10

I'd like to persist a user's account credentials (i.e. username and password) in my React Native app. Should I use AsyncStorage?

In other words, I want to know if and how AsyncStorage protects its contents. The docs are silent on that.

(I'm using RN v0.28)

Rob
Eric

4 Answers

8

Is AsyncStorage secure?

No, AsyncStorage is not secure; the docs say:

AsyncStorage is a simple, unencrypted, asynchronous, persistent, key-value storage system that is global to the app. It should be used instead of LocalStorage.

To store secure information on the native side, I really recommend you use react-native-keychain with React Native.

For iOS it uses Keychain Sharing Capabilities.

For Android it uses:

  • API level 16-22: Facebook Conceal
  • API level 23+: Android Keystore

This is a simple example:

import * as Keychain from 'react-native-keychain';

// Generic Password, service argument optional.
// Stores the pair in the iOS Keychain / Android Keystore (or Conceal on old API levels).
Keychain
  .setGenericPassword(username, password)
  .then(function() {
    console.log('Credentials saved successfully!');
  });

// service argument optional.
// Resolves with { service, username, password }; rejects (or resolves false on
// newer versions) when nothing has been stored yet.
Keychain
  .getGenericPassword()
  .then(function(credentials) {
    console.log('Credentials successfully loaded for user ' + credentials.username);
  }).catch(function(error) {
    console.log('Keychain couldn\'t be accessed! Maybe no value set?', error);
  });
Julien Kode
5

If you are using the Expo SDK, you can use SecureStore for sensitive information.

Ohad Cohen
3

You should NEVER save the username and password in plain text in client applications. Please note, never save sensitive data in plain text. You should use a token to authenticate the user.

Regarding the security of AsyncStorage, read this answer. TL;DR: the data is safe unless the attacker has access to the device or the device is rooted (Android)/jailbroken (iOS). The data is not encrypted. So, with root or physical access to the device (and the device is not protected) it is possible to access that data.

Sandro Machado
  • Is there a better way for doing things like persisting user login? Just use a token? Or is there another React Native function that should be used for this use case? Thanks. – jakeatwork Nov 10 '16 at 01:18
  • 1
    AFAIK, the best solution is always going for a revocable token. – Sandro Machado Nov 10 '16 at 01:43
2

NO (at least on iOS, RN v0.28)

AsyncStorage saves key-value pairs as a plaintext JSON file in the Documents directory.

If you run it in the iOS Simulator, you can find its contents under ~/Library/Developer/CoreSimulator/Devices

[screenshot omitted]

Should have been obvious from the source code for RCTAsyncLocalStorage

Eric
  • This seems to only be an issue for jailbroken iOS devices. http://stackoverflow.com/a/39112472/2669591 – DylanVann Oct 20 '16 at 14:46
  • that answer is absolutely incorrect. the above happens on non-jailbroken devices. – Eric Nov 01 '16 at 18:01
  • 1
    It is only an issue if the device is jailbroken or the attacker has access to the device and the device is not protected. Other applications cannot access that information without a jailbreak. I updated the answer. – Sandro Machado Nov 02 '16 at 11:06
  • 1
    I agree. Someone with access to the unlocked device could read the stored username and password; it could also be compromised if the phone is jailbroken. A username and password should not be stored in AsyncStorage. I think it would be acceptable to store a revocable token, though. When I posted that I wasn't really thinking of the use case of the asker. – DylanVann Nov 03 '16 at 05:42