
As far as I'm aware, there is not yet a standard way to save credentials in Firefox OS. There is no such thing as Android's AccountManager, so each app has to save credentials on its own, which means that you have to fall back to things like localStorage or IndexedDB.

I'm not sure if there is a better way to handle this problem. I have an application and I'd like to save user/password to make it easier to reauth on a couchdb server.


My current solution is to create a PouchDB database that will be used only locally and a PouchDB database that can be synced with the CouchDB server. Also, in theory I can bind a changes event to the local private database to listen for password changes and reauthenticate with different credentials. When the cookie expires I can reuse the credentials to log in again and retry the request that failed.

Loïc Faure-Lacroix

1 Answer


Data in localStorage and IndexedDB is not encrypted, so if the device is stolen and the files analyzed, the credentials can be retrieved.

If you're not worried about the device being stolen and the credentials being retrieved, your plan of storing in a PouchDB sounds fine. Web applications on Firefox OS are sandboxed by design in a way that they cannot access the stored data of other applications.

However, if the credentials are sensitive:

"Secure enough" is relative to the content being stored and the known threat level. For example, if you're storing passwords to highly sensitive data on a device which has a non-zero chance of being stolen for that data, "secure enough" is very different than if you're storing credentials for a web application that the user does not consider sensitive on a device with no threat of being stolen for that data.

If the service is very sensitive and the threat high, I recommend you not store the credentials locally at all, and forgo that user experience feature and also use something like two-factor authentication.

If the data is sensitive and must be stored locally, you could store the service credentials encrypted in the local storage facility with a local unlock code or password. A talk, slides and code sample of how to do this with the WebCrypto API are available at https://timtaubert.de/blog/2014/10/keeping-secrets-with-javascript/.

The WebCrypto API is quite new, so check for the availability of that API on the version of Gecko that is shipped on the Firefox OS devices/versions that you are targeting.

Dietrich Ayala