the '/session' API call.

Is there a secure way for Chrome Apps to store sensitive data like the private token from GitLab? Can I use chrome.storage for this, or will the token be stored in clear text on the user's computer?

Upvotes: 0

Views: 414

Answers (1)

sowbug

Reputation: 4672

Consider using the WebCrypto API to implement encryption of the token, then store the ciphertext in chrome.storage. You'll ask the user to supply a master password to encrypt and decrypt tokens. On each launch of the app you'll prompt the user for the master password, to avoid the need to store it anywhere.

In all likelihood, you'll grow tired of entering the master password each time and will implement an option to store the password right next to the stuff it unlocks in chrome.storage, or you'll pick a password that's short and easy to type. In either case, the usability of the system will ensure that the password serves effectively no purpose, other than security theater.

Upvotes: 2
