
Secure Storage

Ionic Secure Storage is a cross-platform local database system for high-performance, secure data storage on iOS and Android. It provides full SQL query and relational data support through SQLite, as well as key/value support for simpler use cases when used with the Ionic Storage utility library. Full encryption support (using 256-bit AES) is provided out of the box for security-sensitive applications.

While Ionic Secure Storage is only available on iOS and Android, support for web storage is available when used in key/value mode in tandem with the Ionic Storage utility library, which will fall back to a web-friendly storage mechanism when running in a non-native browser environment.

Secure Storage is built and supported by the Ionic team, and includes ongoing maintenance, security patches, and new features.

Why Secure Storage?

Most apps need to store data on the device, but there are a lot of choices for data storage. Secure Storage is a fast and easy way to incorporate secure, reliable, high performance data access in your app. Secure Storage's fully managed solution offers the following benefits:

Quick and easy deployment: Save days or weeks of development time with a pre-built storage solution. With zero configuration, it's ready to deploy in minutes. Once deployed, leave maintenance and stability concerns to Ionic’s team of mobile security professionals and get back to focusing on your app's core features.

On-device data encryption: Sensitive data is protected and kept securely on the device with 256-bit AES full database encryption. The powerful operating system-level security follows Apple and Google’s best practices. When paired with Identity Vault, you can secure and access data using the app user's biometrics (fingerprint scan and facial recognition).

Offline-ready: Since Secure Storage is capable of storing large amounts of data, your mobile apps always work and are always responsive – regardless of network connection. Data is stored on the local filesystem – outside the browser environment – and can be managed independently of the Ionic Secure Storage solution.

How It Works

SQLite is the most popular storage engine for mobile apps, by far, so it's a key part of the Secure Storage solution. Since it's a single file on the filesystem, it's easy to work with and move around (you can edit the database file using DB Browser for SQLite, for example).

SQLite also offers transaction protection. Its serializable transactions are atomic, consistent, isolated, and durable (ACID). Thus, all changes within a single transaction in Secure Storage either occur completely or not at all, even if the act of writing the change out to the disk is interrupted by a program crash, an operating system crash, or a power failure.

When you create (or initialize) the SQLite database, you specify the encryption key using the key parameter. With that set, all newly created data is encrypted automatically using 256-bit AES encryption.

```typescript
// Open (or create) the database. Passing `key` turns on 256-bit AES
// encryption for everything written to it.
const db = await this.sqlite.create({
  name: "mydb",
  location: "default",
  // Key/Password used to encrypt the database.
  // Strongly recommended to use Identity Vault to manage this.
  key: "password"
});

// Data inserted into the software table is automatically encrypted.
// `db` is the SQLiteObject returned by create() above.
db.transaction((tx) => {
  tx.executeSql(
    "INSERT INTO software (name, company, type, version) VALUES (?,?,?,?)",
    ["secure-storage", "ionic", "native", "2.0"],
    (tx, result) => { }
  );
});
```

Note: Encryption Key Management

Before you use Secure Storage, you need to figure out how you will manage your encryption key. Typically, managing encryption keys on the client can be incredibly challenging to get right.

Thankfully, by using Identity Vault in tandem with Ionic Secure Storage, teams can securely manage encryption keys to support online and offline use cases using the full security features available on modern mobile devices and operating systems.

If you choose to roll your own method of key management, be aware that, just like rolling your own encryption, there are many pitfalls to client-side key management that may defeat your encryption efforts. Some of those pitfalls include lack of integration with secure enclave device hardware, incorrect management of biometric credentials resulting in users accessing sensitive values from other users, and data exposure if a device is jailbroken or lost/stolen. Because of these challenges we strongly recommend against rolling your own key management system and recommend using Identity Vault instead.
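The snippet above passes the literal "password" as the key, which is fine for a demo but is exactly the kind of hardcoded secret the key management pitfalls apply to. The following is an added example, not code from the Ionic docs or from Identity Vault, showing the shape of a safer arrangement: the database key is 32 random bytes generated once per installation, kept in a device-backed secret store, and read back on every launch. The `SecureKeyStore` interface, the `InMemoryKeyStore` class and the `DB_KEY_NAME` entry name are assumptions made for this example; on a device the store would be backed by Identity Vault (the page's recommendation), while the in-memory class exists only so the code runs off-device.

```typescript
import { randomBytes } from "crypto";

// Minimal contract for a device-backed secret store. This interface is an
// assumption for the example; on a real device it would be satisfied by
// Identity Vault, which the page recommends for key management.
export interface SecureKeyStore {
  get(name: string): Promise<string | undefined>;
  set(name: string, value: string): Promise<void>;
}

// Illustration-only store that lives in process memory so the example can
// run outside an app. It offers none of the hardware-backed protection the
// page describes and is not suitable for production use.
export class InMemoryKeyStore implements SecureKeyStore {
  private readonly values = new Map<string, string>();
  async get(name: string): Promise<string | undefined> {
    return this.values.get(name);
  }
  async set(name: string, value: string): Promise<void> {
    this.values.set(name, value);
  }
}

// Constructed entry name under which the key is stored.
export const DB_KEY_NAME = "secure-storage-db-key";
// 32 bytes = 256 bits, matching the AES key size the page describes.
export const DB_KEY_BYTES = 32;

// A usable key is exactly 32 random bytes encoded as 64 lowercase hex chars.
// A literal such as "password" or a truncated value fails this check.
export function isWellFormedKey(candidate: string): boolean {
  return /^[0-9a-f]{64}$/.test(candidate);
}

// Returns the database key, generating a fresh random one on first use so
// the key never appears in source code and differs on every installation.
// A stored value that is present but malformed is an error rather than a
// trigger to regenerate: silently replacing it would orphan the existing
// encrypted database, so the problem should surface instead.
export async function getOrCreateDatabaseKey(store: SecureKeyStore): Promise<string> {
  const existing = await store.get(DB_KEY_NAME);
  if (existing !== undefined) {
    if (!isWellFormedKey(existing)) {
      throw new Error(`stored value under ${DB_KEY_NAME} is not a valid database key`);
    }
    return existing;
  }
  // randomBytes is a CSPRNG; hex keeps the value a plain string for `key:`.
  const fresh = randomBytes(DB_KEY_BYTES).toString("hex");
  await store.set(DB_KEY_NAME, fresh);
  return fresh;
}

// Builds the options object for sqlite.create() from the page's snippet,
// with the provisioned key in place of a hardcoded string.
export async function buildCreateOptions(store: SecureKeyStore) {
  return {
    name: "mydb",
    location: "default",
    key: await getOrCreateDatabaseKey(store),
  };
}
```

In an app, `buildCreateOptions` would be called with the Identity Vault-backed store before `this.sqlite.create(...)`, so the key is only ever held in the vault and in memory while the database is open. Keeping the key out of the bundle does not address every pitfall the page lists (a jailbroken device or a mishandled biometric unlock can still expose it), which is why the store behind the interface matters as much as the generation step.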

Reference Apps

While implementing Secure Storage, refer to these reference apps for examples showcasing data encryption.