[Feature]: Allow encrypting cookies before storing them #7421

Open
1 of 3 tasks
flgubler-ergon opened this issue Apr 22, 2024 · 0 comments
flgubler-ergon commented Apr 22, 2024

Description

Storing cookies in encrypted format

Platforms

  • iOS
  • Android
  • Web

Request or proposed solution

The CapacitorCookies plugin (CapacitorCookieManager) on Android stores the cookies in an SQLite database in the app's data folder: /data/data/[bundle-identifier]/app_webview/Default/Cookies.

While this approach protects the cookies against most apps, it is vulnerable in the context of a rooted device. With root present, a malicious app could easily read these cookies, which may, e.g., contain the session cookie. Thereby an authenticated session could be stolen.

It would therefore be great to have the option to configure the plugin to encrypt the cookies before storing them in this SQLite database. The symmetric key used for encryption and decryption could itself be stored in the Android Keystore.

Alternatives

If it were possible to specifically override the default implementation of the CapacitorCookieManager (without forking the project), this would give developers the flexibility required to implement such encryption logic themselves.

Additional Information

This feature request is based on a penetration-testing report which only indicated the vulnerability for Android. I am not familiar with the iOS implementation.
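The following is an added example of the scheme the request describes (a symmetric key kept in the Android Keystore, cookies encrypted before they are written to disk); it is not Capacitor's code and not part of the issue. The class name EncryptedCookieStore, the key alias, the SharedPreferences file name, and the choice of AES-256-GCM with the cookie's URL as associated data are all assumptions made here. It stores the encrypted values in a private SharedPreferences file rather than in the WebView's own Cookies database, because that database is written by the WebView, not by the plugin.

```java
// Added example, not Capacitor's own code. EncryptedCookieStore, KEY_ALIAS
// and PREFS are hypothetical names chosen for this illustration.
import android.content.Context;
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;

import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class EncryptedCookieStore {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String KEY_ALIAS = "capacitor_cookie_aes"; // hypothetical alias
    private static final String PREFS = "encrypted_cookies";        // hypothetical file name
    private static final String TRANSFORM = "AES/GCM/NoPadding";
    private static final int GCM_TAG_BITS = 128;
    private static final int IV_BYTES = 12; // AndroidKeyStore generates 12-byte GCM IVs

    private final SharedPreferences prefs;

    public EncryptedCookieStore(Context ctx) throws Exception {
        prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        ensureKey();
    }

    // Generate a non-exportable AES-256 key inside the Keystore on first use.
    // The key material never leaves the Keystore; only encrypt/decrypt
    // operations are exposed to the app process.
    private static void ensureKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        if (ks.containsAlias(KEY_ALIAS)) return;
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        kg.generateKey();
    }

    private static SecretKey key() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        return (SecretKey) ks.getKey(KEY_ALIAS, null);
    }

    // Encrypt one Set-Cookie header value for a URL and persist IV || ciphertext.
    // The Keystore chooses a fresh random IV per encryption; a caller-supplied
    // IV is rejected unless randomized encryption is explicitly disabled.
    public void put(String url, String cookieHeader) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, key());
        c.updateAAD(url.getBytes(StandardCharsets.UTF_8)); // bind ciphertext to its URL
        byte[] ct = c.doFinal(cookieHeader.getBytes(StandardCharsets.UTF_8));
        byte[] iv = c.getIV();
        byte[] blob = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        prefs.edit().putString(url, Base64.encodeToString(blob, Base64.NO_WRAP)).apply();
    }

    // Decrypt the stored value for a URL, or return null if none is stored.
    // A modified blob, or a blob moved to a different URL key, fails the GCM
    // tag check and doFinal throws AEADBadTagException instead of returning data.
    public String get(String url) throws Exception {
        String b64 = prefs.getString(url, null);
        if (b64 == null) return null;
        byte[] blob = Base64.decode(b64, Base64.NO_WRAP);
        if (blob.length <= IV_BYTES) throw new IllegalStateException("corrupt cookie blob");
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, key(), new GCMParameterSpec(GCM_TAG_BITS, blob, 0, IV_BYTES));
        c.updateAAD(url.getBytes(StandardCharsets.UTF_8));
        byte[] pt = c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }
}
```

Two points a practitioner would want to keep in mind with this design. First, the WebView still needs plaintext cookies in memory to attach them to requests, so a plugin built on this store would decrypt and hand values to android.webkit.CookieManager at runtime; the encrypted copy only protects what is at rest. Second, a Keystore key is non-exportable (and, on devices with hardware-backed Keystore, never leaves the secure hardware), but a process running as root can still execute code in the app's context and ask the Keystore to decrypt on its behalf, so this raises the cost of an offline database read rather than making cookies unrecoverable on a rooted device.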
