Is AsyncStorage secure?
I'd like to persist a user's account credentials (i.e. username and password) in my React Native app. Should I use AsyncStorage?

In other words, I want to know if and how AsyncStorage protects its contents. The docs are silent on that.

(I'm using RN v0.28)

Denton answered 15/7, 2016 at 13:17 Comment(1)
To store sensitive information you can take a look at this https://mcmap.net/q/243729/-what-is-the-best-way-to-store-private-data-in-react-native – Emilemile
8

Is AsyncStorage secure?

No, AsyncStorage is not secure; the docs say:

AsyncStorage is a simple, unencrypted, asynchronous, persistent, key-value storage system that is global to the app. It should be used instead of LocalStorage.

To store secure information on the native side, I really recommend you to use react-native-keychain with react-native

For iOS it uses Keychain Sharing Capabilities

For Android it uses:

  • API level 16-22 use Facebook Conceal
  • API level 23+ use Android Keystore

This is a simple example:

import * as Keychain from 'react-native-keychain';

// Placeholder credentials; in a real app these come from the login form
const username = 'alice';
const password = 'correct horse battery staple';

// Generic Password, service argument optional
Keychain
  .setGenericPassword(username, password)
  .then(function() {
    console.log('Credentials saved successfully!');
  })
  .catch(function(error) {
    console.log('Keychain could not save the credentials', error);
  });

// service argument optional; resolves to false when nothing is stored
Keychain
  .getGenericPassword()
  .then(function(credentials) {
    if (!credentials) {
      console.log('No credentials stored');
      return;
    }
    console.log('Credentials successfully loaded for user ' + credentials.username);
  }).catch(function(error) {
    console.log('Keychain couldn\'t be accessed! Maybe no value set?', error);
  });
Emilemile answered 9/8, 2017 at 8:34 Comment(1)
So what should we use instead, to store sensitive data in encrypted form? – Eduino
5

If you are using the Expo SDK, you can use SecureStore for sensitive information.

Diathermic answered 12/9, 2017 at 7:21 Comment(1)
But not for web... only iOS and Android. If anyone has suggestions for web it would be great to hear them. – Decollate
3

NO (at least on iOS, RN v0.28)

AsyncStorage saves key-value pairs as a plaintext JSON file in the Documents directory.

If you run it in the iOS Simulator, you can find its contents on ~/Library/Developer/CoreSimulator/Devices


Should have been obvious from the source code for RCTAsyncLocalStorage

Denton answered 15/7, 2016 at 14:4 Comment(4)
This seems to only be an issue for jailbroken iOS devices. https://mcmap.net/q/238714/-save-sensitive-data-in-react-native – Todo
That answer is absolutely incorrect. The above happens on non-jailbroken devices. – Denton
It is only an issue if the device is jailbroken or the attacker has access to the device and the device is not protected. Other applications cannot access that information without jailbreak. I updated the answer. – Grantinaid
I agree. Someone with access to the unlocked device could read the stored username and password; it could also be compromised if the phone is jailbroken. A username and password should not be stored in AsyncStorage. I think it would be acceptable to store a revokable token though. When I posted that I wasn't really thinking of the use case of the asker. – Todo
3

You should NEVER save the username and password in plain text in client applications. Please note, never save sensitive data in plain text. You should use a token to authenticate the user.

Regarding the security of the AsyncStorage read this answer. TL;DR the data is safe unless the attacker has access to the device or the device is rooted (Android) / jailbroken (iOS). The data is not encrypted. So, with root or physical access to the device (and the device is not protected) it is possible to access that data.

Grantinaid answered 2/11, 2016 at 11:10 Comment(2)
Is there a better way for doing things like persisting user login? Just use a token? Or is there another React Native function that should be used for this use case? Thanks. – Riches
AFAIK, the best solution is always going for a revocable token. – Grantinaid
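Putting the thread's advice together (Expo's SecureStore for the storage, and a revocable token rather than the username/password), here is an added example that is not from any of the answers above. It assumes expo-secure-store's setItemAsync/getItemAsync/deleteItemAsync API and takes the store as a parameter, so it also runs in plain Node with the in-memory stand-in defined below:

```javascript
// Added example: persist only a revocable, expiring session token, never the
// password. The store is injected: in an Expo app pass
// require('expo-secure-store') (setItemAsync/getItemAsync/deleteItemAsync
// assumed); in Node use createMemoryStore() below.

const TOKEN_KEY = 'session.token';       // SecureStore keys: [A-Za-z0-9._-] only
const KEY_PATTERN = /^[A-Za-z0-9._-]+$/;

function createSessionStore(secureStore, now = () => Date.now()) {
  if (!KEY_PATTERN.test(TOKEN_KEY)) throw new Error('invalid SecureStore key');

  return {
    // Save the server-issued token with its absolute expiry (ms since epoch).
    async saveToken(token, expiresAtMs) {
      if (typeof token !== 'string' || token.length === 0) {
        throw new Error('token must be a non-empty string');
      }
      if (!Number.isFinite(expiresAtMs)) throw new Error('expiry must be a number');
      await secureStore.setItemAsync(TOKEN_KEY, JSON.stringify({ token, expiresAtMs }));
    },

    // Return the token if present, well-formed and unexpired; otherwise purge
    // the stored record and return null so a stale session is never reused.
    async loadToken() {
      const raw = await secureStore.getItemAsync(TOKEN_KEY);
      if (raw === null) return null;
      let record = null;
      try { record = JSON.parse(raw); } catch (e) { record = null; }
      const valid = record && typeof record.token === 'string'
        && typeof record.expiresAtMs === 'number' && record.expiresAtMs > now();
      if (!valid) {
        await secureStore.deleteItemAsync(TOKEN_KEY);
        return null;
      }
      return record.token;
    },

    // Logout: drop the token locally (the server should revoke it as well).
    async clear() {
      await secureStore.deleteItemAsync(TOKEN_KEY);
    },
  };
}

// In-memory stand-in with the same async interface, for Node and tests.
function createMemoryStore() {
  const map = new Map();
  return {
    async setItemAsync(k, v) { map.set(k, v); },
    async getItemAsync(k) { return map.has(k) ? map.get(k) : null; },
    async deleteItemAsync(k) { map.delete(k); },
  };
}
```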