I'm creating a PhoneGap application which needs to allow a user to log into our Central Authentication Service.
My concern is that, since the files on the phone are being loaded locally (via file://), there isn't security like there would be over an HTTPS connection. If I pass the username and password to an HTTPS location on our server, the request would not be secured even though the response would be.
I do not want to use a ChildBrowser plugin for the login because there doesn't appear to be any kind of event bubbling that would tell me when the login process has finished, and because not all platforms support the ChildBrowser plugin.
It looked as though it might be reasonable to use asymmetric encryption to encrypt the username/password combination with a public key and decrypt it on the server with a private key. I can't seem to get any JavaScript RSA libraries to play nice with Java on the backend, though.
Does asymmetric encryption seem decent for this case of protecting a user's password in a PhoneGap application? Is there a better solution?
How would one get this working with JavaScript -> Java? I've been using the ohdave.com/RSA scripts on the client side, but Java doesn't want to recreate a key using ohdave's generated keys.
Any help is appreciated.
I have since learned that requesting the authentication webservice via HTTPS will initiate a handshake that will allow the credentials to be encrypted with the SSL certificate.
As far as storing the credentials on the phone, here's how I'm doing it:
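As an added illustration of the point in the update above (that credentials sent from a file:// WebView to an HTTPS endpoint are protected by the TLS handshake, so no hand-rolled RSA is needed in transit), here is example client code that is not from the original post. It assumes a WebView with the `URL`/`URLSearchParams` APIs and `XMLHttpRequest`; the endpoint URL is a constructed placeholder. The defensive detail it adds is that the client refuses to build the request unless the scheme is really `https:` and keeps the credentials in the POST body rather than the URL, where they would end up in server and proxy logs.

```javascript
// Added example, not code from the original post.
// Constructed placeholder endpoint; the real CAS URL is not on this page.
const LOGIN_ENDPOINT = "https://cas.example.invalid/login";

// Build the login request. The TLS handshake protects the body in transit,
// so the client's job is only to make sure TLS is actually in use and that
// the credentials are not placed in the query string.
function buildLoginRequest(endpoint, username, password) {
  const url = new URL(endpoint);
  if (url.protocol !== "https:") {
    throw new Error("refusing to send credentials over " + url.protocol);
  }
  if (url.search) {
    throw new Error("credentials endpoint must not carry a query string");
  }
  // application/x-www-form-urlencoded body: spaces become '+', '&' becomes '%26'.
  const body = new URLSearchParams({ username: username, password: password }).toString();
  return {
    url: url.toString(),
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body,
  };
}

// Send the request from the WebView. Resolves with the response body on a
// 2xx status, rejects otherwise. Only defined here; nothing is sent on load.
function login(username, password) {
  const req = buildLoginRequest(LOGIN_ENDPOINT, username, password);
  return new Promise(function (resolve, reject) {
    const xhr = new XMLHttpRequest();
    xhr.open(req.method, req.url, true);
    Object.keys(req.headers).forEach(function (h) {
      xhr.setRequestHeader(h, req.headers[h]);
    });
    xhr.onload = function () {
      if (xhr.status >= 200 && xhr.status < 300) {
        resolve(xhr.responseText);
      } else {
        reject(new Error("HTTP " + xhr.status));
      }
    };
    xhr.onerror = function () {
      reject(new Error("network error"));
    };
    xhr.send(req.body);
  });
}
```

Because the request is built by a pure function, the https-only check can be unit-tested without a device; `login` is the thin wrapper that actually performs the XHR inside the WebView.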