Back to General - Yahoo! TV Widgets Forum
0

Persistent Storage Security

I need to store user login credentials, with the intention that they will be shared across several of our upcoming applications.

I am planning on using currentProfileData to allow this.

From my understanding, anything stored in currentProfileData can be read by any widgets, which could potentially create a security issue of other widgets viewing the credentials.

What are my options for sharing credentials, but limiting it to only our applications? I was planning on a JS TEA Encryption Algorithm (http://www.movable-type.co.uk/scripts/tea-block.html) to encrypt the credentials. Any additional options?

Also, if I call:

CODE
currentProfileData.set('credentials', credentials);


and some other app does the same, then my credentials could be overwritten. Is there a suggested practice, as far as creating a namespace for our profile data specific to our apps?

I'm assuming I would just create one object/map that I store using currentProfileData, and use a reverse domain notation, or something like that. For example:

CODE
currentProfileData.set('companyNameSpace', "{ "credentials" : ... }");


Thanks

by
Report Abuse
5 Replies
  • You are incorrect in your assumption that all information is share in the currentProfileData between applications. The information is specific to the application that is pulling the data from storage.

    As simple test to see:
    1) copy the current widget you are testing and change the folder and Widget ID
    2) update the simulator
    3) enter a value in application 1 and save the data, then close the simulator
    4) start the simulator and open application 1 to make sure that your information is available
    5) open the copied application and you will see the information is not saved

    I would be a huge security flaw if every application could access information from all the other applications, but this is not the case.
    Report Abuse
    0
  • QUOTE (WidgetRealm @ Apr 8 2011, 09:20 AM) <{POST_SNAPBACK}>
    You are incorrect in your assumption that all information is share in the currentProfileData between applications. The information is specific to the application that is pulling the data from storage.

    [snip]

    I would be a huge security flaw if every application could access information from all the other applications, but this is not the case.

    Actually, you're incorrect. Read Chapter 11. Persistent Storage

    QUOTE
    This data is private for a profile, but available to all widgets and can be overwritten by another widget if the same access key is used.


    Explain to me why that would be a security flaw? What if I did not want to store something confidential? What is the security flaw in that?
    Report Abuse
    0
  • QUOTE (Steve @ Apr 8 2011, 09:44 AM) <{POST_SNAPBACK}>
    Actually, you're incorrect. Read Chapter 11. Persistent Storage

    Explain to me why that would be a security flaw? What if I did not want to store something confidential? What is the security flaw in that?

    You are correct. I was referencing "currentAppConfig". :bIt would be a security flaw of the config for an application was accessible via other applications.
    Report Abuse
    0
  • QUOTE (Steve @ Apr 8 2011, 07:07 AM) <{POST_SNAPBACK}>
    I need to store user login credentials, with the intention that they will be shared across several of our upcoming applications.

    I am planning on using currentProfileData to allow this.

    From my understanding, anything stored in currentProfileData can be read by any widgets, which could potentially create a security issue of other widgets viewing the credentials.

    What are my options for sharing credentials, but limiting it to only our applications? I was planning on a JS TEA Encryption Algorithm (http://www.movable-type.co.uk/scripts/tea-block.html) to encrypt the credentials. Any additional options?

    Also, if I call:

    CODE
    currentProfileData.set('credentials', credentials);


    and some other app does the same, then my credentials could be overwritten. Is there a suggested practice, as far as creating a namespace for our profile data specific to our apps?

    I'm assuming I would just create one object/map that I store using currentProfileData, and use a reverse domain notation, or something like that. For example:

    CODE
    currentProfileData.set('companyNameSpace', "{ "credentials" : ... }");


    Thanks

    Currently, there's no model for this. In lieu of it, I think your idea to store an object with a reverse domain notation key would make the chances of it being overwritten unlikely.
    Report Abuse
    0
  • QUOTE (Benjamin Toll @ Apr 9 2011, 10:30 AM) <{POST_SNAPBACK}>
    Currently, there's no model for this. In lieu of it, I think your idea to store an object with a reverse domain notation key would make the chances of it being overwritten unlikely.

    Ok, thanks.
    Report Abuse
    0
Ask a Question

Recent Posts

in General - Yahoo! TV Widgets