App Security API

The App Security API is a collection of JavaScript APIs for hybrid HTML5 application developers. It enables developers, even those who are not security experts, to take advantage of the security properties and capabilities supported by the platform.

The API collection is available to developers in the form of a Cordova plugin (JavaScript API and middleware), or as a Crosswalk extension for Windows* desktop. The API collection is supported on the following operating systems:

  • Android*
  • iOS*
  • Windows* MUI 8/8.1/10
  • Windows* desktop

This version of the App Security API introduces three major scopes: secure data (data-in-use), secure storage (data-at-rest) and secure transport (data-in-move). It primarily introduces the concept and delivers this new API collection with the Intel® XDK (http://xdk-software.intel.com/), a Cordova plugin (https://github.com/01org/AppSecurityApi), or a Crosswalk extension (https://github.com/01org/AppSecurityApi/tree/master/windows_crosswalk). You can start building applications with the App Security API plugin, learn about the API collection from this documentation and the sample applications (https://software.intel.com/en-us/html5/articles/my-private-notes-sample and https://software.intel.com/en-us/xdk/article/my-private-photos-sample), and try integrating the App Security API plugin into your applications.

You can use these APIs anywhere in the application. Here are several usage examples:

  • A game keeps a score for a player. Suppose players get credits and promotions based on their score. You can maintain the score as secure data while the game is being played and save it as secure storage when the game is closed.
  • A personal note application stores all data on the web. To improve performance, while maintaining confidentiality, you can download the data (requested by the user) from the web and cache it using secure storage on the device. Next time it is used, the application can read it from the device and does not need to access the web.
  • An application uses access and authentication to a cloud backend. To keep the communication alive, it uses a token that was created by the backend. The application can cache the token using secure storage, and send the token securely to the backend using secure transport.

The APIs are grouped in ‘mega-functions’ (namespaces); each mega-function includes a collection of APIs within one scope of functionality. This version of the App Security API primarily targets the introduction of the new API: you can take advantage of capabilities that are on par with the capabilities of the platform and operating system. The API is built so that it can be extended while maintaining a solid API layer. Future extensions may include:

  • Improved security of the middleware implementation, using hardware technologies and advanced software techniques.
  • Wider scope of API, adding mega-functions, such as secure identity, or secure input/output.

Mega Functions:

  • Secure Data
    Collection of APIs that provide data-in-use protection and data sealing support. Enables creating, managing and using a data stream object in memory. Access to this object is done via an instance ID. Sensitive object properties and sensitive content are hidden.

  • Secure Storage
    Collection of APIs that provide data-at-rest protection. Enables storing and retrieving data objects using non-volatile storage.

  • Secure Transport
    Collection of APIs that provide enhanced protection for client-server HTTPS communication. Enables sending secure data elements within regular data to trusted remote servers.

Usage examples:

  • Protect connection tokens, to address ‘Man in the Cloud’ attacks.
    Use Secure Data API to protect the confidentiality of the authentication token in memory.

  • Secure your locally cached data with low-level cryptography protections.
    Use Secure Storage API to protect the data saved on the device.

  • Use secure connection and data sealing to protect your data when using cloud storage.
    Use Secure Transport and Secure Data API to connect and store data on cloud.
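
The instance-ID handle and data sealing described under Secure Data, and used in the usage examples above, can be modelled in a few lines of Node.js. This is an added illustration, not the plugin's code or API: every function name, the in-script device key and the blob layout are assumptions made for the example.

```javascript
// Toy model of the instance-ID pattern (added illustration, Node.js).
// All names here are hypothetical; this is not the App Security API.
const nodeCrypto = require('crypto');

// Constructed device key; a real platform would keep it out of script reach.
const deviceKey = nodeCrypto.randomBytes(32);
const table = new Map(); // instance ID -> plaintext Buffer, private to the "middleware"
let nextId = 1;

// Store sensitive data and hand the caller only an opaque handle.
function createFromData(text) {
  const id = nextId++;
  table.set(id, Buffer.from(text, 'utf8'));
  return id;
}

// Seal for storage at rest: AES-256-GCM, base64 of iv || tag || ciphertext.
function seal(id) {
  if (!table.has(id)) throw new Error('unknown instance ID');
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deviceKey, iv);
  const ct = Buffer.concat([cipher.update(table.get(id)), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Restore from a sealed blob; a modified blob fails authentication and throws.
function createFromSealedData(blob) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 28) throw new Error('sealed blob too short');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', deviceKey, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  const pt = Buffer.concat([d.update(raw.subarray(28)), d.final()]);
  const id = nextId++;
  table.set(id, pt);
  return id;
}

// Explicit release of the plaintext, the one place it leaves the table.
function getData(id) {
  if (!table.has(id)) throw new Error('unknown instance ID');
  return table.get(id).toString('utf8');
}

// Overwrite and drop the in-memory copy once it is no longer needed.
function destroy(id) {
  const buf = table.get(id);
  if (buf) buf.fill(0);
  return table.delete(id);
}
```

Application code passes the handle and the sealed blob around; the plaintext appears only at the `getData` call, which makes that call the point to review and log.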
