Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Encryption of User data #18

Open
sakshampruthi opened this issue Jul 18, 2020 · 8 comments
Open

Encryption of User data #18

sakshampruthi opened this issue Jul 18, 2020 · 8 comments
Assignees
@TaraStefanyi
Labels
help wanted Extra attention is needed medium up-for-grabs

Comments

@sakshampruthi
Copy link
Member

Encrypt profile details that are uploaded or stored on firebase so that only user can access these details
@TaraStefanyi
Copy link

Is this issue still unresolved?

@sakshampruthi
Copy link
Member Author

@TaraStefanyi Yes, it is still unresolved. How do you plan to resolve it?

@TaraStefanyi
Copy link

I was thinking about generating and storing a secret key safely on user's device (maybe shared preferences or a single file in app's folder). Then we would use this key to encrypt/decrypt the data.

@sakshampruthi
Copy link
Member Author

@TaraStefanyi Sure, go ahead give it a try and if possible try it in the MVVM branch

@sakshampruthi sakshampruthi added the Hacktoberfest Hacktoberfest participants welcomed label Oct 4, 2020
@TaraStefanyi
Copy link

@sakshampruthi I just wanted to ask what data should be encrypted...

@sjain30
Copy link
Collaborator

sjain30 commented Oct 18, 2020

Hi @TaraStefanyi Sorry for the late reply
For starters, we're planning to encrypt the personal details of the user before uploading to Firebase and decrypt it wherever we're accessing it in the app. The user details are being uploaded in step two of the signup page.

@TaraStefanyi TaraStefanyi mentioned this issue Oct 19, 2020
Open
@sakshampruthi sakshampruthi removed the Hacktoberfest Hacktoberfest participants welcomed label Nov 13, 2020
@zubusoomro
Copy link

I was thinking about generating and storing a secret key safely on user's device (maybe shared preferences or a single file in app's folder). Then we would use this key to encrypt/decrypt the data.

what if user uninstall's the app and install's the app again ? would he be able to retrieve his data again ? i don't think so.

@rzuhovski0
Copy link

Hello, is this issue still open? Instead of using local storage (since the files will be deleted after the app uninstall) I would use Password-Based Key Derivation Function (PBKDF).
1.)On Signup:

  • Generate a salt and use the user’s password to derive an encryption key.
  • Encrypt the personal details using the derived key and upload both the encrypted data and the salt to Firebase.
    2.)On Login:
  • Retrieve the encrypted data and the salt from Firebase.
  • Use the user’s password and the stored salt to derive the encryption key.
  • Decrypt the data using this key.

No key storage on device: The encryption key is derived dynamically from the user's password each time it's needed.
Reusable user input: It leverages the user’s existing password, avoiding the need for extra key management.

If you like this approach, please let me know and assign the issue to me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@TaraStefanyi TaraStefanyi

Labels
help wanted Extra attention is needed medium up-for-grabs
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@TaraStefanyi @sjain30 @sakshampruthi @zubusoomro @rzuhovski0