I've built a mobile app based on Cordova, for both iOS and Android, i need to make secure communication between app and server. Request to server, in javascript, are like this:
request.open("GET", 'http://url/service?firstElement='+elem+'&secondElement='+elem2, false);
I've tried to use RSA encryption generating public and private key locally using pidCrypt libraries, the 2048bits key requires too long time to be generates, so i've used 512bits.
The server is not be able to decrypt the message.
I'm looking for a better solution.
Try Using Send Ajax Request, Like This. I assume that you use php for Dynamic code (Server Side).
Here is Sample of HTML file which presant on your cordova, phonegap directory.
<form method = "post" action = "#!">
<div class="col-md-4">
<span class="help-block">Name</span><input type="text" name="username" class="form-control" />
</div>
<br>
<div class="col-md-4">
<span class="help-block">Password</span><input type="text" name="password" class="form-control" />
</div>
<input type = "submit" value = "Save" class = "btn btn-success right" onClick="UpdateRecord();"/>
</form>
<script>
function UpdateRecord()
{
var name = $("[name='username']").val();
var host = $("[name='password']").val();
jQuery.ajax({
type: "POST",
url: "php/login.php",
/* Or */
/*url: "https://www.yoursite.com/page",*/
data: "username="+ username+"& password="+ password,
dataType: "html",
cache: false,
success: function(response){
if(response == 'true') {
$.session.set("myVar", username);
window.location.href='profile.html';
}
else {
$("#errorMessage").html("Invalid Entry, Please Try Again");
}
}
});
}
</script>
And PHP File for Handle Query.
Please Not that code is not tested and it may change as per your need. You can perform any encryption method and use any function here.
<?php
include 'config.php';
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
if(!empty($username) && !empty($password))
{
//$result = mysql_query("SELECT * FROM ".$db.".users WHERE username='$username' and password ='$password'");
$result=mysql_query("select * from ".$db.".users WHERE email = '$username' ");
while($data = mysql_fetch_row($result))
{
$original_password = $data[3];
$salt = $data[4];
$hashedPass = sha1($salt.$password);
$fullusername = $data[16]." ".$data[17]; // Used Only for create full name session
if ($original_password == $hashedPass)
{
$_SESSION['username'] = $fullusername;
$_SESSION['useremail'] = $username;
$_SESSION['UserID'] = $data[0];
echo 'true';
}
}
}
?>
Edit
request.open("GET", 'http://url/service?firstElement='+elem+'&secondElement='+elem2, false);
Avoid to use GET method while sending sensitive data.
Edit, Helpful Link
Local storage protection in phonegap application