How secure is the Worklight JSONStore?
JonMarshall 1000009QM4 Visits (6701)
The feature of interest here though is that the data in the JSONStore can be encrypted meaning that sensitive data can be protected regardless of whether the device gets stolen or hacked. The details of this encryption can be found in the Knowledge Center, but I wanted to summarise how Worklight does this here.
When you create the JSONStore (init method call), 2 keys are generated:
At a high level the algorithm for generating these looks like this:
Simplistically, PBKDF2 will turn a weak key (e.g. 'hello123') into a 256bit key that's hard to decrypt using brute force, because to generate it it goes over 10k loop iterations which is expensive on modern hardware. The salt is an extra random value that's part of the PBKDF2 algorithm.
The DPK is passed to the SQLCipher to encrypt and decrypt data on the database file that holds the collections.
Worklight needs to store the DPK for each time the app needs to access the data. This key isn't stored in plain text. It too is encrypted using the CBK as the encr
Importantly, the only way to get the DPK back is to have access to the portion of the keychain that holds the encrypted DPK and correctly re-generate the CBK to decrypt it. The latter can only be done with the user password. In summary, Worklight does NOT store the CBK but it is this that is required to do anything with the data of the JSONStore.