Cordova/Phonegap: RefreshToken in localstorage

Well, according to the PhoneGap/Cordova security guide it seems that localStorage is not recommended for storing sensitive data. So what can you do?

Well, here are two options I think you can use.

1. Encrypt the refresh token and store it encrypted in localStorage. You can use CryptoJS (a JS library to encrypt/decrypt data) to encrypt your token using AES (see this example), and it also has an AngularJS module.

2. You can store your refresh token on the device/phone file system using the Cordova File APIs. For an extra level of security you can encrypt the data and store it on the device file system. Note that on Android you will be limited to a 128-bit AES key size, but using some third-party plugin you can increase it to 256.


Actually, PhoneGap apps are not really "all native". Only system functionalities (like file access, camera access, etc.) are translated to their Java counterparts. It still uses a WebView and a lot of JavaScript to implement the application business logic.

So, answering your question, the local storage issue is still a valid concern as it is a feature of the Web View component used by these frameworks (PhoneGap, Cordova, Ionic and the like) to make the UI.

Additionally, all those requests that carry identification/secret elements (Session ID, Refresh Token, etc.) should be made through HTTPS, preventing malicious observers from learning their values.

The HttpOnly flag on your cookie only prevents the value from being manipulated through JavaScript. Therefore, you should also add the Secure flag to those cookies, to avoid sending them over unencrypted connections.

And please, if you use encrypted connections, do not make them accept any certificate. Be sure to correctly verify the validity of the cert provided by the server.

Instead of disabling the check or making it return 'true' for any certificate, the secure solution to self-signed certificates is pinning the one you generated, or adding the CA used to create your certificate to the list of trusted CAs.

To help you further in your quest for securing your mobile app communication:

OWASP document explaining Certificate Pinning
Page talking about the pros and cons and providing links and an example
SE question about Certificate Pinning

Edit:
From what I could understand, this is an incorrect behavior created by the framework implementation. Long answer short: "It should be possible, but we screwed things up." I tried developing test apps for PhoneGap, but found (implementation) errors like this one that made me give up and come back to native Android. That said, I would like you to please upvote my answer back to zero, as it should be right because your application is not native as you said, but unfortunately wasn't able to solve the problem because of PhoneGap's way of doing things.