User Credentials Storage for Mobile App
Application Type: Mobile

At my company, we have a security requirement to clean our tablet/mobile devices after a 60-minute idle period for Cyber Security protection. We use a product called DataSweeper that will run over a tablet/mobile device if it has been idle for 60 minutes, cleaning up the app's data and cache. When this happens, the user of our application is logged out and has to log back in to the app. We have an exception in place for the mobile app space and that works for the app, but not the user logged in. This is becoming frustrating for our users and user base because they do not always have connectivity and to log back into the app, they have to get to Wi-Fi coverage to get back in and continue the work.

What we are trying to understand is:

1. Where are the user credentials stored on the device? This will help us determine if we can get an exception so the user stays logged in.

2. Can the credentials be moved to the same application space as the app on the device so the exception works for app data and user credentials?

We have tested the application without the Cyber Security requirement of DataSweeper and the user can use the app in offline mode without issue of getting logged out of the app.

Rank: #171
Solution

Hi Jeremy,

The user credentials aren't stored in the phone as a username and password, because this would be a security problem.

When you log in you create a session, and this session data, if I'm not mistaken, is stored in Cordova's browser cookies.

See these docs to learn more about it.

Normally you can set the duration that this cookie will be valid, without needing to go to the server and log in again. But since you are wiping the cache of the app, you are destroying the session, and this way you are forcing the users to log in again.


Of course you could store the credentials by customizing your login flow, but it is not recommended in any way.


Hope it helps,

Cheers and Regards

RR :)

Rank: #21179

Is there a way to move the auth cookies to within the application space?

We found out that the tool DataSweeper is unable to create exceptions for specific items within an app.  So for the web browser it would clear all of the app and not be able to leave the token cookies. So it doesn't seem like it is going to help us unless we can move those tokens to the app container so the exception works for our scenario.

Thoughts?