10
votes

I'm working on a mobile app with React Native and Expo, providing security solutions. The project owner wants to store sensitive authorization keys in the app, used to contact the REST server and access secured data. He demands that these keys be at least encrypted, and as hard to read from outside as possible.

I know about the topics:

Save sensitive data in React Native

Is React Native's Async Storage secure?

and about KeyChain, but they don't cover encryption and Expo issues.

So what is the best and common solution for making this data as safe as possible in a React Native Expo app?

2
You are approaching the problem entirely wrong. Encrypting the keys client side makes no sense if you need to use them client side because to use them you need the decryption key... So if you have the decryption key AND ciphertext on the client then you might as well have the plaintext. - Luke Joshua Park
You can have the decryption key on the server, and the client could send the encrypted data to the server, which could easily decrypt it. In this process you do not need to store the decryption key on the client side, for the obvious reasons you mentioned. - milkersarac
If you want to store sensitive data, you can look: stackoverflow.com/a/45550361/7618742 - Julien Kode
@LukePark: once again: 'hard to read from outside as much as possible' - not impossible - Outside_Box
You misunderstand what I meant. You're solving the problem in the wrong way. Introduce an intermediary service that you can use to authenticate users and then simply have the API keys on that server. You should never store API keys client side, encrypted or otherwise. - Luke Joshua Park

2 Answers

9
votes

Expo now has SecureStore, which stores encrypted data.

Details: https://docs.expo.io/versions/latest/sdk/securestore

5
votes

I was recently involved in a React Native project with security concerns like yours. Security is not an easy issue and I am not an expert, but this is what we did.

We used react-native-aes-encryption for encryption and hashing, and react-native-rsa for generating public/private key pairs. In order to use these libraries properly, you need to know basic cryptography concepts.

We used react-native-keychain to read/write data from the keychain. Keychain is the way to go if you want to store some small sensitive data. It has been used in all Apple OSes in order to keep your passwords safe. That said, this component is not working as seamlessly as expected on the Android side if you want to build your app for both platforms.

Other than that I have no idea about Expo. I hope these libraries work for you as well.