5

I saw a couple of questions asking about "How to store sensitive data in React Native" (like this and this), but all of those cases were talking about taking some sensitive data dynamically (from a server, for example) and then storing it using AsyncStorage. But what if you need to WRITE a sensitive TOKEN/PASSWORD in the CODE?

For example, I want to implement this library: https://github.com/fullstackreact/react-native-oauth. As you can see in the first example, I have to write the secret token in the code.

Is there a file anywhere in the react-native project directory where I can put my tokens and then get them in the application? How secure is it to manipulate those secure tokens in the application?

Thanks

Julien Kode
Broda Noel
  • AsyncStorage is permanent storage, so I wouldn't save important info there even if there is a control which deletes it after leaving the app. So you can store that info using mobx or redux, which store values temporarily. – Burak Karasoy Nov 25 '16 at 09:41
  • @BurakKarasoy But the information is by no means secured in any special way by using redux/mobx. Also, the information would not persist, and you still have the challenge of setting those values. – martinarroyo Nov 25 '16 at 21:26
  • Have a look at this question: http://stackoverflow.com/questions/1934187/oauth-secrets-in-mobile-apps – martinarroyo Nov 25 '16 at 21:27
  • My point is that if you keep data using redux/mobx, this data is stored in temporary memory, and when you close the app this data is gone. But if you store this data in async, it is kept in local files. You have to remove this data yourself when closing the app. The first way seems more secure. I wouldn't write a pw or critical data in permanent storage. – Burak Karasoy Nov 26 '16 at 06:42
  • If you want to store sensitive data you can take a look at this: https://stackoverflow.com/a/45550361/7618742 – Julien Kode Aug 09 '17 at 08:12
  • I just want to point out that some comments here suggest that closing the app will remove the redux store data. That's not entirely true. The Redux store persists even if the app is in the background. This means that when you THINK you've closed the app, it's actually in a background state. Please bear that in mind. – Sandy Garrido Dec 08 '21 at 12:23

3 Answers

6

How to store sensitive data in React Native code?

The libraries

Multiple libraries now allow you to store sensitive data in React Native code:

Note: On the native side, these libraries can use:

Example

Here is an example of using react-native-keychain to store sensitive data with react-native.

For iOS it uses Keychain Sharing Capabilities.

For Android it uses:

  • API level 16-22 use Facebook Conceal
  • API level 23+ use Android Keystore

You can use it like that:

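import * as Keychain from 'react-native-keychain';

// username and password are strings supplied by the app at runtime
// Generic Password, service argument optional
Keychain
  .setGenericPassword(username, password)
  .then(function() {
    console.log('Credentials saved successfully!');
  });

// service argument optional
Keychain
  .getGenericPassword()
  .then(function(credentials) {
    // Resolves to false when no entry has been stored yet
    if (!credentials) {
      console.log('No credentials stored');
      return;
    }
    console.log('Credentials successfully loaded for user ' + credentials.username);
  }).catch(function(error) {
    console.log('Keychain couldn\'t be accessed! Maybe no value set?', error);
  });
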
Julien Kode
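
An added example, not part of the answer above or of react-native-keychain: a small wrapper that keeps a runtime-obtained token with its expiry in the keychain and handles the empty, expired and corrupted cases. `createTokenStore`, `makeFakeKeychain` and the service name are hypothetical; only `setGenericPassword`, `getGenericPassword` and `resetGenericPassword` mirror the library, and the in-memory stand-in is constructed so the code runs off-device.

```javascript
// Constructed in-memory stand-in for react-native-keychain (assumption: in an
// app you would pass the real module to createTokenStore instead).
function makeFakeKeychain() {
  const entries = new Map();
  return {
    async setGenericPassword(username, password, { service }) {
      entries.set(service, { username, password, service });
      return true;
    },
    async getGenericPassword({ service }) {
      return entries.get(service) || false; // false when nothing is stored
    },
    async resetGenericPassword({ service }) {
      return entries.delete(service);
    },
  };
}

// Hypothetical helper: one token per service, stored as JSON with an expiry.
function createTokenStore(keychain, service = 'com.example.app.oauth') {
  const options = { service };
  return {
    // Store a token obtained at runtime; expiresAt is a timestamp in ms.
    async save(account, token, expiresAt) {
      await keychain.setGenericPassword(account, JSON.stringify({ token, expiresAt }), options);
    },
    // Returns { account, token } or null; a missing entry is not an error.
    async load(now = Date.now()) {
      const credentials = await keychain.getGenericPassword(options);
      if (!credentials) return null; // nothing stored yet
      let record;
      try {
        record = JSON.parse(credentials.password);
      } catch (e) {
        record = null; // entry written by something else, or corrupted
      }
      if (!record || typeof record.token !== 'string' || !(record.expiresAt > now)) {
        await keychain.resetGenericPassword(options); // purge stale or corrupt entry
        return null;
      }
      return { account: credentials.username, token: record.token };
    },
    // Call on logout so the token does not outlive the session.
    clear() {
      return keychain.resetGenericPassword(options);
    },
  };
}
```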
1

Generally, AsyncStorage is used to store data in react-native, but it is not secure at all. expo-secure-store is maintained and developed by the expo-team and works the same as AsyncStorage.

It uses encrypted keychain services which hash the data when stored and retrieved, making it super secure.

Ayush Kumar
0

Also, encrypted databases such as Realm could be used, and encryption keys would be stored in Keychain.

Realm is also probably not supported by Expo (so you either need to use bare React Native workflow or eject).

Stefan Majiros