Comments (17)
Pull request created: #67
from react-native-keychain.
So I wonder why this library doesn't use the Android Keystore system to make the Android store safer.
There must be a good reason considering the nice quality of @oblador libraries.
@i8wu @pesehr SharedPreferences aren't 100% secure: they are stored in a file, and if you root the phone and manage to mount its file system you could read the preferences. For that reason, Conceal is used. Conceal itself handles the encryption and decryption of what is stored. Edit: on rooted devices, the data won't be 100% secret even with Conceal, since the key is present locally.
This is now released as stable in 2.0.0, thus closing this issue.
@i8wu SharedPreferences is secure for saving your data but not recommended for saving key pairs.
The Android Keystore system is better: in this system private keys are saved and encrypted, and apps can't access them directly. It's an essential point for some apps, like purchase apps.
Do you mean to ask how secure the things being stored with this module are? I'm also a bit curious so I looked at the code a bit...
For iOS, it seems to be using the native keychain to store the password.
For Android, it's using Facebook's Conceal along with Android's SharedPreferences.
I can't totally vouch for the security of this module... but it seems to be acceptable.
@i8wu
SharedPreferences is not secure.
I think this is more secure: https://github.com/pesehr/react-native-secure-KeyStore
@pesehr Why isn't SharedPreferences secure? An app's SharedPreferences is usually only accessible by the app itself.
But this module does encrypt the data using https://github.com/facebook/conceal. In what way is Keystore better than SharedPreferences?
Other apps also can't access another app's SharedPreferences unless specified: http://stackoverflow.com/a/6030399/6707153
Does it enforce the `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` attribute on iOS?
That attribute enforces:
- Your device must be unlocked for the secret to be accessible.
- Your device must have a device passcode set. If you turn off your device passcode, the secret is deleted.
- The secret cannot be restored to a different device.
- The secret is not included in iCloud backups.
Edit: okay, after reviewing the code again it looks like this can be set. Maybe it should be included in the readme.
I am also quite concerned with the security of the Android implementation. The SharedPrefsBackedKeyChain used for encrypting the content stores the 256-bit encryption key in the SharedPreferences on the device. This means that the encryption key and the encrypted content are stored in the same place, which effectively makes the encryption pointless.
@pcoltau that is a fair point... but is there a safe way of storing secrets on rooted devices?
@vonovak Well, a rooted device is a worst-case scenario, which I don't think you can do much about. However, there have been many exploits that did not require a rooted device and that would give an attacker access to parts of an app's data.
Using the KeyStore will, on newer devices, ensure that all encryption keys are stored on the hardware, which greatly enhances the protection: https://source.android.com/security/keystore/
I am currently working on a KeyStore implementation of the Android implementation of react-native-keychain - I'll make a pull request when it is ready.
Released an RC with this functionality, would be grateful for anybody testing it thoroughly before we can release as stable. Test it with yarn add [email protected]
I'm wondering if this 2.0.0-rc has been tested (thoroughly) by anyone in the past two months? I'm investigating the options to use it for securing private key storage on Android devices with API levels < 23.
I've been using 2.0.0-rc for the past two months on prod with API level 23, and it hasn't had any problems so far. Then again, I only use the `setGenericPassword` and `getGenericPassword` methods, so probably not the "thorough testing" you might be looking for.