react-native-keychain

credentials wiping on app uninstall is not consistent between platforms

Open anshul-kai opened this issue 6 years ago • 19 comments

Seems like my credentials are being wiped out on Android upon app uninstall on Android 6, 7 & 8. Am I missing something here? I was under the impression that keychain data is retained even after an uninstall. Seems to work this way on iOS. Any suggestions would be appreciated.

anshul-kai avatar Jun 27 '18 05:06 anshul-kai

In my case I would expect the data to be wiped out, but that is not happening on iOS, which is what I wanted to report.

enahum avatar Jul 04 '18 20:07 enahum

  • iOS won't wipe an app's associated keychain data on app uninstall. But by default this is saved not on iCloud but on the device itself, so if you change your device you won't find the data.

  • Android won't persist data (this does not work like iOS keychain). In Android maybe android:allowBackup="true" (I did not try) should do the trick. In AndroidManifest.xml:

<application
      android:name=".MainApplication"
      android:label="@string/app_name"
      android:icon="@mipmap/ic_launcher"
      android:allowBackup="true"

MacKentoch avatar Jul 04 '18 20:07 MacKentoch

allowBackup is already set to true for my app. Looks like I was operating with the misunderstanding that the keychain would be persisted and available even after an app uninstall.

With a combination of AsyncStorage and some simple encryption algorithm, one can easily achieve this functionality on both platforms. Would it be possible to shed some light on the use cases where this library comes in handy on an Android device given that the data isn't persisted?

anshul-kai avatar Jul 05 '18 01:07 anshul-kai

This behaviour breaks the feature parity between iOS and Android. People would expect that the library works the same way on both platforms. So I think it should be fixed in this library (i.e. wipe out credentials on both iOS and Android) or at least documented.

Related issue: #87

leethree avatar Mar 05 '19 10:03 leethree

I have been looking into this as well. It does not look like we can get persistent "keychain" data on Android after an app uninstall. The encrypted data itself is stored in SharedPreferences which is by default deleted on app uninstall. In theory, this could get backed up/restored using Android's Auto Backup feature (though I could not get even this to work). However, the keystore entries also get deleted on app uninstall, so even if we had the data, we could not decrypt them without the keys. I think I've got that right.

> With a combination of AsyncStorage and some simple encryption algorithm, one can easily achieve this functionality on both platforms.

I'm not a security expert, but I'd like to try to answer this for my own edification because I've been asking myself similar questions lately.

You could totally do this in React Native, however, what I have come to understand is that doing it this way is in practice inherently insecure. AsyncStorage is not a secure storage container, meaning someone with access to your phone or a malicious app could read the data. But who cares about that because it is encrypted, right? Then, the question is where to put your keys? You can't put them anywhere in your source code because apps can get statically analyzed and reverse engineered. You could put them in your database, but then it exposes your keys to the internet in general, not to mention all of your developers who might like to snoop on users.

Things like Android Keystore exist to prevent all of the above and ensure that no one could possibly read secure data except for the person who created it. The benefit is admittedly non-obvious for the trouble, but that's how I've been thinking of this.

hellogerard avatar Sep 17 '19 18:09 hellogerard

Other similar libraries provide an option to clear or keep on uninstall. https://www.npmjs.com/package/react-native-secure-key-store

Clearing data should be the default in my opinion.

sujayjaju avatar Sep 23 '19 12:09 sujayjaju

@sujayjaju it seems setResetOnAppUninstallTo is implemented in react-native-secure-key-store only for iOS. I have not found this method here.

I would like to have something like setResetOnAppUninstallTo in react-native-keychain.

Bardiamist avatar Sep 25 '19 07:09 Bardiamist

I too would like an option to wipe data on uninstall on iOS

kaloudis avatar Jan 25 '20 16:01 kaloudis

Any updates? I need this feature too!

AndreyPatseiko avatar Feb 10 '20 14:02 AndreyPatseiko

+1 does nobody else care about this? I understand that this is not the most qualified comment, but it's weird that not even a discussion arises and there's no input whatsoever from the maintainers... :/

TheWirv avatar Jun 20 '20 16:06 TheWirv

Any updates?

dhanazam avatar Jun 23 '20 04:06 dhanazam

> Other similar libraries provide an option to clear or keep on uninstall. https://www.npmjs.com/package/react-native-secure-key-store
>
> Clearing data should be the default in my opinion.

Can we apply the method from the library above on this keychain library?

andylim0221 avatar Jul 08 '20 03:07 andylim0221

Any update on this issue?

Sakshisrivastava413 avatar Oct 07 '21 03:10 Sakshisrivastava413

You can use the Settings API which is a wrapper for NSUserDefaults on iOS (gets cleared on delete) https://reactnative.dev/docs/settings

One solution might look like this in your App.tsx:

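import {useEffect} from 'react'
import {Settings} from 'react-native'
import * as Keychain from 'react-native-keychain'
useEffect(() => {
    // useEffect callbacks cannot be async, so await inside an inner async function
    const resetOnFirstLaunch = async () => {
        if (!Settings.get('hasOpened')) {
            await Keychain.resetGenericPassword({service: KEY_HERE})
            //TODO: Update Login state here
            Settings.set({hasOpened: true})
        }
    }
    resetOnFirstLaunch()
}, [])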

Inspired from this: https://stackoverflow.com/questions/4747404/delete-keychain-items-when-an-app-is-uninstalled

*This doesn't wipe data on uninstall but it does on reinstall, which is effectively what I needed. Just in case it's helpful for others.

mountain-hiker avatar Jan 19 '22 19:01 mountain-hiker
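The first-launch reset from the comment above, run against a model of the platform behaviour reported in this thread. This is an added example, not part of the original thread or of react-native-keychain. The `flags` and `keychain` objects, `makeDevice`, the service name and the stored credential are constructed stand-ins for Settings and the library so the logic runs in plain Node.

```javascript
// Added example. `flags` stands in for Settings (NSUserDefaults) and `keychain`
// for react-native-keychain; both are injected so the logic runs in plain Node.
async function resetKeychainOnFirstLaunch({ flags, keychain, service }) {
  if (flags.get('hasOpened')) return false; // not the first launch of this install
  await keychain.resetGenericPassword({ service }); // a rejection propagates...
  flags.set({ hasOpened: true }); // ...so the flag is set only after a successful wipe
  return true;
}

// Constructed in-memory model of the behaviour reported in the thread:
// iOS keeps keychain items across uninstall but clears NSUserDefaults;
// Android clears both the stored data and its keys.
function makeDevice(platform) {
  let prefs = {};
  let secrets = {};
  return {
    flags: { get: (k) => prefs[k], set: (o) => Object.assign(prefs, o) },
    keychain: {
      setGenericPassword: async (username, password, { service }) => {
        secrets[service] = { username, password };
        return true;
      },
      getGenericPassword: async ({ service }) => secrets[service] || false,
      resetGenericPassword: async ({ service }) => { delete secrets[service]; return true; },
    },
    uninstall() { prefs = {}; if (platform === 'android') secrets = {}; },
  };
}

// Store a credential, relaunch, uninstall, reinstall; report whether it is readable.
async function credentialsAfterReinstall(platform, useFirstLaunchReset) {
  const device = makeDevice(platform);
  const service = 'com.example.auth'; // placeholder service name
  const launch = async () => {
    if (useFirstLaunchReset) await resetKeychainOnFirstLaunch({ ...device, service });
  };
  await launch();
  await device.keychain.setGenericPassword('alice', 'constructed-secret', { service });
  await launch(); // ordinary relaunch must not wipe anything
  const beforeUninstall = Boolean(await device.keychain.getGenericPassword({ service }));
  device.uninstall();
  await launch(); // first launch after reinstall
  const afterReinstall = Boolean(await device.keychain.getGenericPassword({ service }));
  return { beforeUninstall, afterReinstall };
}
```

Because the flag is written only after the reset resolves, a failed wipe is retried on the next launch instead of leaving the previous install's credentials readable.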

How do I keep keychain data on Android when I swipe or reinstall the app? I tried setInternetCredentials but it did not work.

bachbonglong avatar Aug 24 '22 07:08 bachbonglong

wow...no one can answer how to persist data on android in like 5 years?

timothyerwin avatar Aug 01 '23 18:08 timothyerwin

https://github.com/oblador/react-native-keychain/issues/135#issuecomment-534081526

But it actually doesn't delete on uninstall; rather, let's say it deletes the keychain when the app is reinstalled later, based on the config provided: https://github.com/pradeep1991singh/react-native-secure-key-store/issues/55#issuecomment-522554547

vinithreddy3 avatar Oct 16 '23 16:10 vinithreddy3

I don't really like Expo, but expo-secure-store actually supports keeping saved data when the app is uninstalled, for both Android and iOS (it does not use the keychain on iOS, though). So there should be a way...

bdtren avatar Feb 27 '24 09:02 bdtren

@kaloudis, any update on this?

Thanks

Akhil-PITS avatar May 07 '24 05:05 Akhil-PITS