7

I am looking at storing a user access token within a React Native application. Initially I was looking at Redux, but then I noticed that RN has AsyncStorage. I am assuming that, in the case of iOS, this is the equivalent of NSUserDefaults. I may be wrong.

Would this be a good way to store the access token? I don't really want to go through the process of using Redux if I can help it for simple data storage.

ORStudios

4 Answers

7

AsyncStorage may not be a good solution, depending on how your server handles your requests.

However, you can use Redux and redux-persist; using the transform parameter, you can encrypt your data:

https://github.com/rt2zz/redux-persist#transforms

Key encryption: https://github.com/maxdeviant/redux-persist-transform-encrypt

You will still use AsyncStorage, but this time with an encryption layer to protect your data.

Mace Antoine
3

Redux is about data flow control, not necessarily long-term storage. If you want to persist Redux data you will end up using AsyncStorage to do so.

AsyncStorage is sandboxed on non-jailbroken iOS devices. However, the data is not encrypted in any way.

A more secure solution for both platforms seems to be https://github.com/pradeep1991singh/react-native-secure-key-store

Travis White
1

AsyncStorage is not safe for sensitive information. Read more here

In your use case, it will be better to use Firebase services to get the token. When the app starts, you can do something like:

```javascript
// onAuthStateChanged returns a function that removes the listener
var unsubscribe = firebase.auth().onAuthStateChanged(function(user) {
  if (user) {
    user.getIdToken().then(function(data) {
      console.log(data)
      // Save it in Redux, or in component state (in that case you need to do this
      // in every component where the token will be used)

      // Unsubscribe from listener
      unsubscribe()
    });
  } else {
    // User is not authenticated
    // Unsubscribe from listener
    unsubscribe()
  }
});
```

Priyesh Kumar
0

react-native-keychain

It's secure. Also, if I'm not mistaken (don't quote me on any of the following), you might be able to use this to give users the ability to log in to the same app/webapp on that device, or other devices. I also think you can share login details with other apps you've developed, assuming these apps have the same domain in the bundle identifier.

T. Dayya
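
The first two answers turn on the same point: AsyncStorage keeps values unencrypted unless an encryption layer sits in front of it. The sketch below is an added example, not code from any answer and not the implementation of redux-persist-transform-encrypt; it shows such a layer as an inbound/outbound pair using AES-256-GCM, run under Node.js. `fakeStorage`, `sealToken`, `openToken` and the sample token are hypothetical names and constructed data.

```javascript
// Node's crypto stands in for the native crypto a React Native transform would use.
const crypto = require('crypto');

// Constructed sample token, not a real credential.
const SAMPLE_TOKEN = 'eyJhbGciOiJIUzI1NiJ9.constructed-sample.signature';

// Hypothetical in-memory stand-in for AsyncStorage (same async getItem/setItem shape).
const fakeStorage = {
  items: new Map(),
  async setItem(k, v) { this.items.set(k, v); },
  async getItem(k) { return this.items.has(k) ? this.items.get(k) : null; },
};

// Inbound transform: AES-256-GCM with a fresh 96-bit nonce per write.
// Output layout (base64): nonce(12) || tag(16) || ciphertext.
function sealToken(key, token) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]).toString('base64');
}

// Outbound transform: returns the token, or null when the stored blob was
// modified or the key is wrong (the GCM tag check fails).
function openToken(key, blob) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 28) return null; // too short to hold nonce + tag
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Assumption: a real app reads this key from the Keychain/Keystore at startup.
// Here it is random per process so the example runs offline.
const storageKey = crypto.randomBytes(32);

async function demo() {
  await fakeStorage.setItem('plain', SAMPLE_TOKEN); // readable by anyone who can read the file
  await fakeStorage.setItem('sealed', sealToken(storageKey, SAMPLE_TOKEN));
  const sealed = await fakeStorage.getItem('sealed');
  return { plain: await fakeStorage.getItem('plain'), sealed, opened: openToken(storageKey, sealed) };
}

demo().then((r) => console.log(r));
```

The layer is only as strong as the place the key lives: a key shipped inside the JavaScript bundle can be recovered together with the stored data.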