
Andreas Bergström

Rethinking Security: The Need for Cookie Support in Native Mobile Applications

Ah, the digital world - a place where the wolves of the web are always hungry for a byte of our precious data. As developers concoct new recipes to keep our tasty tidbits safe, they've whipped up something scrumptious called HttpOnly cookies, which have become the darling of web application security. But, alas, native apps are left with their noses pressed against the glass, gazing longingly at these delectable security treats. In this blog post, we'll explore the sugar-coated goodness of HttpOnly cookies and the bitter reality faced by native apps in their quest to protect session tokens.

HttpOnly Goodness


HttpOnly cookies are like the superhero of web application security, swooping in to protect session tokens from the evil clutches of client-side scripts like JavaScript. They're the virtual equivalent of a double-frosted cake with a "Do Not Touch" sign, keeping Cross-Site Scripting (XSS) attacks at bay and preventing them from nibbling away at user accounts.

These nifty cookies are baked by the server and kept in the browser's cookie jar, out of reach of prying client-side scripts. The browser dutifully delivers them with each request back to the site that set them, but should any mischievous script attempt to sneak a peek through document.cookie, it comes away empty-handed.

Native Apps: The Sad Cookies That Aren't Invited to the Party

Unfortunately, native apps find themselves on the outside looking in, with no direct access to the HttpOnly cookie jar. They're left to fend for themselves, cobbling together makeshift security measures like digital scarecrows to protect their session tokens.

Here are some of the not-so-sweet techniques native apps resort to:

Local storage: Like hiding cookies under the mattress, storing session tokens in plain local storage (e.g., Android's SharedPreferences or iOS's UserDefaults) is a tempting but risky choice. Malicious third-party libraries bundled into the app, or a compromised operating system, could pilfer these treats in no time.

Secure storage: More akin to a cookie safe, Android's Keystore and iOS's Keychain offer a more secure storage option. But even these fortified cookie vaults can be cracked by determined adversaries.

Custom encryption: Desperate times call for desperate measures, leading some developers to create their own secret cookie recipes. But encryption is a finicky art, and one wrong ingredient can turn the whole batch sour. Plus, those pesky encryption keys need a safe hiding place too!

The Time for Cookie Solidarity Is Now

With native apps being left out in the cold, it's time for developers, platform providers, and security aficionados to join forces and whip up some new solutions. We need a universal cookie recipe, a glorious creation that can be enjoyed by both web and native apps alike. Or, at the very least, a more robust and secure way to store and protect session tokens.

While web applications are feasting on the sugary goodness of HttpOnly cookies, native apps are left scavenging for crumbs. Developers must put on their aprons and get to work, creating new and delicious ways to keep session tokens safe from the ravenous beasts of the digital realm. So, let us raise our spatulas to a future where web and native apps alike can indulge in the sweet taste of security, and user data can rest easy in the warm embrace of a well-protected cookie.

Top comments (2)

DimitrisK

I believe you don't fully understand the notion of HttpOnly cookies in the browser, and you are wrong to feel left out as a native app developer. The browser's client script does not have access to, nor can it write to, this type of cookie, so native apps obviously shouldn't have access to the HttpOnly cookie jar either. The browser receives them from, and sends them back to, the domain upon a client request. I think Android/iOS mobile apps have similar functionality to store server-set cookies through a cookie store.

Andreas Bergström

Hi! Not sure about pure native Swift/Java apps, but in React Native cookies are officially not stable:
reactnative.dev/docs/network#known...
github.com/facebook/react-native/i...
locastic.com/blog/react-native-coo...