Securing React Native Application

KPITENG

Key Points -

  • Screenshot Prevention
  • Rooted / Jailbroken Device Detection
  • SSL Pinning
  • Storage of Sensitive Data — API EndPoint / FB / Google / Firebase Keys
  • Local Storage
  • Deep Linking
  • Android Specific Security
  • iOS Specific Security
  • Authentication Methods
  • Data Encryption

1. Screenshot Prevention

iOS Integration -

2. Rooted / Jailbroken Device Detection

iOS Integration -

  • Check if Cydia is installed
  • Check if the app can edit system files
  • Check if the system contains suspicious files
  • Check if other suspicious apps (FakeCarrier, Icy, etc.) are installed
  • Check if Cydia is installed with alternative names (using URIScheme)
  • checkRootManagementApps
  • checkPotentiallyDangerousApps
  • checkRootCloakingApps
  • checkTestKeys
  • checkForDangerousProps
  • checkForBusyBoxBinary
  • checkForSuBinary
  • checkSuExists
  • checkForRWSystem
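The check list above is only names; the iOS bullets describe filesystem and URL-scheme probes, and the remaining bullets match the method names of the Android RootBeer library. The following is an added example, not code from the original post or from jail-monkey/RootBeer: each named check is implemented against injected "probes" so the decision logic can run off-device (on a device the probes would be backed by a native module). The indicator lists are well-known examples and deliberately short; the probe set at the bottom is constructed for the example.

```javascript
// Added example: layered root / jailbreak detection with injected probes.
// Indicator lists are illustrative, not exhaustive.
const ANDROID_SU_PATHS = ['/system/bin/su', '/system/xbin/su', '/sbin/su', '/su/bin/su'];
const ANDROID_BUSYBOX_PATHS = ['/system/bin/busybox', '/system/xbin/busybox'];
const ANDROID_ROOT_APPS = ['eu.chainfire.supersu', 'com.topjohnwu.magisk', 'com.noshufou.android.su'];
const IOS_SUSPICIOUS_PATHS = ['/bin/bash', '/usr/sbin/sshd', '/etc/apt', '/private/var/lib/apt/'];
const IOS_SUSPICIOUS_APPS = ['/Applications/FakeCarrier.app', '/Applications/Icy.app'];

// Each check receives the probes and returns a short finding or null.
const ANDROID_CHECKS = {
  checkForSuBinary: (p) => ANDROID_SU_PATHS.some((f) => p.fileExists(f)) ? 'su binary on disk' : null,
  checkSuExists: (p) => p.commandExists('su') ? 'su resolvable on PATH' : null,
  checkForBusyBoxBinary: (p) => ANDROID_BUSYBOX_PATHS.some((f) => p.fileExists(f)) ? 'busybox on disk' : null,
  checkRootManagementApps: (p) => ANDROID_ROOT_APPS.some((pkg) => p.packageInstalled(pkg)) ? 'root management app installed' : null,
  checkTestKeys: (p) => /test-keys/.test(p.getProp('ro.build.tags') || '') ? 'build signed with test-keys' : null,
  checkForDangerousProps: (p) => (p.getProp('ro.debuggable') === '1' || p.getProp('ro.secure') === '0') ? 'insecure system property' : null,
  checkForRWSystem: (p) => p.mountWritable('/system') ? '/system mounted read-write' : null,
};

const IOS_CHECKS = {
  checkCydiaInstalled: (p) => p.fileExists('/Applications/Cydia.app') ? 'Cydia installed' : null,
  checkCanEditSystemFiles: (p) => p.canWrite('/private/jailbreak-probe.txt') ? 'writable path outside the sandbox' : null,
  checkSuspiciousFiles: (p) => IOS_SUSPICIOUS_PATHS.some((f) => p.fileExists(f)) ? 'jailbreak tooling on disk' : null,
  checkSuspiciousApps: (p) => IOS_SUSPICIOUS_APPS.some((f) => p.fileExists(f)) ? 'suspicious app installed' : null,
  checkCydiaUriScheme: (p) => p.canOpenUrl('cydia://package/com.example') ? 'cydia:// scheme is handled' : null,
};

// Runs every check for the platform and aggregates findings. A probe that
// throws is a failure to observe, not evidence either way, so it is skipped.
function assessDevice(platform, probes) {
  const checks = platform === 'ios' ? IOS_CHECKS : ANDROID_CHECKS;
  const findings = [];
  for (const [name, check] of Object.entries(checks)) {
    let detail = null;
    try { detail = check(probes); } catch (_) { detail = null; }
    if (detail) findings.push({ check: name, detail });
  }
  return { platform, compromised: findings.length > 0, findings };
}

// Constructed probe set so the checks can run off-device. On a device each
// function would call into a native module.
function makeProbes({ files = [], packages = [], props = {}, writable = [], commands = [], schemes = [] } = {}) {
  const has = (list) => (x) => list.includes(x);
  return {
    fileExists: has(files),
    packageInstalled: has(packages),
    commandExists: has(commands),
    getProp: (k) => props[k],
    mountWritable: has(writable),
    canWrite: has(writable),
    canOpenUrl: (u) => schemes.some((s) => u.startsWith(s)),
  };
}

// Stand-alone run with constructed probe data.
console.log(assessDevice('android', makeProbes({ files: ['/system/xbin/su'], props: { 'ro.build.tags': 'test-keys' } })));
console.log(assessDevice('ios', makeProbes({ schemes: ['cydia://'] })));
```

Aggregating several independent signals matters more than any single check: root-cloaking tools hide individual indicators, so the app should react to the overall verdict and keep the decision (what to block, what to log to the backend) out of the check functions themselves.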

3. SSL Pinning

SSL pinning can be done in three different ways:

  • Public Key Pinning
  • Certificate Pinning
  • Subject Public Key Info (SPKI) Pinning

Certificate Pinning With react-native-ssl-pinning -

iOS — drag .cer to Xcode project, mark your target and “Copy items if needed”

Public Key Pinning With react-native-ssl-pinning -

iOS — drag the .cer into the Xcode project, tick your target and “Copy items if needed”. No extra steps are needed for public key pinning: AFNetworking extracts the public key directly from the certificate.

Certificate Pinning With react-native-pinch -

4. Storage of Sensitive Data — API EndPoint / FB / Google / Firebase Keys

Never store your API endpoint, access keys, or Firebase/Google/Facebook social keys directly in code. Your bundle can be decoded into plaintext and all of that information extracted.

5. Local Storage

Developers often need to store data locally, and sometimes they use AsyncStorage to store an access key, access token or user token. But AsyncStorage is unencrypted storage, so that information can be extracted from it.

6. Deep Linking

Deep linking is a way to open an application from other sources. A deep link carries textual data along with the link, for example yourappname://

Security issues while dealing with deep linking -

There is no centralised method of registering URL schemes. As a developer, you can use any URL scheme you choose by configuring it in Xcode for iOS or adding an intent filter on Android.

Security solutions to overcome deep linking security issue -

Apple introduced Universal Links in iOS 9 as a solution to the lack of graceful fallback functionality in custom URI scheme deep links. Universal Links are standard web links that point to both a web page and a piece of content inside an app.

7. Android Specific Security

Let’s see how to protect our APK or app bundle from reverse engineering attacks.

8. iOS Specific Security

Let’s see how we can restrict the use of insecure domains in iOS. It will save us from transport layer attacks. You can restrict insecure domains by configuring some properties within your Info.plist file.

9. Authentication Methods

Nowadays OAuth has become the popular choice for authentication when one application interacts with another. Consider a case where your application communicates with an API to send and retrieve data from the server. How does the server know the incoming request is authenticated? OAuth 2.0 makes the authentication process simple: instead of sharing passwords, OAuth allows authentication using a token. A common approach is to use a JWT token for API authentication.

10. Data Encryption

CryptoJS is a popular JavaScript library implementing standard cryptographic algorithms. The recommended approach is to encrypt data with CryptoJS before storing it or sending it to the server, so that it is not directly readable.

What Next?
