
[SECURITY ISSUE] react-native-keys insecurely stores encryption cipher and Base64 chunks

Open efstathiosntonas opened this issue 5 months ago • 11 comments

more info here:

  • https://github.com/advisories/GHSA-fj44-h6xw-896g

efstathiosntonas avatar Jul 02 '25 20:07 efstathiosntonas

Any fix on this? @numandev1

dougg0k avatar Jul 07 '25 22:07 dougg0k

@numandev1 any update on this

ashishzopeCG avatar Jul 16 '25 04:07 ashishzopeCG

The only way to be certain that the fix works is if someone checks, obviously.

dougg0k avatar Jul 16 '25 12:07 dougg0k

@dougg0k I checked on my side with the changes mentioned in #105; it's fixing one of the issues. The other issue is reported as below.

Flaw 1: Hardcoded Secrets

The encryption cipher and Base64 chunks are stored as plaintext in the compiled native binary. Attackers can extract these secrets using basic static analysis tools such as strings or Hopper.

This still needs to be fixed to narrow the vulnerabilities down to 0.

ashishzopeCG avatar Jul 16 '25 12:07 ashishzopeCG

Right.

https://gist.github.com/ch3tanbug/44aedff79dd5d2d6beadbffcd01e0de5#flaw-1-hardcoded-secrets

https://gist.github.com/ch3tanbug/44aedff79dd5d2d6beadbffcd01e0de5#flaw-2-predictable-cipher-generation

dougg0k avatar Jul 16 '25 12:07 dougg0k

If someone wants to add keychain support to the native code, it could possibly solve the issue or at least partially.

https://developer.android.com/privacy-and-security/keystore

https://developer.apple.com/documentation/security/storing-keys-in-the-keychain

https://medium.com/@wickramarathna.amal/how-to-handle-sensitive-information-in-mobile-apps-using-keystore-and-keychain-6c6580dbf90c

dougg0k avatar Jul 16 '25 14:07 dougg0k

@numandev1

Image

ashishzopeCG avatar Jul 23 '25 11:07 ashishzopeCG

Hi @ashishzopeCG , @dougg0k

I think we need a new JavaScript script to:

  • Generate password:

    • Slice it into 5–10 parts and store each part in C++.

    • Each part should be placed in a separate C++ function with a random function name.

    • Add more dummy/trash functions in C++ to make it harder to identify the real ones.

  • Generate cipher text:

    • Use the same strategy as password generation.

  • Main function: This should call the actual (true) functions to reconstruct and return the key and password.

ngocle2497 avatar Jul 24 '25 13:07 ngocle2497

@dougg0k this should be fixed in the PR

ngocle2497 avatar Jul 27 '25 14:07 ngocle2497

Hm, a new release is needed then, and confirmation from someone or whoever reported the vulnerability.

@ngocle2497 @numandev1

dougg0k avatar Jul 28 '25 02:07 dougg0k

released 0.7.12

ngocle2497 avatar Aug 01 '25 00:08 ngocle2497