
[Question] For web, how is the unique encryption key generated and securely reused?

Open timmolter opened this issue 2 years ago • 3 comments

Looking at this file: https://github.com/mogol/flutter_secure_storage/blob/develop/flutter_secure_storage_web/lib/flutter_secure_storage_web.dart#L93, it looks like a random key is generated and stored, but how is that raw key protected?

timmolter avatar Jun 21 '23 13:06 timmolter

For example, what would prevent a hacker or virus software from reading the browser's localStorage file/database? AFAIK localStorage is not encrypted itself by the operating system or otherwise.

Here: https://github.com/mogol/flutter_secure_storage/blob/bdd191faa0ac5e53470e0dd0409849d9ff310a95/flutter_secure_storage_web/lib/flutter_secure_storage_web.dart#L115C29-L115C29, we see that the encryption key is stored right next to the data stored in localStorage.

tim-eucalyptus avatar Jun 23 '23 16:06 tim-eucalyptus

Is it really the case? Then what's the point of encrypting data if the encryption key is stored in the same location?

janosgy avatar Dec 04 '23 16:12 janosgy
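The concern raised in the comments above, as an added example that is not part of the thread and not the plugin's code: it compares what a copy of the storage alone yields when a random AES-GCM key is saved beside the ciphertext and when the key is derived from an input that is never stored. The `demo.*` key names, the `Map` standing in for localStorage, and the PBKDF2 passphrase variant are assumptions made for illustration.

```javascript
// Added example; the "demo.*" key names and layout are hypothetical, not the plugin's.
const toHex = (b) => Array.from(new Uint8Array(b), (x) => x.toString(16).padStart(2, '0')).join('');
const fromHex = (h) => Uint8Array.from(h.match(/../g), (p) => parseInt(p, 16));
const webCrypto = async () => globalThis.crypto ?? (await import('node:crypto')).webcrypto;

// Key a reader of `store` can obtain, or null when it depends on an unstored input.
async function resolveKey(wc, store, passphrase) {
  if (store.has('demo.key')) // co-located layout: the raw key is in the store
    return wc.subtle.importKey('raw', fromHex(store.get('demo.key')), 'AES-GCM', false, ['encrypt', 'decrypt']);
  if (passphrase === undefined) return null;
  const material = await wc.subtle.importKey('raw', new TextEncoder().encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  const params = { name: 'PBKDF2', hash: 'SHA-256', salt: fromHex(store.get('demo.salt')), iterations: 600000 };
  return wc.subtle.deriveKey(params, material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt `secret` into `store`; with no passphrase the random key is saved beside the data.
async function seal(store, secret, passphrase) {
  const wc = await webCrypto();
  const rand = (n) => wc.getRandomValues(new Uint8Array(n));
  if (passphrase === undefined) store.set('demo.key', toHex(rand(32)));
  else store.set('demo.salt', toHex(rand(16)));
  const iv = rand(12);
  const key = await resolveKey(wc, store, passphrase);
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, new TextEncoder().encode(secret));
  store.set('demo.item', `${toHex(iv)}.${toHex(ct)}`);
}

// What a party holding only a copy of the store (plus an optional guess) can read.
async function openFromCopy(copy, passphrase) {
  const wc = await webCrypto();
  const key = await resolveKey(wc, copy, passphrase);
  if (!key) return null;
  const [iv, ct] = copy.get('demo.item').split('.').map(fromHex);
  try { return new TextDecoder().decode(await wc.subtle.decrypt({ name: 'AES-GCM', iv }, key, ct)); }
  catch { return null; } // wrong key: the GCM tag check fails
}

async function demo() {
  const a = new Map(), b = new Map(); // constructed stand-ins for localStorage
  await seal(a, 'token-123');
  await seal(b, 'token-123', 'correct horse');
  return {
    colocated: await openFromCopy(new Map(a)),
    derivedNoInput: await openFromCopy(new Map(b)),
    derivedWrongInput: await openFromCopy(new Map(b), 'guess'),
    derivedRightInput: await openFromCopy(new Map(b), 'correct horse'),
  };
}
demo().then(console.log);
```

Deriving the key from an unstored input only covers someone who obtains the storage contents at rest; script running in the page's origin while the key is in use can still reach the plaintext.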

Keen to hear what can be done here as @janosgy has stated above.

polanfong avatar Feb 07 '24 09:02 polanfong

I am closing all older issues. If this issue still exists in the latest version, please let me know.

juliansteenbakker avatar Aug 13 '24 20:08 juliansteenbakker