1. Analysis of data storage
Using cross-platform tools on
mobile devices
Evaluatie van gegevensopslag door gebruik van cross-
platform tools op mobiele toestellen
Gilles Callebaut
KU Leuven, Ghent
21th June 2016

2. • Beginning
• Middle
• End
Table of Contents

3. Beginning
Introduction

4. INTRODUCTION
Motivation
Scope
Relevance
Goal
Approach
4

5. 5
Native Development

6. INTRODUCTION
Motivation
Scope
Relevance
Goal
Approach
Cross Platform Tool
Shared Code Base
6

7. Cross Platform Tool
Shared Code Base
7Smartphone OS Market Share, 2015 Q2 (IDC)
82,8% 13,9% 2,6%
INTRODUCTION
Motivation
Scope
Relevance
Goal
Approach
96,7%

8. 8

9. 9
Device API’s
Native Container
Web Code
Cordova Architecture

10. 10
Device API’s
Native Container
Web Code
Cordova Architecture

11. Cordova Plugin Store
11

12. INTRODUCTION
Motivation
Scope
Relevance
Goal
Approach
12

13. • API Coverage
• Contribution 1: Analysis
• Contribution 2: Native Storage (Plugin 1)
• Performance
• Contribution 3: Analysis
• Security
• Contribution 4: Secure Storage (Plugin 2)
• Contribution 5: File Transfer (Plugin 3)

14. • API Coverage
• Contribution 1: Analyse
• Contribution 2: Native Storage (Plugin 1)
• Performance
• Security

15. Contribution 1:
Coverage Analysis
15
KEY
Contribution2
VALUE
NativeStorage

16. Contribution 1:
Coverage Analysis
16

17. Contribution 2:
Native Storage
17

18. LocalStorage
(HTML feature)
Persistence storage ? NOT guaranteed
Platforms
• Webview
Supported Types
• Strings
Contribution 2:
Native Storage
18

19. LocalStorage
(HTML feature)
NativeStorage
(Plugin)
Persistence storage ? NOT guaranteed GUARANTEED
Platforms
• Webview • Android
• iOS
• Browser
Supported Types
• Strings • Strings
• Booleans
• Numbers
• Objects
Contribution 2:
Native Storage
19
https://www.npmjs.com/package/cordova-plugin-
nativestorage
https://github.com/TheCocoaProject/cordova-
plugin-nativestorage

20. 20

21. 21

22. 22
1200 downloads in
less than a month!

23. 23http://npm-stat.com/charts.html?package=cordova-plugin-nativestorage
Contribution 2:
Native Storage

24. 24http://npm-stat.com/charts.html?package=cordova-plugin-nativestorage
Contribution 2:
Native Storage

25. 25

26. • API Coverage
• Performance
• Contribution 3: Analysis
• Security

27. Contribution 3:
Performance Analysis
27

28. Contribution 3:
Performance Analysis
28

29. Contribution 3:
Performance Analysis
29

30. 30
SQLite
WebSQL
SQLite Plugin
IndexedDB
Duration of
total operation
time
97 1398 1855 2140(ms)
Indexed-based searching SQLite wrapper
Database performance
Contribution 3: Performance Analysis

31. 31
SQLite
WebSQL
SQLite Plugin
IndexedDB
Duration of
total operation
time
97 1398 1855 2140(ms)
Indexed-based searching SQLite wrapper
Database performance
Contribution 3: Performance Analysis

32. Contribution 3:
Performance Analysis
32

33. 0
20
40
60
80
100
120
140
160
180
0 5 10 15 20
Memoryusage(Mb)
File (Mb)
Memory Native Memory Cordova
33
0
500
1000
1500
2000
2500
3000
3500
4000
4500
0 5 10 15 20
Read/Writeduration(ms)
File volume (Mb)
Cordova Write Cordova Read Android Read Android Write
File storage performance
Contribution 3: Performance Analysis
https://github.com/apache/cordova-plugin-file

34. 0
20
40
60
80
100
120
140
160
180
0 5 10 15 20
Memoryusage(Mb)
File (Mb)
Memory Native Memory Cordova
34
0
500
1000
1500
2000
2500
3000
3500
4000
4500
0 5 10 15 20
Read/Writeduration(ms)
File volume (Mb)
Cordova Write Cordova Read Android Read Android Write
File storage performance
Contribution 3: Performance Analysis
https://github.com/apache/cordova-plugin-file

35. • API Coverage
• Performance
• Security
• Contribution 4: Secure Storage (Plugin 2)
• Contribution 5: File Transfer (Plugin 3)

36. 36
CLOUD
back-up
Local Backup

37. 37
CLOUD
back-up

38. 38
CLOUD
back-up
Local Backup

39. 39
‘’The Fappening’’

40. Contribution 4: Secure Storage extension
Security
40
ApplicationApplication
OS
DISK
• NO guaranteed
persistent storage
• NO use of symmetric
keys in recent android
version
• Guaranteed persistent
storage
• Symmetric keys in recent
android version
• 2 times faster!

41. Secure Data-in-transit
41
Data-in-transit

42. Contribution 5: File Transfer extension
Security
42
Self signed certificate

43. Contribution 5: File Transfer extension
Security
43
AllowAllHosts
Self signed certificate

44. Eavesdropping and Altering Data possible (MiTM)
44

45. Contribution 5: File Transfer extension
Security
45
Solution: certificate pinning
,
Allow Self Signed
Certificate/chain
In read-only
directory
check
1
2 3

46. End
Evaluation

47. 47
Quantative Performance
Analysis
API Coverage Evaluation
NativeStorage
1
2
3
4 5

48. Future Work
48
• For me
o Deployment other plugins
o NativeStorage
• Encryption
• WP support
• Future work
o Can files be manipulated faster?
o Are there many apps with weak file-transfer (allowAllHosts)?
o Including WP
o …

49. 49

50. Thank you for your
attention

51. Appendix
Slides which weren't used in the final
version but could provide useful

52. Read (asText)
52
“Foo bar”
“File contents”
{JSON}

53. Read (asText)
53
“Foo bar”
“File contents”
Convert to JSONArray
Native read
Resolve to local URL
{JSON}
Send over bridge

54. Write (binary)
54
01011010101011001011
“Foo bar”
01011010101011001011
Base64.encode

55. Write (binary)
55
01011010101011001011
“Foo bar”
01011010101011001011
Base64.encode
JS Processing command
Blob creation
Native write
Execute call delay

56. 56
SQLite
WebSQL
SQLite Plugin
IndexedDB
Duration of
total operation
time
97 1398 1855 2140(ms)
Database performance
Contribution 3: Performance Analysis

57. 57
SECURITY

58. 58
SECURITY
BACK-UP
https://github.com/apache/cordova-plugin-file-transfer
File Transfer
Data-in-transit

59. SecureStorage
59
Sensitive data
E53456=ol
AES browser generated key (256-bit)
RSA Android KeyStore generated key-pair (2048-bit)

60. SecureStorage
60
Sensitive data
E53456=ol
AES browser generated key (256-bit)
RSA Android KeyStore generated key-pair (2048-bit)

61. SecureStorage
61
Sensitive data
E53456=ol
AES browser generated key (256-bit)
RSA Android KeyStore generated key-pair (2048-bit)

62. Local-
Storage
SecureStorage
62
AES browser generated key (256-bit)
RSA Android KeyStore generated key-pair (2048-bit)
E53456=ol

63. Local-
Storage
SecureStorage
63
AES browser generated key (256-bit)
RSA Android KeyStore generated key-pair (2048-bit)
E53456=ol
No guaranteed
persistent storage

64. Local-
Storage
SecureStorage
64
AES browser generated key (256-bit)
RSA Android KeyStore generated key-pair (2048-bit)
E53456=ol

65. Local-
Storage
SecureStorage
65
AES browser generated key (256-bit)
RSA Android KeyStore generated key-pair (2048-bit)
E53456=ol
No need for RSA (wrapping)
as of Android 6.0

66. SecureStorageM
66
• Extra plugin to take advantage of symmetric keys in Android M (6.0)
• Transparent use of my plugin
o If(Android.version >= 6) use my plugin
• SecureStorage Plugin acts as delegate
o Backward compatible
o What If OS upgrades from < 6.0 to >= 6.0 ?
• First check if requested value is stored by means of the old mechanism
• Otherwise save with the new mechanism
• Possible improvement:
• Copy all values stored by ‘old’ mechanism to the new SSM

67. Shared-
Preferences
SecureStorageM
67
Android KeyStore generated key
AES/GCM/NoPadding
Sensitive data
E53456=ol
Sensitive data
IV

68. SecureStorageM - Improvement
68
• Performance improvement (300 ms → 150 ms)
o No symmetric key wrapping with asymmetric key
o One time over bridge per operation
• Improved behaviour (persistency)
o Before
• LocalStorage → not always persistent
• Possible to lose valuable information

69. 69
SECURITY
Secure Storage

70. Secure Storage
70
• Global static KeychainAccessibility
o Protect data with most strict protection class
• ThisDeviceOnly
• Not always possible because of global static configuration

71. EXTERN
Data Credential
Local
ADB backup
(explicit)
User supplied password
(OpenSSL)
(tested on LG-D802 running
Android 5.0.2)
Only compressed
(to .ab file)
(tested on LG-D802 running
Android 5.0.2)
Cloud
Google
Services
(prior to Android 6)
Plain text
(security of the data depends on the
security of the google account passcode)
Plain text
(Credentials of the
Android OS)
Google
Drive
(Android 6)
Encrypted
71
Security Concern No back-up EncryptedLegend

72. EXTERN
Data Credential
Local
iTunes
backup
remain encrypted
with the device’s
protection class keys
Only non-migratory
keychain items remain
wrapped with the UID-
derived key
Cloud iCloud backup
Backed up in their original encrypted
state ~ Data Protection classes
DP classes not accessible when locked,
per-file-key re-encrypted with key from
iCloud Backup keybag
remain encrypted
with the device’s
protection class keys
Escrow
keybag
System
keybag
Backup
keybag
72
idem
Security Concern EncryptedLegend

73. Security concerns back-up in Cordova
73
• AllowBackup (default true in Android)
o Not specified in Cordova
→ Saving ‘all’ application data
• BackupWebStorage (platforms/ios/cordova/defaults.xml &config.xml)
o Cloud (default)
→ Leakage of sensitive information to cloud-location
→ Limited storage → app can be banned from store
o Local (iTunes backup)
o None

74. 74
SECURITY
BACK-UP
https://github.com/Crypho/cordova-plugin-secure-storage
Secure Storage
Data-in-use

75. 75
SECURITY
BACK-UP

76. 76
SECURITY

77. Key-value storage performance
77
SharedPreferencesNativeStorage (plugin)localStorage NSuserDefaults
Save and retrieve a
string (1000 iterations)
Plists
https://www.npmjs.com/package/cordova-plugin-nativestorage

78. Key-value storage performance
78
GET: <1 ms for all implementations
SET: <1 ms for all implementations, except NativeStorage (1,9 ms)
GET: <1 ms for all implementations, except plist (9,83 ms)
SET: <1 ms for all implementations
Load file as array
Cordova overhead +
asynchronous call-
backs + blocking till
write complete

79. 79
Storing and retrieving file
contents native and
through Cordova
SQLite SQLite
File API (plugin)
https://github.com/apache/cordova-plugin-file
File storage performance
Contribution 3: Performance Analysis

80. 80
File storage performance
0
1000
2000
3000
4000
5000
6000
7000
8000
0 2 4 6 8 10 12
Read/WriteDuration(ms)
Read/Write volume (MB)
Cordova vs iOS (iphone 6 [9.2])
iOS Read
iOS Write
Cordova iOS Read
Cordova iOS Write

81. Why all the overhead?
81

82. Resulting in more memory consumption
82
0
20
40
60
80
100
120
140
160
180
0 5 10 15 20
Memoryusage(Mb)
File (Mb)
Memory Native
Memory Cordova
0
50
100
150
200
250
300
350
400
450
0 2 4 6 8 10
Memoryusage(Mb)
File (Mb)

83. Database performance
83
Store 100 books, request
all books, delete 50
books and finaly request
all books again
SQLiteWebSQLSQLite PluginIndexedDB SQLite

84. 84
SQLite
WebSQL
SQLite Plugin
Duration of
total operation
time
1925 2235 2467(ms)
Database performance

85. 85
SQLite
WebSQL
SQLite Plugin
Duration of
total operation
time
1925 2235 2467(ms)
Database performance
SQLite wrapper

86. Storage strategies in Cordova
86
Storage implementations Android
device
iOS
device
Database
WebSQL ■ ■
IndexedDB  
SQLite (plugin)  
File File API (plugin)  
Variables
LocalStorage  
NativeStorage  
Credentials Secure Storage  
 Not supported
 Supported
■ Deprecated (but supported)

87. NativeStorage
(Plugin)
LocalStorage
(HTML feature)
Supported Types
• Strings
• Booleans
• Numbers
• Objects
• Strings
Guaranteed persistent
storage ?
 1
Platforms
• Android
• iOS
• Browser
• Webview
Supported Framework • Ionic • Ionic
App-private  
NativeStorage
87
[1] W3 Expiring localstorage is well within the definitions of the spec (https://www.w3.org/TR/webstorage/#user-tracking)
iOS WebKit data stored in caches folder → can be cleared by OS (as of iOS 5)

88. Preliminary work
88
• Study (state-of-the-art)
o CPTs (What/Why/How)
o Secure Software
o Encryption mechanisms and
protocols
o Encryption model in iOS and
Android
o Back-up model iOS and Android
o Known Vulnerabilities in Cordova
o Cordova platform
o Cordova plugin development/usage
• Research
o Examine the inner workings of
Cordova platform
o Back-up model Android
• Programming skills
o Cordova CLI
o Javascript
o Objective C (iOS)
o Java (Android)
• Learn to deal with Apple products

89. 89
BACK-UP

90. Web applications and web-to-native wrappers Runtimes and source-code translators
Runtime Environment
OS
Application Code
90
INTRODUCTION
Motivation
Scope
Relevance
Goal
Approach

91. Full Disk Encryption
DEVICE
Data Credential
Private
• Internal Storage
Store private data on the device memory.
• Shared Preferences
Store private primitive data in key-value pairs.
• SQLite Databases
Store structured data in a private database.
KeyStore
Shared
• External Storage
Store public data on the shared external storage.
• SQLite Databases
KeyChain
(owned by system user)
Master-encryption
key
Only decrypted
in TEE
(non
exportable)
Secure World
91

92. File
Protection Classes
Keychain
Protection Classes
DEVICE
Data Class Protection (per file-cred.)
Data Credential
Private
• Property list (plist)
Structured data representation, e.g. XML, binary, ASCII.
• Core Data
Persistence storage of object graph.
• SQLite Databases
Store structured data in a private database.
• User Preferences
Persistence storage of objects in plist.
KeyChain
(can be shared between apps
from the same developer)
thisDeviceOnly
Full Disk Encryption
92

93. • Android
• File System encryption
o hardware-key
o Password
• iOS
• File System Encryption
o hardware-key (UID)
• Data Protection
o hardware-key (UID)
o Password (exc. None
class)
93

94. Mobile Device
Cordova App
Native
Cordova Libs
Plugins
HTML, CSS, JS
(webcontent)
Cordova JS
Libs
WebView
Plugin
JS
Mobile OS
IPC
Malicious software component
(e.g. malicious webcontent)
Malicious CPT components (e.g.
plugins, libraries)
Malicious CPT compilers
94

95. Cordova Bridge
95
addJavaScriptInterface addJavaScriptInterface
URL loading interposition stringByEvaluating
JavaScriptFromStringiframe

96. SecureStorageM – SWOT analysis
96
Internal
Strenghts Weaknesses
AES encryption (128/256 bit) IV plaintext stored, which can be visible and altered
when rooted
Secure Key storage management (Android KeyStore)
Key material never exposed to application process
Integrity check by means of GCM
External
Opportunities Threats
No keylength specification, the length is imposed by
Android, therefore, it can evolve with cryptographic
requirements
Usage of keys possible with root-access and code
execution
Some devices support hardware-backed keys

97. File transfer extension – SWOT analysis
97
Internal
Strenghts Weaknesses
Certificate pinning (on a CA level) If the site rotates its certificate on a regular basis, then
your application would need to be updated regularly
Certificates in app-private and read-only folder What when certificate expires?
External
Opportunities Threats
Based on certificate checking provided by subjacent
platform
Certificate revocation, when lost?
Bypass: Decompile/Patch/Recompile/Resign/Sideload

98. References

99. References
• [1] Android backup service, . URL http://developer.android.com/google/backup/index.html. access
date: 08/03/2016.
• [2] Android debug bridge, . URL http://developer.android.com/tools/help/adb.html.access date:
08/03/2016.
• [3] Data backup, . URL http://developer.android.com/guide/topics/data/backup.html. access date:
08/03/2016.
• [4] Configuring auto backup for apps, . URL
http://developer.android.com/training/backup/autosyncapi.html. access date: 23/02/2016.
• [5] Full disk encryption. URL https://source.android.com/security/encryption/index.html. access
date: 09
• [6] Hardware-backed keystore. URL https://source.android.com/security/keystore/
• index.html. access date: 09/02/2016./02/2016.

100. References
• [7] Security with https and ssl. URL http://developer.android.com/training/articles/security-ssl.htm.
access date: 09/02/2016.
• [8] The apple sandbox. URL https://media.blackhat.com/bh-dc-
11/Blazakis/BlackHat_DC_2011_Blazakis_Apple%20Sandbox-Slides.pdf. access date:
02/04/2016.
• [9] Web sql database, november 2010. URL https://www.w3.org/TR/webdatabase/. accessdate:
11/04/2016.
• [10] Phonegap documentation. docs.phonegap.com/en/edge/, 20115. Accessed: 11/07/2015.
• [11] Phonegap explained visually. http://phonegap.com/2012/05/02/phonegap-
explainedvisually/,Mei 2012. Accessed: 10/07/2015.
• [12] Phonegap, cordova, and what’s in a name? http://phonegap.com/2012/03/19/phonegap-
cordova-and-what%E2%80%99s-in-a-name/, Maart 2012. Accessed:10/07/2015.

101. References
• [13] Cross-platform developer tools 2012: Bridging the worlds of mobile apps and the web,
Februari2012.
• [14] Adobe phonegap build. https://build.phonegap.com, 2013. Accessed:10/07/2015.
• [15] How can html5 compete with native?, September 2013.
• [16] The phonegap developer app. app.phonegap.com, 2015. Accessed11/07/2015.
• [17] Cryptographic key length recommendation, semptember 2015. URL
https://www.keylength.com/en/compare/. access date: 12/04/2016.
• [18] Mobile top 10 2014 https://www.owasp.org/index.php/OWASP_Mobile_Security_Project, Juli
2015. Accessed
• [19] Smartphone os market share, q1 2015. http://www.idc.com/prodserv/smartphone-osmarket-
share.jsp, 2015. Accessed:10/07/2015.
• [20] Android encryption. https://source.android.com/devices/tech/security/encryption/, 2015.
Accessed: 13/08/2015.: 8/07/2015; 12/07/2015; 18/07/2015.

102. References
• [21] Android kernel security. https://source.android.com/devices/tech/security/overview/kernel-
security.html, 2015. Accessed: 13/08/2015.
• [22] Security-enhanced linux in android.
https://source.android.com/devices/tech/security/selinux/index.html, 2015. Accessed: 13/08/2015.
• [23] ios security, ios 8.3 or later, June 2015.
• [24] Ios application security part 20 – local data storage. http://resources.infosecinstitute.com/ios-
application-security-part-20-local-data-storage-nsuserdefaultscoredata-sqlite-plist-files/, 2015.
Accessed: 17/09/2015.
• [25] Sharedpreferences.editor, april 2016. URL
http://developer.android.com/reference/android/content/SharedPreferences.Editor.html. access
date: 05/04/2016.

103. References
• [26] Tim Cooijmans, Joeri de Ruiter, and Erik Poll. Analysis of secure key storage solutions on
android. In Proceedings of the 4th ACM Workshop on Security and Privacy in Smartphones&#38;
Mobile Devices, SPSM ’14, pages 11–20, New York, NY, USA, 2014. ACM. ISBN 978-1-4503-
3155-5. doi: 10.1145/2666620.2666627. URL http://doi.acm.org/10.1145/2666620.2666627.
• [27] D. Chell and T. Erasmus, and S. Colley, and O. Whitehouse. The Mobile Appllication:
Hacker’s Handbook. John Wiley & Sons, Inc., 2015.
• [28] Daniel Eggert. Core data overview, september 2013. URL https://www.objc.io/issues/4-core-
data/core-data-overview/. access date: 16/03/2016.
• [29] Nikolay Elenkov. Android Security Internals: An In-Depth Guide to Android’s Security
Architecture. No Starch Press, San Francisco, CA, USA, 1st edition, 2014. ISBN 1593275811,
9781593275815.
• [30] Martin Georgiev, Suman Jana, and Vitaly Shmatikov. Breaking and fixing origin-based access
control in hybrid web/mobile application frameworks. In 21st Annual Network and Distributed
System Security Symposium, NDSS 2014, San Diego, California, USA, February 23-26, 2014,
2014. URL http://www.internetsociety.org/doc/breaking-and-fixing-originbased-access-control-hybrid-webmobile-application-frameworks.

104. References
• [31] Xing Jin, Xuchao Hu, Kailiang Ying, Wenliang Du, Heng Yin, and Gautam Nagesh Peri. Code
injection attacks on html5-based mobile apps: Characterization, detection and mitigation. In
Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security,
CCS ’14, pages 66–77, New York, NY, USA, 2014. ACM. ISBN 978-1-4503-2957-6. doi:
10.1145/2660267.2660275. URL http://doi.acm.org/10.1145/2660267.2660275.
• [32] D. Kaplan and R. Hay. Remote exploitation of the cordova framework, 2015.
• [33] Jorn Lapon. X.509 certifcates: A tutorial for android.
• [34] B. LeRoux. Phonegap for engineers, Maart 2011.
• [35] Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin. Attacks on webview in the
android system. In Proceedings of the 27th Annual Computer Security Applications Conference,
ACSAC ’11, pages 343–352, New York, NY, USA, 2011. ACM. ISBN 978-1-4503-0672-0. doi:
10.1145/2076732.2076781. URL http://doi.acm.org/10.1145/2076732.2076781.

105. References
• [36] Graeme Mawson. Introduction to custom cordova plugin development, februari 2015. URL
https://blogs.oracle.com/mobile/entry/introduction_to_custom_ cordova_plugin. access date:
02/04/2016.
• [37] Frank Piessens. Developing Secure Software Applications. November 2005.
• [38] T. terada. Whitepaper – attacking android browsers via intent scheme urls, Maart 2014.
• [39] Peter Teufl, Thomas Zefferer, and Christof Stromberger. Mobile device encryption systems. In
28th IFIP TC-11 SEC 2013 International Information Security and Privacy Conference, pages 203
– 216, 2013.
• [40] Peter Teufl, Thomas Zefferer, Christof Stromberger, and Christoph Hechenblaikner. Ios
encryption systems - deploying ios devices in security-critical environments. In SECRYPT, pages
170 – 182, 2013.
• [41] Peter Teufl, Andreas Gregor Fitzek, Daniel Hein, Alexander Marsalek, Alexander Oprisnik,
and Thomas Zefferer. Android encryption systems. In International Conference on Privacy &
Security in Mobile Systems, 2014. in press.

106. References
• [42] Daniel R. Thomas, Alastair R. Beresford, Thomas Coudray, Tom Sutcliffe, and Adrian Taylor.
The lifetime of android api vulnerabilities: case study on the javascript-to-java interface. In
Security Protocols XXIII, Lecture Notes in Computer Science. Springer International Publishing,
2015.
• [43] vision mobile. Cross-platform tools 2015, 2015. URL
http://www.visionmobile.com/product/cross-platform-tools-2015/. access date: 13/04/2016.
• [44] vision mobile. Developer economics state of the developer nation q1 2016, 2016. URL
http://www.visionmobile.com/product/developer-economics-stateof-developer-nation-q1-2016/.
access date: 13/04/2016.
• [45] Michiel Willocx, Jan Vossaert, and Vincent Naessens. A quantitative assessment of
performance in mobile app development tools. In Onur Altintas and Jia Zhang, editors, IEEE MS,
pages 454–461. IEEE, 2015. ISBN 978-1-4673-7284-8. URL
http://dblp.unitrier.de/db/conf/mobserv/mobserv2015.html#WillocxVN15.
• [46] X. Jin, X. Hu, K. Ying, W. Du, H. Yin, and G.N. Peri. Code Injection Attacks on HTML5-based
Mobile Apps: Characterization, Detection and Mitigation, November 2014.