12

I'm working on a mobile app with React Native and Expo, providing security solutions. The project owner wants to store sensitive authorization keys in the app, used to communicate with a REST server and access secure data. He demands that these keys are at least encrypted, and as hard to read from the outside as possible.

I know about these topics:

Save sensitive data in React Native

Is React Native's Async Storage secure?

and about KeyChain, but they don't cover encryption and Expo issues.

So what is the best and most common solution for making this data as safe as possible in React Native Expo app?

5
  • 2
    You are approaching the problem entirely wrong. Encrypting the keys client side makes no sense if you need to use them client side because to use them you need the decryption key... So if you have the decryption key AND ciphertext on the client then you might as well have the plaintext. Commented Jun 20, 2017 at 11:48
  • You can have the decryption key on the server and client could send the encrypted data to server and server could easily decrypt it. And in this process you do not need to store the decryption key on the client side due to obvious reasons you mentioned. Commented Jun 20, 2017 at 12:00
  • If you want to store sensitive data, you can look: stackoverflow.com/a/45550361/7618742 Commented Aug 9, 2017 at 8:35
  • 1
    @LukePark : once again: 'hard to read from outside as much as possible' - not impossible Commented Aug 10, 2017 at 9:21
  • You misunderstand what I meant. You're solving the problem in the wrong way. Introduce an intermediary service that you can use to authenticate users and then simply have the API keys on that server. You should never store API keys client side, encrypted or otherwise. Commented Aug 10, 2017 at 9:27

2 Answers

11

Expo now has SecureStore, which stores encrypted data.

Details: https://docs.expo.io/versions/latest/sdk/securestore


1 Comment

SecureStore has a limitation of 2 kilobytes. This is by far not enough to store our sensitive data, it might even be more than 100 MB, so what's the solution in such a case?

7

I have recently been involved in a React Native project with security concerns like yours. Security is not an easy issue and I am not an expert, but this is what we did.

We used react-native-aes-encryption for encryption and hashing, and react-native-rsa for generating public/private key pairs. In order to use these libraries properly, you need to know basic cryptography concepts.

We used react-native-keychain to read/write data from the keychain. Keychain is the way to go if you want to store some small sensitive data. It has been used in all Apple OSes in order to keep your passwords safe. That said, this component is not working as seamlessly as expected on the Android side if you want to build your app for both platforms.

Other than that I have no idea about Expo. I hope these libraries work for you as well.

3 Comments

I downvoted purely because this solution is insecure. Keeping API keys client side is simply something that you should not do ever under any circumstances, no matter how encrypted. The correct solution is to simply have an authenticated web service that handles requests on the behalf of clients.
I agree with you. In our app we did not store any API keys, and no auth tokens should be stored in any app. I just briefly state what components you could use in order to add cryptography/security to your app.
So I can understand, where does it say he is keeping client-side API keys? The reference to rsa pub/priv keys is the only ref to keys and that’s different from an API key.
