Safeguarding Your Data in React Native: Secure Storage Solutions
While there are multiple options when it comes to choosing a library that implements secure storage in React Native, it is crucial to ensure that the data is stored properly and ideally without any known vulnerabilities. At Talsec, we made an effort to go through the most popular packages, so you can get a picture of what is on offer.
This article assumes you are familiar with:
How data storage works on native platforms
Recently, the Talsec team started to support React Native by providing the freeRASP and RASP+ SDKs. We are currently exploring ways to go even further and are considering adding a secure storage solution that would follow the latest security standards. To decide how to proceed, we evaluated the existing secure storage options within React Native and are seeking input from the community to understand your expectations regarding this feature.
We would love to share our findings so far with a brief description of various secure storage packages available for React Native, along with their benefits and potential vulnerabilities:
✅ Pros: react-native-keychain is a popular package that securely stores sensitive information using the Keychain on iOS and the Keystore on Android. It encrypts data and provides secure storage for confidential data.
⛔️ Cons: While react-native-keychain provides secure storage, it is not immune to all vulnerabilities. The package stores sensitive information, e.g. a username and password, in clear text in the keychain file, and you can find several concerning open issues on GitHub mentioning that data can be retrieved from the iOS keychain. On top of that, it can only store a username/password combination.
✅ Pros: react-native-encrypted-storage is another third-party library that offers secure storage for sensitive data. It uses EncryptedSharedPreferences on Android and the Keychain on iOS, and encrypts data with AES-256, providing an extra layer of security.
⛔️ Cons: There are some memory leaks detected by the Xcode profiler, and the Keychain is not cleared when your app is uninstalled on iOS — this issue, however, is well documented and can be fixed.
✅ Pros: rn-secure-storage encrypts data using AES-256 and stores it securely on the device. Plus, it can store any [key, value] pair.
⛔️ Cons: The implementation uses the secure-preferences package to store the data, which is now deprecated; EncryptedSharedPreferences from androidx.security is recommended instead.
Okay, the AsyncStorage package doesn’t implement any kind of secure storage and is not intended to store any sensitive data. However, it is still a popular solution for data storage in React Native, which prompted us to mention it in this article as well.
✅ Pros: Offers simple asynchronous storage. It is built on top of React Native’s original AsyncStorage and provides a convenient API for storing and retrieving data.
⛔️ Cons: The package requires developers to handle encryption of the data on their own, as it stores data in plain text, making it vulnerable to unauthorized access if the device is compromised. We suggest avoiding AsyncStorage for sensitive information like passwords or authentication tokens.
Although many devices offer hardware-backed keystores, a significant number lack them. Moreover, certain devices, particularly those running Android, face challenges with hardware-backed keystores due to manufacturer-provided software: these implementations either fail to function properly or fall back to software-backed alternatives. I suggest checking out the list of public resources related to Trusted Execution Environments (TEE). This resource compilation provides valuable information on reverse-engineering techniques and strategies for achieving trusted code execution on ARM devices.
Another important consideration is that although hardware-backed keystores may provide better protection against key extraction, they are still susceptible to runtime attacks, just like software-backed keystores. At runtime, attackers can still access encrypted data stored in the keystore using rooted devices, a repackaged or tampered app, or hooking frameworks.
Therefore, we have concluded that the most effective approach to mitigating the risk of runtime attacks is a combination of secure storage with a RASP-based solution.
By integrating a software-backed keystore into the RASP (Runtime Application Self-Protection) solutions, we can address two critical aspects simultaneously:
Reliability: The enhanced RASP solution will offer a dependable keystore mechanism that does not rely on secure hardware. This ensures the integrity and protection of cryptographic keys, even on devices that lack hardware-backed security features.
Security: While the keystore itself remains vulnerable to threats like root access and runtime hooks, a closely integrated keystore within RASP can mitigate these risks. It can dynamically determine whether to store or retrieve data based on the current security state of the device.
Through the integration of a software-backed keystore, the enhanced RASP solution provides a comprehensive and reliable approach to data protection, overcoming limitations related to hardware availability and compromised devices.
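The "decide whether to store or retrieve based on the current security state" behaviour described above can be shown in a few dozen lines. The following is an added example, not code from the article, from Talsec, or from the freeRASP/RASP+ SDKs: `SecurityState` and the threat names are constructed stand-ins for the signals a RASP SDK would report through its callbacks (the real callback names and threat categories are assumptions, not taken from this page), and `MemoryBacking` stands in for whichever secure-storage package the app uses. The gate fails closed on reads, drops writes, and records every refusal so the app can react (for instance by forcing a re-login) instead of silently degrading.

```javascript
// Added example, not code from the article or from Talsec: a storage wrapper that
// refuses to read or write while the device is in a compromised state.
// SecurityState and the threat names are constructed stand-ins for the signals a
// RASP SDK reports; no real SDK API is used here (assumption, not from the page).

// Stand-in for runtime-security signals. Threats are added when detected and the
// store consults `compromised` on every operation, so the decision is dynamic.
class SecurityState {
  constructor() { this.activeThreats = new Set(); }
  report(threat) { this.activeThreats.add(threat); }
  resolve(threat) { this.activeThreats.delete(threat); }
  get compromised() { return this.activeThreats.size > 0; }
}

// Minimal promise-based key/value backing store (stand-in for a secure-storage package).
class MemoryBacking {
  constructor() { this.items = new Map(); }
  async setItem(key, value) { this.items.set(key, value); }
  async getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
}

// Gate: every operation checks the current security state first. Reads fail
// closed (null) and writes are dropped; each refusal is recorded with the threats
// active at that moment so the app can surface it (telemetry, forced re-login).
class GuardedStorage {
  constructor(backing, state) {
    this.backing = backing;
    this.state = state;
    this.refusals = [];
  }
  allowed(op, key) {
    if (!this.state.compromised) return true;
    this.refusals.push({ op, key, threats: [...this.state.activeThreats] });
    return false;
  }
  async setItem(key, value) {
    if (!this.allowed('set', key)) return false;
    await this.backing.setItem(key, value);
    return true;
  }
  async getItem(key) {
    if (!this.allowed('get', key)) return null;
    return this.backing.getItem(key);
  }
}

// Walks through clean -> compromised -> clean and records what the gate did.
async function runGuardedDemo() {
  const state = new SecurityState();
  const store = new GuardedStorage(new MemoryBacking(), state);

  const storedWhileClean = await store.setItem('refreshToken', 'constructed-token');
  state.report('hooking-framework');        // constructed: RASP reports instrumentation
  const readWhileCompromised = await store.getItem('refreshToken');
  const storedWhileCompromised = await store.setItem('apiKey', 'constructed-key');
  state.resolve('hooking-framework');       // constructed: the signal is cleared again
  const readAfterResolve = await store.getItem('refreshToken');

  return {
    storedWhileClean,                // true
    readWhileCompromised,            // null
    storedWhileCompromised,          // false
    readAfterResolve,                // 'constructed-token'
    refusals: store.refusals.length, // 2
  };
}
```

Which threats should block which operations is a policy decision: a conservative default treats any active threat as blocking for both reads and writes, while a finer policy might, for example, still allow writes of non-secret data. The gate itself runs inside the same process as the app, so it reduces the window for runtime attacks rather than eliminating it, which is exactly why the article pairs it with a keystore instead of relying on either alone.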
We hope this summary helps you make an informed decision when considering a secure storage option for your React Native project. But also, we’d be happy to hear your opinion. Would you use a software-based secure storage SDK for React Native that utilizes a hardcoded obscured encryption key?
Please share your experiences, suggestions, and any other secure storage tips. Let’s discuss in the comments below! 👇
Happy coding.
written by Tomas Psota, developer at Talsec