Securing Confidential Information in React Native

Concatenating the entire string is unavoidable when sending it to the server, but it should be done within a short window of time: the garbage collector only reclaims the string once the variable holding its reference goes out of scope and the string becomes unreachable.
For memory management details, see MDN. For passwords, consider Solution 2, which involves changing the text type of the TextInput to password. It is also advisable not to store the username and password in AsyncStorage. Instead, store only the data that needs to be saved and fetch it from the database when the user connects to the network to sync with the online database.


Solution 1:

Upon examining the React Native code, I discovered the solution.


Android

The implementation of the React Native AsyncStorage module relies on SQLiteOpenHelper. All the data classes are managed in a package located at https://github.com/facebook/react-native/tree/master/ReactAndroid/src/main/java/com/facebook/react/modules/storage.

The instructions for creating the database can be found in the following class on GitHub: https://github.com/facebook/react-native/blob/master/ReactAndroid/src/main/java/com/facebook/react/modules/storage/ReactDatabaseSupplier.java

According to the Android documentation, the application’s databases are stored in a secure private disk space that is linked to the application.

Android keeps your database in a private disk space that is linked to your application, just like the files you save in your device’s internal storage. This area is not accessible to other applications by default, ensuring that your data remains secure.

Source


iOS

The serialized dictionary files containing AsyncStorage values are stored within the designated NSDocumentDirectory folder of iOS applications. Due to the sandboxing feature, each application's files are protected and inaccessible by other applications.

The source code for the AsyncStorage functionality on iOS can be accessed at this URL: https://github.com/facebook/react-native/blob/master/React/Modules/RCTAsyncLocalStorage.m

The values saved by AsyncStorage are stored in files that are located under NSDocumentDirectory within the application's sandbox environment.

On iOS, apps have limited interaction with the file system and are confined to directories within their sandbox. Upon installation, an app is allotted various containers, each with a designated purpose. The bundle container contains the app’s bundle, while the data container holds both app and user data. The data container is divided into several directories that an app can utilize to manage its data. At runtime, an app can also request access to other containers, such as the iCloud container.

Source


Conclusion

Using AsyncStorage to store user tokens is secure, as they are saved in a protected environment.

It should be noted that the aforementioned conditions apply solely to Android devices that have not been rooted and to iOS devices that have not undergone jailbreaking. Additionally, in the event that an attacker has physical access to an unprotected device, they can connect it to a Mac laptop and extract the contents of the documents directory, gaining access to all saved data within.


Solution 2:


The AsyncStorage function stores key-value pairs in a JSON file in the Documents directory without encrypting its contents.

On iOS, there is a potential security vulnerability where a person with device access can easily obtain and extract any data saved through the use of AsyncStorage. This issue is related to the contents of the sandbox.

Previously, the documentation for AsyncStorage.js did not clearly mention this, but now it has been addressed and updated. The details regarding the update can be found at https://github.com/facebook/react-native/pull/8809.

Additionally, refer to this Stack Overflow post with the URL: https://stackoverflow.com/a/38398114/1072846.


Solution 3:


In case somebody desires to have their data encrypted, they can check out this resource at https://github.com/oblador/react-native-keychain.

It internally uses Facebook's Conceal.
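Added example (not from any of the answers above and not code from the react-native-keychain project): a small token store that follows Solution 3 and the conclusion by keeping the session token in react-native-keychain instead of AsyncStorage. The keychain object is injected, and the in-memory fake below stands in for the real module so the file runs outside a device; the service name and the sample values are constructed.

```javascript
// Token store backed by react-native-keychain (real API surface used here:
// setGenericPassword(username, password, options), getGenericPassword(options),
// which resolves to false when nothing is stored, and resetGenericPassword(options)).
// The keychain object is injected so an in-memory fake can stand in off-device.

const SERVICE = 'session-token'; // constructed service name (assumption)

function createTokenStore(keychain, service = SERVICE) {
  return {
    // Persist the token; only the OS-backed keychain ever writes it to disk,
    // unlike AsyncStorage, which would serialize it into a plaintext JSON file.
    async save(userId, token) {
      if (typeof token !== 'string' || token.length === 0) {
        throw new Error('refusing to store an empty token');
      }
      await keychain.setGenericPassword(userId, token, { service });
    },
    // Resolve to { userId, token }, or null when no credentials are stored
    // (the real module resolves to false on a miss, not to undefined).
    async load() {
      const creds = await keychain.getGenericPassword({ service });
      if (!creds) return null;
      return { userId: creds.username, token: creds.password };
    },
    // Call on logout so a stale token never outlives the session.
    async clear() {
      return keychain.resetGenericPassword({ service });
    },
  };
}

// In-memory stand-in with the same method names as react-native-keychain.
// It only lets the store run in a plain Node process; it is not secure storage.
function createInMemoryKeychain() {
  const entries = new Map();
  return {
    async setGenericPassword(username, password, { service } = {}) {
      entries.set(service, { username, password, service });
      return { service, storage: 'memory' };
    },
    async getGenericPassword({ service } = {}) {
      return entries.get(service) || false;
    },
    async resetGenericPassword({ service } = {}) {
      return entries.delete(service);
    },
  };
}
```

In the app itself, pass the imported react-native-keychain module as the `keychain` argument instead of the fake.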
