Securing Confidential Information in React Native

While concatenating the entire string is necessary for sending it to the server, it should be done within a short window of time. This is because the string will be cleared by the garbage collector once the reference to it (held in the variable) is out of scope and inaccessible.
To manage memory on MDN, consider Solution 2, which involves changing the text type of TextInput to password for passwords. It is also advisable to avoid storing the username and password in async-storage. Instead, store all data that needs to be saved and fetch it from the database when the user connects to the network to sync with the online database.

Solution 1:

Upon examining the React Native code, I discovered the solution.


The implementation of the

React Native



modules relies on


. All the data classes are managed in a package located at

The instructions for creating the database can be found in the following class on GitHub:

According to the Android documentation, the application’s databases are stored in a secure private disk space that is linked to the application.

Android keeps your database in a private disk space that is linked to your application, just like the files you save in your device’s internal storage. This area is not accessible to other applications by default, ensuring that your data remains secure.



The serialized dictionary files containing


values are stored within the designated


folder of iOS applications. Due to the sandboxing feature, each application’s files are protected and inaccessible by other applications.

The source code for the


functionality on iOS can be accessed at this URL:

The values saved by


are stored in files that are located under


within the application’s sandbox environment.

On iOS, apps have limited interaction with the file system and are confined to directories within their sandbox. Upon installation, an app is allotted various containers, each with a designated purpose. The bundle container contains the app’s bundle, while the data container holds both app and user data. The data container is divided into several directories that an app can utilize to manage its data. At runtime, an app can also request access to other containers, such as the iCloud container.





to store user tokens is secure, as they are saved in a protected environment.

It should be noted that the aforementioned conditions apply solely to Android devices that have not been rooted and to iOS devices that have not undergone jailbreaking. Additionally, in the event that an attacker has physical access to an unprotected device, they can connect it to a Mac laptop and extract the contents of the documents directory, gaining access to all saved data within.

Solution 2:



function stores key-value pairs in a JSON file in the Documents directory without encrypting its contents.

On iOS, there is a potential security vulnerability where a person with device access can easily obtain and extract any saved data through the use of


. This issue is related to the contents of the sandbox.

Previously, the documentation for AsyncStorage.js did not clearly mention this, but now it has been addressed and updated. The details regarding the update can be found at

Additionally, refer to this Stack Overflow post with the URL:

Solution 3:

In case somebody desires to have their data encrypted, they can check out this resource at

It internally utilizes Facebook Conceal.
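
Solution 2 notes that stored values are written unencrypted, and Solution 3 points to an encrypting layer. The following is an added example, not part of the original answers and not the code of the library mentioned there, showing one way to encrypt values before they reach an AsyncStorage-style store. Assumptions: it runs under Node.js with the built-in crypto module, `MemoryStore` is a constructed stand-in for the real store, and `seal`, `unseal`, `EncryptedStore` and `demo` are hypothetical names.

```javascript
const nodeCrypto = require('node:crypto');
// Constructed stand-in with the promise-based setItem/getItem shape of
// AsyncStorage; it keeps whatever string it is handed, in the clear.
class MemoryStore {
  constructor() { this.items = new Map(); }
  async setItem(name, value) { this.items.set(name, String(value)); }
  async getItem(name) { return this.items.has(name) ? this.items.get(name) : null; }
}

// AES-256-GCM with a fresh 12-byte nonce per write. The item name is bound
// as associated data, so a blob copied under another name fails to open.
function seal(key, name, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(name, 'utf8'));
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

// Throws if the blob, the name or the key does not match what was sealed.
function unseal(key, name, blob) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 28) throw new Error('stored blob is too short');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(name, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Hypothetical wrapper: callers see plaintext, the backing store sees ciphertext.
class EncryptedStore {
  constructor(store, key) {
    if (!Buffer.isBuffer(key) || key.length !== 32) throw new Error('need a 32-byte key');
    this.store = store;
    this.key = key;
  }
  async setItem(name, value) { await this.store.setItem(name, seal(this.key, name, value)); }
  async getItem(name) {
    const blob = await this.store.getItem(name);
    return blob === null ? null : unseal(this.key, name, blob);
  }
}
// Assumption: a random key stands in for one held in the platform keychain/keystore.
async function demo() {
  const backing = new MemoryStore();
  const secure = new EncryptedStore(backing, nodeCrypto.randomBytes(32));
  await secure.setItem('userToken', 'constructed-sample-token');
  return { stored: backing.items.get('userToken'), read: await secure.getItem('userToken') };
}
```

The encryption only helps if the key lives somewhere the extracted files do not, which is why the key source is left as an assumption here.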
