Encrypting sensitive data in React Native and Expo - encryption

I'm working on a mobile app with React Native and Expo, providing security solutions. The project owner wants to store sensitive authorization keys in the app, used to communicate with a REST server and access secure data. He demands that these keys are at least encrypted, and as hard to read from the outside as possible.
I know about these topics:
Save sensitive data in React Native
Is React Native's Async Storage secure?
and about KeyChain, but they don't cover encryption or Expo issues.
So what is the best and most common solution for making this data as safe as possible in a React Native Expo app?

Expo now has SecureStore, which stores encrypted data.
Details: https://docs.expo.io/versions/latest/sdk/securestore

I have recently been involved in a React Native project with security concerns like yours. Security is not an easy issue and I am not an expert, but this is what we did.
We used react-native-aes-encryption for encryption and hashing, and react-native-rsa for generating public/private key pairs. In order to use these libraries properly, you had better know basic cryptography concepts.
We used react-native-keychain to read/write data from the keychain. The Keychain is the way to go if you want to store some small sensitive data. It has been used in all Apple OSes to keep your passwords safe. That said, this component does not work as seamlessly as expected on the Android side if you want to build your app for both platforms.
Other than that, I have no idea about Expo. I hope these libraries work for you as well.

Related

How to publish legacy android app with "unsafe encryption" error?

We use AES encryption with static key and static vector.
Encryption and decryption of data made on Windows, MacOS and Android.
We know it is not secure to store the key in the app and we do not care about security; we just need to be able to support the legacy data format. We need encryption not for security but for backward compatibility. We know we do not provide any data security and our customers know it too. Is there any way to force the Play Store to ignore the error and publish our app without moving the encryption and decryption functions to the NDK?

Is a direct connection between a react native app and firebase realtime database good practice?

I am building a small mobile app with react native.
My initial thought was that it is safer to communicate with the database over a running Node.js backend server, in order to avoid security risks due to a direct connection between the mobile app and the DB.
Now I want the clients to receive realtime updates from the DB, and the only way that I can think of is to connect the mobile app to the Firebase Realtime Database and subscribe to changes without having any backend server in between.
Is this a good way to go or are there alternatives?
Whether something is a good way is typically opinionated. But it is definitely possible to build a secure app that directly accesses the database, because you can control access to the data with server-side security rules.
For more on this, I recommend checking out my answer to Is it safe to expose Firebase apiKey to the public?
It might also be useful to check this video where we live-code a secure voting app.

Can we call firebase as a server?

I am using Firebase for storing data from an Android application. I want an architecture diagram for that application, so can I call Firebase a server? I am trying to use a client-server architecture, so for the server I write Firebase as the server. Is this correct?
Depending on how you use Firebase Realtime Database in your app, I'd indeed either visualize it as a server or as a database.
I find the latter especially useful if you still want to explain the nature of the app talking directly to a cloud-hosted database. Visualizing it as a server makes it easier to brush over that, so is a good option in cases where that is needed.

Using Realm in React Native app with Redux

I am about to undertake the development of a React Native app and am thoroughly convinced of the benefits of managing the app's state using Redux, however I'd like to make the app's data available whilst offline by using Realm for persistent storage. What I'm wondering is how Redux will play with Realm?
The app I'm developing will pull a large amount of JSON data via a RESTful API and then I'd like to persist this data to local storage - Realm seems to be an excellent option for this. What I'm unsure of however is how the Realm database will exist within the Redux store? Will it have to exist external to the store? Is using Realm within a Redux based app somehow a contradiction?
I've had a good search for articles describing the use of Realm, or other storage options (Asyncstorage or SQLite) for large datasets with Redux and could find little information.
The Redux store is good when you have only React components dealing with the data. The store is a good way to maintain your application's state. For example, you do not need Realm to store the current login status or flags indicating whether the user has skipped login. The Redux store wins the game here.
On the other hand, Realm is best when you have to deal with complex queries or a large amount of data to be stored. The advantage of having Realm is that the data can be accessed easily within your React components as well as non-React components/classes. Realm gives you the advantage of monitoring your data with the Realm Browser and building relationships between your models. Realm also wins the race if you have to do any offline sync.
Will it have to exist external to the store - Yes.
Is using Realm within a Redux based app somehow a contradiction - It depends upon what you are using the storage for.

Firebase encryption at rest

I really enjoy using Firebase, and I would like to use it in a new app, but the app would have the user upload sensitive information.
I know Firebase uses HTTPS, but looking around, it seems Firebase does not yet make encryption at rest available.
Is there a way around this to use Firebase and still make an administrator unable to read the data from the Firebase Forge, for instance?
Thank you.
If you encrypt all data that you store in Firebase with a key that is only known to the client, it will not be readable by anyone but that client.
Update (20160528): As of a few months ago all data for the Firebase Database is also encrypted at rest.
