The Ionic JS SDK documentation mentions that the postMessage API is used to communicate with an iframe running core SDK code. Device profiles are kept in localStorage scoped to the origin of the iframe.
What prevents the SDK JS code (and subsequent iframe) from being loaded on a malicious site and used to access the profiles a user has created to encrypt/decrypt data?
To create a new device profile, applications should call the enrollUser function; see: https://api.ionic.com/jssdk/latest/Docs/tutorial-device_enrollment.html

From the docs:

So the profile is stored encrypted. The profiles are also stored nested and namespaced by origin, appId, and userId, like this (see the queryProfiles function in ProfileManager.js):

Note that the origin information is pulled from the postMessage event object received by the SDK core code running inside the iframe.

The loadUser function accepts the same params as enrollUser and performs the reverse operation, loading a profile from localStorage and decrypting it.

So in summary:

An application must have access to the same appId, userId, and userAuth values and be running on the same origin to gain access to a profile created by another application.

In practice:

appId is hardcoded for a given application (i.e. in the js/html). userId and userAuth are stored on the application user's session object. These values can either be fetched via an ajax request to the application's origin server or written into the application html. This is similar to normal handling practices for CSRF tokens.