
Critical Vulnerability in react-native-keys Exposes API Keys

Open ch3tanbug opened this issue 10 months ago • 11 comments

Description: A critical security vulnerability has been identified in the react-native-keys library (v1.x), which claims to securely store API keys by encrypting and embedding them in native code. However, due to weak cryptographic practices, an attacker can easily extract and decrypt API keys.

🔴 Impact Attackers can extract and decrypt API keys stored via react-native-keys. API keys used for Firebase, AWS, Stripe, and other services can be compromised, leading to unauthorized access, financial fraud, and data breaches. The security model of the library is ineffective, providing a false sense of protection.

Please contact me for full technical details - [email protected]

ch3tanbug avatar Jan 31 '25 15:01 ch3tanbug

👋 @ch3tanbug Thanks for opening your issue here! If you find this package useful hit the star🌟!

github-actions[bot] avatar Jan 31 '25 15:01 github-actions[bot]

.

aminhdev avatar Feb 19 '25 07:02 aminhdev

has this issue been fixed?

RayKay91 avatar Mar 10 '25 13:03 RayKay91

Just found the library, last commit was 5 months ago. Anything on this? @numandev1

There seem to be other important issues open without real response, just github bot response or some other user also needing help.

dougg0k avatar Jun 09 '25 17:06 dougg0k

Seems to be this one https://github.com/numandev1/react-native-keys/issues/104

dougg0k avatar Jul 07 '25 23:07 dougg0k

@dougg0k is your changes fixing all reported vulnerabilities in this package?

ashishzopeCG avatar Jul 14 '25 05:07 ashishzopeCG

@ashishzopeCG no, there’s NO way to be secure on the client. The decryption keys are still in the source code and someone can find them. Never trust the client.

There are techniques to be secure on the client but they are very complex.

efstathiosntonas avatar Jul 14 '25 05:07 efstathiosntonas

@efstathiosntonas any alternative approach for this

ashishzopeCG avatar Jul 14 '25 05:07 ashishzopeCG

you can read this blog article from Oscar: https://ospfranco.com/react-native-security-guide/

efstathiosntonas avatar Jul 14 '25 07:07 efstathiosntonas

@ashishzopeCG you should read what I wrote in the PR.

It is as @efstathiosntonas said: this package, like any other, is just there to make it more difficult.

A few weeks ago I wrote a compilation of things one can do to help with security when building apps; many of these can help make certain things more difficult, so they can complement each other. But these are still just open source solutions; in some contexts the most complete ones would be paid solutions.

https://gist.github.com/dougg0k/60e02f2fd99df129a7e329c92309fd5e

dougg0k avatar Jul 14 '25 13:07 dougg0k

@dougg0k this should be fixed on PR

ngocle2497 avatar Jul 27 '25 14:07 ngocle2497