My app requires sensitive and confidential data from users which is then stored locally on the device in a local database. This data is essential and used by my app during a user session but I want it to be deleted before exiting the app to reduce the chance of the data being compromised. While Thunkable offers several ways to store data locally on the device as per the best of my knowledge, all of these methods offer persistent storage. Furthermore, Thunkable does not provide an exit app handler so I am unable to understand how this might be achieved. Can someone help?
I do not know how to do it in Thunkable X, but you can do it in classic. You use a random number generator, and create a unique key for each session. All data is encrypted locally. When the session ends, the data is encrypted and not recoverable because of the lost random key. You then check if old data is there and delete it on restarts. Good if the phone crashes or battery dies.
There is no native encryption function I could find in X.
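The per-session key scheme described above, as an added example that is not part of the original thread or of Thunkable: it is written in JavaScript with Node's built-in `crypto` module, and the choice of AES-256-GCM is an assumption. `SessionVault` is a hypothetical name and the `Map` stands in for the app's persistent local database.

```javascript
const crypto = require('crypto');

class SessionVault {
  // `store` is a stand-in for the persistent local database (hypothetical Map stub).
  constructor(store) {
    this.store = store;
    this.purged = this.purgeStale();        // leftovers from a crash or dead battery
    this.key = crypto.randomBytes(32);      // CSPRNG key, held in memory only
  }

  // Delete anything a previous session left behind; its key no longer exists.
  purgeStale() {
    const count = this.store.size;
    this.store.clear();
    return count;
  }

  put(name, value) {
    const nonce = crypto.randomBytes(12);   // fresh nonce for every record
    const c = crypto.createCipheriv('aes-256-gcm', this.key, nonce);
    c.setAAD(Buffer.from(name));            // bind the ciphertext to its field name
    const ct = Buffer.concat([c.update(String(value), 'utf8'), c.final()]);
    const blob = Buffer.concat([nonce, c.getAuthTag(), ct]);
    this.store.set(name, blob.toString('base64'));
  }

  get(name) {
    const blob = this.store.get(name);
    return blob === undefined ? undefined : SessionVault.open(this.key, name, blob);
  }

  // Layout: 12-byte nonce | 16-byte auth tag | ciphertext. Throws on a wrong key.
  static open(key, name, blob) {
    const raw = Buffer.from(blob, 'base64');
    const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    d.setAAD(Buffer.from(name));
    d.setAuthTag(raw.subarray(12, 28));
    return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
  }

  // Clean exit: best-effort wipe of the key, then drop the ciphertext too.
  end() {
    this.key.fill(0);
    this.key = null;
    this.store.clear();
  }
}
```
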
That is an interesting idea for sure but if you wish to access the same data again you need to store and use the same unique key again right? So can someone not just use the unique key from where it is stored and access the encrypted data?
If it is in the same session the key is stored as a variable and the user won't see it.
I know this might sound dumb but I could really use some help here. So are not all the variables in Thunkable persistent? I mean, if the phone crashes or dies down, will not the variables still hold the previous values when the app is launched again? If yes, then can the user, and by extension hackers, not access the value of a variable?
No they are not persistent, and in Classic, they do not even pass from screen to screen.
I think he just found the solution to his problem, am I right?
It’s a neat solution but I had a few more final questions:
- Since Thunkable X does not have any native encryption function so even after generating the random key, it would be a challenge to encrypt the user data. What alternative would you recommend for that?
- In theory, is this method not foolproof as a brute-force attack might still reveal the actual user data when the right key is tested?
- Not entirely related but is the user data automatically encrypted while it is being transmitted to Firebase for saving or it is something that we need to do ourselves? If yes, then how can I store the encryption key to decrypt the data later?
Thank you @Cian_O_Sullivan for being so proactive in answering my queries!!
- There is no embedded solution in Thunkable X right now.
- Sure you could try to brute force it, but if you randomized the salt and the key, it would take thousands of years to decrypt.
- If the key is in play, it can be decrypted. There is SSL encryption for Firebase, and it meets PCI standards (same standards for credit cards), so the data in transit is encrypted. If you want to decrypt the data later, you would need to find a way to store the key in some encrypted manner. But now you are talking about something different than what you originally asked, which was, store on device, and never use again if application closes.
That helps a lot. Thank you!!
What I meant here is that if you need the value to be deleted when you close the app, you might just use a normal variable, no?
That might be a fair solution in other cases but my app utilizes nearly 150 independent variables when all the screens are considered together so it would be more appropriate to store and retrieve their values from a local database in the best interest of the processing speed and memory usage. But sure a normal variable can be used for other projects!