13

I'm working on a mobile app with React Native and Expo, providing security solutions. Project owner wants to store in app sensitive authorization keys, used to communicate with REST server and access secure data. He demands that these keys are at least encrypted, and hard to read from the outside, as much as possible.

I know about these topics:

Save sensitive data in React Native

Is React Native's Async Storage secure?

and about KeyChain, but they don't cover encryption and expo issues.

So what is the best and most common solution for making this data as safe as possible in React Native Expo app?

totallytotallyamazing
  • 2,765
  • 1
  • 20
  • 26
Outside_Box
  • 447
  • 1
  • 4
  • 16
  • 2
    You are approaching the problem entirely wrong. Encrypting the keys client side makes no sense if you need to use them client side because to use them you need the decryption key... So if you have the decryption key AND ciphertext on the client then you might as well have the plaintext. – Luke Joshua Park Jun 20 '17 at 11:48
  • You can have the decryption key on the server and client could send the encrypted data to server and server could easily decrypt it. And in this process you do not need to store the decryption key on the client side due to obvious reasons you mentioned. – milkersarac Jun 20 '17 at 12:00
  • If you want to store sensitive data, you can look: https://stackoverflow.com/a/45550361/7618742 – Julien Kode Aug 09 '17 at 08:35
  • 1
    @LukePark : once again: 'hard to read from outside as much as possible' - not impossible – Outside_Box Aug 10 '17 at 09:21
  • You misunderstand what I meant. You're solving the problem in the wrong way. Introduce an intermediary service that you can use to authenticate users and then simply have the API keys on that server. You should never store API keys client side, encrypted or otherwise. – Luke Joshua Park Aug 10 '17 at 09:27

2 Answers2

11

Expo now has SecureStore, which stores encrypted data.

Details: https://docs.expo.io/versions/latest/sdk/securestore

Outside_Box
  • 447
  • 1
  • 4
  • 16
Peter Petrov
  • 435
  • 5
  • 7
  • 1
    SecureStore has a limitation of 2 Kilobyte. This is by far not enough to store our sensitive data, it might be even more than 100MB, so whats the solution in such a case? – Macilias May 18 '20 at 15:40
7

I am recently involved in a React Native project with security concerns like yours. Security is not an easy issue and I am not an expert, but this is what we did.

We used react-native-aes-encryption for encryption and hashing, react-native-rsa for generating public/private key pairs. In order to use these libraries properly, you better need to know basic cryptography concepts.

We used react-native-keychain to read/write data from keychain. Keychain is the way to go if you want to store some small sensitive data. It has been used in all Apple OS's in order to keep your passwords safe. That said this component is not working as seamless as expected on the Android side if you want to build your app for both platforms.

Other than that I have no idea about expo. I hope these libraries work for you as well.

milkersarac
  • 3,399
  • 3
  • 31
  • 31
  • 2
    I downvoted purely because this solution is insecure. Keeping API keys client side is simply something that you should not do ever under any circumstances, no matter how encrypted. The correct solution is to simply have an authenticated web service that handles requests on the behalf of clients. – Luke Joshua Park Jun 20 '17 at 11:46
  • 2
    I agree with you. In our app we did not store any API keys or in any app no auth tokens should be stored. I just briefly state what components you could use in order to add cryptography/security to your app. – milkersarac Jun 20 '17 at 11:54
  • 4
    So I can understand, where does it say he is keeping client-side API keys? The reference to rsa pub/priv keys is the only ref to keys and that’s different from an API key. – volvox Mar 22 '18 at 06:07