react-native-encrypted-storage
React Native wrapper around SharedPreferences and Keychain to provide a secure alternative to Async Storage.
Async Storage is great but it lacks security. This is less than ideal when storing sensitive data such as access tokens, payment information and so on. This module aims to solve this problem by providing a wrapper around Android's EncryptedSharedPreferences and iOS' Keychain, complete with support for TypeScript.
yarn
$ yarn add react-native-encrypted-storage
npm
$ npm install react-native-encrypted-storage
Since version 0.60, React Native supports auto linking. This means no additional step is needed on your end. On older versions, link the module manually:
$ react-native link react-native-encrypted-storage
Special note for iOS using cocoapods, run:
$ npx pod-install
This module exposes four (4) native functions to store, retrieve, remove and clear values. They can be used like so:
import EncryptedStorage from 'react-native-encrypted-storage';

async function storeUserSession() {
  try {
    await EncryptedStorage.setItem(
      "user_session",
      JSON.stringify({
        age : 21,
        token : "ACCESS_TOKEN",
        username : "emeraldsanto",
        languages : ["fr", "en", "de"]
      })
    );

    // Congrats! You've just stored your first value!
  } catch (error) {
    // There was an error on the native side
  }
}

async function retrieveUserSession() {
  try {
    const session = await EncryptedStorage.getItem("user_session");

    // A missing key may come back as null or undefined; `!= null` covers both
    if (session != null) {
      // Congrats! You've just retrieved your first value!
    }
  } catch (error) {
    // There was an error on the native side
  }
}

async function removeUserSession() {
  try {
    await EncryptedStorage.removeItem("user_session");
    // Congrats! You've just removed your first value!
  } catch (error) {
    // There was an error on the native side
  }
}

async function clearStorage() {
  try {
    await EncryptedStorage.clear();
    // Congrats! You've just cleared the device storage!
  } catch (error) {
    // There was an error on the native side
  }
}
Take the removeItem example: an error can occur when trying to remove a value which does not exist, or for any other reason. This module forwards the native iOS Security framework error codes to help with debugging.
async function removeUserSession() {
  try {
    await EncryptedStorage.removeItem("user_session");
  } catch (error) {
    // There was an error on the native side
    // You can find out more about this error by using the `error.code` property
    console.log(error.code); // ex: -25300 (errSecItemNotFound)
  }
}
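As an added example (not part of the module's README), the helper below uses the forwarded code to make a logout-time removal idempotent: errSecItemNotFound means nothing was stored, while any other code is rethrown so a failed wipe is never reported as success. The names classifyStorageError, removeSecret and makeFakeStorage are hypothetical, the fake storage object is constructed so the code runs under plain Node, and accepting error.code as either a number or a numeric string is an assumption.

```javascript
// Added example, not from the module's README. `storage` is any object with the
// same async removeItem(key) as EncryptedStorage.

// OSStatus values from Apple's Security framework headers (SecBase.h).
const OSSTATUS_NAMES = {
  [-25300]: "errSecItemNotFound",
  [-25308]: "errSecInteractionNotAllowed", // e.g. item unavailable while locked
  [-25293]: "errSecAuthFailed",
};

// Assumption: error.code may arrive as a number or as a numeric string.
function classifyStorageError(error) {
  const raw = error ? error.code : undefined;
  const code = typeof raw === "number" ? raw : parseInt(raw, 10);
  if (!Number.isInteger(code)) return { code: null, name: "unknown" };
  return { code, name: OSSTATUS_NAMES[code] || "unmapped" };
}

// Logout helper: resolves true if the value was removed, false if nothing was
// stored, and rethrows anything else with the symbolic name attached.
async function removeSecret(storage, key) {
  try {
    await storage.removeItem(key);
    return true;
  } catch (error) {
    const { name } = classifyStorageError(error);
    if (name === "errSecItemNotFound") return false;
    error.osStatusName = name;
    throw error;
  }
}

// Constructed stand-in for the native module (hypothetical, for the demo only).
function makeFakeStorage(initial, failWith) {
  const items = new Map(Object.entries(initial));
  const fail = (code) => Object.assign(new Error("native error"), { code });
  return {
    async removeItem(key) {
      if (failWith !== undefined) throw fail(failWith);
      if (!items.delete(key)) throw fail("-25300");
    },
  };
}
```

In an app, pass the real EncryptedStorage object as `storage` and surface a rethrown error to the user instead of completing the logout silently.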
Keychain persistence
You'll notice that the iOS Keychain is not cleared when your app is uninstalled; this is the expected behaviour. However, if you do want to achieve a different behaviour, you can use the below snippet to clear the Keychain on the first launch of your app.
// AppDelegate.m

/**
 Deletes all Keychain items accessible by this app if this is the first time the user launches the app
 */
static void ClearKeychainIfNecessary() {
    // Checks whether or not this is the first time the app is run
    if ([[NSUserDefaults standardUserDefaults] boolForKey:@"HAS_RUN_BEFORE"] == NO) {
        // Set the appropriate value so we don't clear next time the app is launched
        [[NSUserDefaults standardUserDefaults] setBool:YES forKey:@"HAS_RUN_BEFORE"];

        NSArray *secItemClasses = @[
            (__bridge id)kSecClassGenericPassword,
            (__bridge id)kSecClassInternetPassword,
            (__bridge id)kSecClassCertificate,
            (__bridge id)kSecClassKey,
            (__bridge id)kSecClassIdentity
        ];

        // Maps through all Keychain classes and deletes all items that match
        for (id secItemClass in secItemClasses) {
            NSDictionary *spec = @{(__bridge id)kSecClass: secItemClass};
            SecItemDelete((__bridge CFDictionaryRef)spec);
        }
    }
}

@implementation AppDelegate

- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions
{
    // Add this line to call the above function
    ClearKeychainIfNecessary();

    RCTBridge *bridge = [[RCTBridge alloc] initWithDelegate:self launchOptions:launchOptions];
    RCTRootView *rootView = [[RCTRootView alloc] initWithBridge:bridge moduleName:@"APP_NAME" initialProperties:nil];

    rootView.backgroundColor = [UIColor colorWithRed:1.0f green:1.0f blue:1.0f alpha:1];

    self.window = [[UIWindow alloc] initWithFrame:[UIScreen mainScreen].bounds];
    UIViewController *rootViewController = [UIViewController new];
    rootViewController.view = rootView;
    self.window.rootViewController = rootViewController;
    [self.window makeKeyAndVisible];

    return YES;
}

// ...

@end
There seems to be some confusion around the maximum size of items that can be stored, especially on iOS. According to this StackOverflow question, the actual Keychain limit is much lower than what it should theoretically be. This does not affect Android as the EncryptedSharedPreferences API relies on the phone's storage, via XML files.
MIT
FAQs
The npm package react-native-encrypted-storage receives a total of 23,217 weekly downloads. As such, react-native-encrypted-storage popularity was classified as popular.
We found that react-native-encrypted-storage demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.