react-native-azure-auth icon indicating copy to clipboard operation
react-native-azure-auth copied to clipboard
verified publisher icon vmurin

Question [Security]: using AsyncStorage to store token

Open oferRounds opened this issue 6 years ago • 7 comments

Hi @vmurin

I see that the library is using AsyncStorage to store to the token, and was wondering, as AsyncStorage does not store data in a secure way, is this a problem?

Was reading this lately: richardkotze.com/coding/send-jwt-client-apollo-graphql#securely-storing-jwt-tokens

oferRounds avatar Dec 02 '19 12:12 oferRounds

One good option IMO is to use: https://github.com/oblador/react-native-keychain

oferRounds avatar Dec 02 '19 12:12 oferRounds

Hi @oferRounds

  • on one side you have referenced article about much more insecure localStorage not AsyncStorage ;)
  • on other side you are absolutely right - AsyncStorage is unencrypted storage and if your device is stolen and has unencrypted disk some one can access the file system and read the values in store. But AsyncStorage is secure enough if you did not loos your device. It means - it can not be accessed from another app.
  • I will consider to switch to more secure storage

vmurin avatar Dec 02 '19 12:12 vmurin

Yes, you are right - I referenced it as related to storing token on a client in general, in an unencrypted way I wasn’t aware that localStorage is a lot worse (Coming from the native mobile in my roots, not from the web) Anyhow, thanks! Sounds good

oferRounds avatar Dec 02 '19 14:12 oferRounds

localStorage is a part of web browser API, it is not bound to any mobile app and there are many known attack ways to access data in localStorage, that does not meant to be accessible by anyone except owner.

In contrary AsyncStorage is a React Native feature backed under the hood by different native storage types on iOS and Android. It is not accessible from other apps, it is bound to your app, i.e. it will be cleared (the related part of it) if the app has being uninstalled. So in a some way it is secure ;)

Anyway it is recommended to use something like react-native-keychain for a sensible data like tokens as you wrote.

Thanks for pointing this out!

vmurin avatar Dec 02 '19 20:12 vmurin

Got you @vmurin, good to learn this info about the localStorage

And thanks for always welcoming the feedback!

oferRounds avatar Dec 02 '19 22:12 oferRounds

I read the discussion, and I think I will switch from AsyncStorage to Keychain, but I am concerned about performance. Is Keychain's performance similar to Async Storage?

josethz00 avatar Mar 22 '23 18:03 josethz00

I did't googled for performance comparison between AsyncStorage and Keychain. But I suppose the performance in this case is not an issue. All network response times during auth process are much bigger.

vmurin avatar Mar 22 '23 19:03 vmurin