View Full Version : Mobile page - where to keep very private data?

02-17-2011, 09:12 AM

I'm developing mobile website and I have one problem with security some of data.

First time the user browse my site, the page requests a server to get some private user's data (i.e. RSA private key) which is used in future operations. This private key must be stored somewhere in local device memory (as a file on device, browser cache...).
Next time when the same user launches the page (some functionality on page), the page has to load the file from local data when needed and use it (i.e. encrypt some string with private key).

The problem is where to store this key and how to read it?

First, I thought about cookies. But the cookie will be sent with all requests, so doing it with private key IMHO is not a good idea.
The connection of course will be via SSL, but even that I don't want to send private key to server (it has to be as secure as possible!).
So, how to solve to problem...?

I can add, it's not necessary to get the private key from server. It can be load as a file to device via its file manager or something like that. Simply - the browser has to read the private key when it will be needed and use it. I don't think that browser allows to save/read file from JavaScript, am I right?

Solution of the problem must work on most of available devices and browser nowadays (especially iPhone, Android, Symbian + Opera Mobile(/Mini?).

Maybe HTML5 and its 'localStorage' could solve it but I have to assume, I CAN'T use HMTL5 with all its features.
I consider using jQueryMobile framework.

Please, help! Thanks in advance!!


02-17-2011, 11:32 AM
I can add, it's not necessary to get the private key from server.
Yes, I know. The private key doesn't have to be transfer. But the key has to be load somehow to device. The problem is how to get the key from device to use it browser (from encrypt some data).