parent f0f6c7c

author Nicolas Gimenez <[email protected]> 1716205204 +0200
committer Nicolas Gimenez <[email protected]> 1728301787 +0200
gpgsig -----BEGIN SSH SIGNATURE-----
 U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAg9OUtNQdUox99iVfbkCzO9VDkTr
 FxtJweIm9OTf+NYj8AAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
 AAAAQL3zRS6B+Lf6sF+My28t69cngeIuG+1TVJAKYt46zS4TunA59HmlzD8gpX0MZwgDgY
 yLPysQysIVIFAqC51pWwY=
 -----END SSH SIGNATURE-----

parent f0f6c7c
author Nicolas Gimenez <[email protected]> 1716205204 +0200
committer Nicolas Gimenez <[email protected]> 1728301766 +0200
gpgsig -----BEGIN SSH SIGNATURE-----
 U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAg9OUtNQdUox99iVfbkCzO9VDkTr
 FxtJweIm9OTf+NYj8AAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
 AAAAQOpFDlBkZ35f2aMTGS1xfPrP9bDa2Khsx9xTtDUyVY3dTVQwA+0MmHUzpdxHI6Eg9J
 dfm+GM3iryPPWy+q6wfgo=
 -----END SSH SIGNATURE-----

parent f0f6c7c
author Nicolas Gimenez <[email protected]> 1716205204 +0200
committer Nicolas Gimenez <[email protected]> 1728301715 +0200
gpgsig -----BEGIN SSH SIGNATURE-----
 U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAg9OUtNQdUox99iVfbkCzO9VDkTr
 FxtJweIm9OTf+NYj8AAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
 AAAAQJuJqjR2T8ohMmEL7bMaBj8COBMnJ+cKmeNHPI5eq6379uXZYKvcnzMNIvgcsyRWHC
 8qJzstNc+rU74BHLXlOQE=
 -----END SSH SIGNATURE-----

parent f0f6c7c
author Nicolas Gimenez <[email protected]> 1716205204 +0200
committer Nicolas Gimenez <[email protected]> 1728301654 +0200
gpgsig -----BEGIN SSH SIGNATURE-----
 U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAg9OUtNQdUox99iVfbkCzO9VDkTr
 FxtJweIm9OTf+NYj8AAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
 AAAAQAZxCVsneUK/IIHZ1FraPTuX8bBlY6tw2zL/r84tLuVNaTzj3gsqj47kOJskAI2NrJ
 1TEx/Pi66CNPcI4RTuJQk=
 -----END SSH SIGNATURE-----

parent f0f6c7c
author Nicolas Gimenez <[email protected]> 1716205204 +0200
committer Nicolas Gimenez <[email protected]> 1728301613 +0200
gpgsig -----BEGIN SSH SIGNATURE-----
 U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAg9OUtNQdUox99iVfbkCzO9VDkTr
 FxtJweIm9OTf+NYj8AAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
 AAAAQL0i1xgDTUnc0Gp+Rk5waVbS3sm67IYMWz9yas/J9dXuJQUCuSsi/l+R+zD17EusHS
 KN70kFC9UvnHwdu+uEHQU=
 -----END SSH SIGNATURE-----

feat(android): enforce biometrics or device credentials to use key for 15min

feat(android): enforce biometrics or device credentials to use key for 15min

fix: ...

fix: access public

fix: test 30sec

chore: linting

fix(android): 15min unlock

chore: auto lint

chore: license

feat: handle error

fix: interface

Author: nicobao

.gitignore

@@ -65,3 +65,7 @@ captures/
 *.xcworkspace
 
 .eslintcache
+
+android/.settings/org.eclipse.buildship.core.prefs
+android/.project
+android/.classpath

LICENSE

@@ -1,22 +1,24 @@
-Copyright 2020-present Aparajita Fishman
-
-MIT License
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+BSD-2-Clause Plus Patent
+
+Note: This license is designed to provide: a) a simple permissive license; b) that is compatible with the GNU General Public License (GPL), version 2; and c) which also has an express patent grant included.
+
+Copyright (c) 2024, ZKorum SAS.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+Subject to the terms and conditions of this license, each copyright holder and contributor hereby grants to those receiving rights under this license a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except for failure to satisfy the conditions of this license) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer this software, where such license applies only to those patent claims, already acquired or hereafter acquired, licensable by such copyright holder or contributor that are necessarily infringed by:
+
+(a) their Contribution(s) (the licensed copyrights of copyright holders and non-copyrightable additions of contributors, in source or binary form) alone; or
+
+(b) combination of their Contribution(s) with the work of authorship to which such Contribution(s) was added by such copyright holder or contributor, if, at the time the Contribution is added, such addition causes such combination to be necessarily infringed. The patent license shall not apply to any other combinations which include the Contribution.
+
+Except as expressly stated above, no rights or licenses from any copyright holder or contributor is granted under this license, whether expressly, by implication, estoppel or otherwise.
+
+DISCLAIMER
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+

LICENSE_ORIGINAL

@@ -0,0 +1,22 @@
+Copyright 2020-present Aparajita Fishman
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -1,5 +1,13 @@
 <div class="markdown-body">
 
+Modified version to ensure access to secure storage must use biometrics or device credential every 15 minutes.
+
+Original project: https://github.com/aparajita/capacitor-secure-storage
+
+Original License: [MIT](./LICENSE_ORIGINAL).
+
+Our changes are licensed under [BSD-2-Clause-Patent](./LICENSE).
+
 # capacitor-secure-storage
 
 This plugin for [Capacitor 6+](https://capacitorjs.com) provides secure key/value storage on iOS and Android. It was originally designed to be a companion to [@aparajita/capacitor-biometric-auth](https://github.com/aparajita/capacitor-biometric-auth/#readme) in order to securely store login credentials, but can be used to store any JSON data types.

android/build.gradle

@@ -18,7 +18,7 @@ android {
     namespace "com.aparajita.capacitor.securestorage"
     compileSdk project.hasProperty('compileSdkVersion') ? rootProject.ext.compileSdkVersion : 34
     defaultConfig {
-        minSdkVersion project.hasProperty('minSdkVersion') ? rootProject.ext.minSdkVersion : 22
+        minSdkVersion project.hasProperty('minSdkVersion') ? rootProject.ext.minSdkVersion : 23
         targetSdkVersion project.hasProperty('targetSdkVersion') ? rootProject.ext.targetSdkVersion : 34
         versionCode 1
         versionName "1.0"

android/src/main/java/com/aparajita/capacitor/securestorage/KeyStoreException.java

@@ -17,6 +17,11 @@ public class KeyStoreException extends Throwable {
     );
     errorMap.put(ErrorKind.osError, "An OS error occurred (%s)");
     errorMap.put(ErrorKind.unknownError, "An unknown error occurred: %s");
+    errorMap.put(
+      ErrorKind.secureLockScreenDisabled,
+      "Secure lock screen is disabled"
+    );
+    errorMap.put(ErrorKind.userNotAuthenticated, "User is not authenticated");
   }
 
   private String message = "";
@@ -48,7 +53,10 @@ void init(ErrorKind kind, @Nullable Throwable osException) {
 
     if (message != null) {
       switch (kind) {
-        case osError, unknownError -> {
+        case osError,
+          unknownError,
+          secureLockScreenDisabled,
+          userNotAuthenticated -> {
           if (osException != null) {
             this.message = String.format(
               message,
@@ -80,5 +88,7 @@ public enum ErrorKind {
     invalidData,
     osError,
     unknownError,
+    secureLockScreenDisabled,
+    userNotAuthenticated,
   }
 }

android/src/main/java/com/aparajita/capacitor/securestorage/SecureStorage.java

@@ -4,6 +4,7 @@
 import android.content.SharedPreferences;
 import android.security.keystore.KeyGenParameterSpec;
 import android.security.keystore.KeyProperties;
+import android.security.keystore.UserNotAuthenticatedException;
 import android.util.Base64;
 import com.getcapacitor.JSObject;
 import com.getcapacitor.Plugin;
@@ -13,6 +14,7 @@
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.security.GeneralSecurityException;
+import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyStore;
 import java.security.UnrecoverableKeyException;
 import java.security.spec.AlgorithmParameterSpec;
@@ -201,6 +203,17 @@ private void tryStorageOp(PluginCall call, StorageOp op) {
       return;
     } catch (KeyStoreException e) {
       exception = e;
+    } catch (InvalidAlgorithmParameterException e) {
+      // java.lang.IllegalStateException: Secure lock screen must be enabled to create keys requiring user authentication
+      exception = new KeyStoreException(
+        KeyStoreException.ErrorKind.secureLockScreenDisabled,
+        e
+      );
+    } catch (UserNotAuthenticatedException e) {
+      exception = new KeyStoreException(
+        KeyStoreException.ErrorKind.userNotAuthenticated,
+        e
+      );
     } catch (GeneralSecurityException | IOException e) {
       exception = new KeyStoreException(KeyStoreException.ErrorKind.osError, e);
     } catch (Exception e) {
@@ -237,7 +250,8 @@ private String getDataParam(PluginCall call) {
 
   private String encryptString(String str, String prefixedKey)
     throws GeneralSecurityException, IOException {
-    // Code taken from https://medium.com/@josiassena/using-the-android-keystore-system-to-store-sensitive-information-3a56175a454b
+    // Code taken from
+    // https://medium.com/@josiassena/using-the-android-keystore-system-to-store-sensitive-information-3a56175a454b
     Cipher cipher = Cipher.getInstance(CIPHER_TRANSFORMATION);
     cipher.init(Cipher.ENCRYPT_MODE, getSecretKey(prefixedKey));
 
@@ -254,8 +268,8 @@ private String encryptString(String str, String prefixedKey)
 
   private String decryptString(String ciphertext, String prefixedKey)
     throws GeneralSecurityException, IOException, KeyStoreException {
-    // Code taken from https://medium.com/@josiassena/using-the-android-keystore-system-to-store-sensitive-information-3a56175a454b
-
+    // Code taken from
+    // https://medium.com/@josiassena/using-the-android-keystore-system-to-store-sensitive-information-3a56175a454b
     // Split the ciphertext into data + IV
     String[] parts = ciphertext.split(DATA_IV_SEPARATOR.toString());
 
@@ -310,6 +324,12 @@ private SecretKey getSecretKey(String prefixedKey)
       );
       AlgorithmParameterSpec spec = builder
         .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
+        .setUserAuthenticationRequired(true)
+        .setUserAuthenticationParameters(
+          15 * 60,
+          KeyProperties.AUTH_BIOMETRIC_STRONG |
+          KeyProperties.AUTH_DEVICE_CREDENTIAL
+        )
         .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
         .build();
       keyGenerator.init(spec);

package.json

@@ -1,5 +1,5 @@
 {
-  "name": "@aparajita/capacitor-secure-storage",
+  "name": "@zkorum/capacitor-secure-storage",
   "version": "6.0.1",
   "description": "Capacitor 5+ plugin that provides secure storage for the iOS and Android",
   "author": "Aparajita Fishman",
@@ -38,7 +38,7 @@
     "verify": "pnpm verify.ios && pnpm verify.android",
     "prerelease": "scripts/ensure-clean.sh && pnpm build",
     "release.preview": "commit-and-tag-version --dry-run",
-    "release": "commit-and-tag-version --commit-all && git push --follow-tags && pnpm publish"
+    "release": "commit-and-tag-version --commit-all && git push --follow-tags && pnpm publish --access public"
   },
   "commit-and-tag-version": {
     "scripts": {

src/definitions.ts

@@ -26,6 +26,15 @@ export enum StorageErrorType {
    * An unclassified system-level error occurred.
    */
   unknownError = 'unknownError',
+  /**
+   * Secure lock screen must be enabled to create keys requiring user authentication
+   * */
+
+  secureLockScreenDisabled = 'secureLockScreenDisabled',
+  /**
+   * User must be authenticated to access the secure storage
+   * */
+  userNotAuthenticated = 'userNotAuthenticated',
 }
 
 /**