
Storing the LoginToken on the local Device

Discussion in 'Scripting' started by Zapan15, Oct 1, 2019.

  1. Zapan15

    Zapan15

    Joined:
    Apr 11, 2011
    Posts:
    186
    Hi,

    we are developing an App which runs on Windows and Android. The App uses a cloud connection and the user must enter a username and a password to login. After a successful login, we store a login token in a local file on the disk of the device. This login token is just plain text and does not contain password information. However, you have to send the login token, with the username and a unique device ID, to login again.

    The question is now: How are you doing this on Windows? We think it can be a security issue when just storing the login token in a file on a Windows computer, for example.

    Do you crypt your login tokens somehow, or do you have some other ideas?

    Thank you
    André
     
  2. Brathnann

    Brathnann

    Joined:
    Aug 12, 2014
    Posts:
    7,188
    Just curious, but why would you save the login token to the device? Windows or Android, if it's a plain text file, you can access it. If it's an important piece of information, I wouldn't be saving it to the device, certainly not as plain text.
     
  3. csofranz

    csofranz

    Joined:
    Apr 29, 2017
    Posts:
    1,556
    It usually only is an issue if the token allows reconstruction of user and device. I'm guessing your server is issuing the token based on some hash, secret and server salt, so the resulting token can be plain text, just like it is when you are transmitting tokens via http. The question is: what can the token be used for if accessed by a third party - can it be used to log in on the same machine? If so, the token strategy needs to be hardened; crypting it will not increase security. Always assume that the token is intercepted in transit, so design your token strategy so that it can only be used by the intended recipient.
     
  4. Zapan15

    Zapan15

    Joined:
    Apr 11, 2011
    Posts:
    186
    Yes, it is like this. However, how are others doing a `Remember-Me` function in their App? They need to store such a token somehow, e.g. somewhere..?
     
  5. csofranz

    csofranz

    Joined:
    Apr 29, 2017
    Posts:
    1,556
    Yes. The entire remember me functionality is ultimately unsafe. For high-risk operations (e.g. payments) a separate authentication would be mandatory. You can gain some additional security if the app the user was using was issued a second token, and only both tokens in conjunction (usually through a hash) will unlock the session. But that again needs to be stored somewhere, which is inherently unsafe - until you realize that the entire remember me function is unsafe. The attacker who gains access to the machine that keeps a session open through remember me also has access to the data. "Remember me" is unsafe and only a convenience. Do not allow a "remembered" user to execute private functions without a separate authorization. If you do that, you can keep the token somewhere unobtrusive, like any 'favorite' link. But it will never be secure.
     
    Last edited: Oct 2, 2019
  6. Zapan15

    Zapan15

    Joined:
    Apr 11, 2011
    Posts:
    186
    Ah, okay, so we are still right. We will add a `Remember-Me` checkbox to the login screen, maybe with a short warning message. For critical operations we will always request username and password. The login token itself will also not work alone; we will use some other data, too, so just copy and paste of the login token to another device will not work.

    However: Do you know if all other developers will just store the login token somewhere as text, like in a text file, or in the registry or whatever... I cannot think of another solution which will work without any hassle?
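    The token binding that csofranz describes in post 3 and that Zapan15 plans in post 6 (a token that only works together with the right username and device ID, and is useless when copied to another device), sketched as an added server-side example. This is not code from the thread or from any Unity project; the server side is language-agnostic, so it is written in Python. The server secret, the JSON field names, the 30-day lifetime and the `device_id` value sent by the client are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed example secret; a real server loads this from protected config.
SERVER_SECRET = b"example-server-secret-do-not-reuse"

# Assumed lifetime of a remember-me token (30 days).
TOKEN_TTL_SECONDS = 30 * 24 * 3600


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token is a plain text string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    """Inverse of _b64e; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, device_id: str, now: Optional[int] = None) -> str:
    """Server side: mint a remember-me token bound to one user and one device.

    The client stores the returned string (e.g. in its settings file) and
    presents it with the same username and device ID on the next login.
    """
    now = int(time.time()) if now is None else now
    payload = {
        "u": username,                      # bound user
        "d": device_id,                     # bound device
        "exp": now + TOKEN_TTL_SECONDS,     # expiry, so a leaked file goes stale
        "n": secrets.token_hex(8),          # random nonce: no two tokens collide
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    # HMAC over the body with the server secret: the client cannot forge or
    # edit the bound fields without invalidating the tag.
    tag = hmac.new(SERVER_SECRET, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


def verify_token(token: str, username: str, device_id: str,
                 now: Optional[int] = None) -> str:
    """Server side: check a token presented at re-login.

    Returns "ok" or a rejection reason; the reason is meant for the server
    log, not for the client response.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return "malformed"
    try:
        body, tag = _b64d(parts[0]), _b64d(parts[1])
    except ValueError:
        return "malformed"
    # Check integrity first, in constant time, before trusting any field.
    expected = hmac.new(SERVER_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "bad-signature"
    try:
        payload = json.loads(body)
    except ValueError:
        return "malformed"
    if not isinstance(payload, dict):
        return "malformed"
    if now >= int(payload.get("exp", 0)):
        return "expired"
    if not hmac.compare_digest(str(payload.get("u", "")).encode(), username.encode()):
        return "wrong-user"
    if not hmac.compare_digest(str(payload.get("d", "")).encode(), device_id.encode()):
        return "wrong-device"
    return "ok"


if __name__ == "__main__":
    # Constructed walk-through: issue on device A, then try it from device B.
    t = issue_token("andre", "device-A")
    print("same device:", verify_token(t, "andre", "device-A"))
    print("copied to other device:", verify_token(t, "andre", "device-B"))
```

    Two things this does and does not buy, in line with the thread: a token copied out of the settings file is rejected on any other device or for any other username, and it goes stale on its own after the lifetime, so the file on disk does not need to be encrypted to get that property. It does not protect against someone who already controls the machine the token was issued to, because that person can present the same device ID; that is the limit csofranz points out, and why critical operations still need a fresh username and password.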
     
  7. csofranz

    csofranz

    Joined:
    Apr 29, 2017
    Posts:
    1,556
    We use whatever is most convenient, usually some form of JSON (i.e. text) that is put into the OS-provided default data directory for the application (this works well for all OSX and iOS apps, well for most Linux, and mostly well with Windows). We use a separate file that also contains other user settings (I think we called it "user.settings") like preferred UI colors and other user-specific, non-private data. The session key (as we call it) is a plain text string, almost 1000 characters long.
     
  8. Zapan15

    Zapan15

    Joined:
    Apr 11, 2011
    Posts:
    186