Is React Native's Async Storage secure? - react-native

I want to store sensitive data locally in a React Native app.
Is the data only available to the app that wrote it?

AsyncStorage is not suitable for storing sensitive information. You might find this useful: https://github.com/oblador/react-native-keychain
It uses facebook conceal/android keystore to store encrypted data to SharedPreferences (Android) and keychain on iOS. (I co-authored the lib). Be sure to read the entire readme to understand what it offers.

No , it is not secure since it is not encrypted .I would recommend that you use Expo`s secureStore
If you`re building your app from Expo :
// in managed apps:
import { SecureStore } from 'expo';
If you`re building as a bare app
// in bare apps:
import * as SecureStore from 'expo-secure-store';
Read more here : https://docs.expo.io/versions/v32.0.0/sdk/securestore/

No, AsyncStorage is not secure for sensitive data. AsyncStorage simply saves data to documents on the phone's hard drive, and therefore anyone with access to the phone's file system can read that data. Of course, whether or not this is problematic for you depends on what you mean by "senstive data."
At least on iOS, it is true that the data is only available to the app that wrote it, because of Apple's sandboxing policy. This doesn't stop jailbroken iPhones with root access to the file system from getting whatever they want, since AsyncStorage does not encrypt any of its data. But in general, don't save sensitive data to AsyncStorage, for the same reason you shouldn't hard code sensitive data in your javascript code, since it can be easily decompiled and read.

For very sensitive app or user data, you could try something like https://github.com/oblador/react-native-keychain on iOS(uses iOS Keychain) or https://github.com/classapp/react-native-sensitive-info for both Android and iOS(uses Android Shared Preference and iOS Keychain).
Both of them come with very fluent API and straightforward way of linking with react-native link and are a more secure way of preserving data you want to keep away from prying eyes.

I've faced the same problem on a project I was working on, we were using a custom wrapper for AsyncStorage, stored some amount of data and then we tried to retrieve the same data... and it was so easy.
We get over that problem by using Realm with the encryption option and it was a easier, faster and better solution than AsyncStorage.

No it is not secure. Consider using library like https://github.com/oblador/react-native-keychain for secure storage.
If you're using Expo you can use Expo.SecureStore to encrypt and securely store key–value pairs locally on the device. Documentation: https://docs.expo.io/versions/latest/sdk/securestore

I have created a secure storage module for redux-persist that uses react-native-keychain to store an encryption key and uses CryptoJS to encrypt the redux-store at rest in AsyncStorage. You can find the module at:
redux-persist-encrypted-async-storage
Its usage is discussed in the readme at the link.

From react-native doc - https://facebook.github.io/react-native/docs/asyncstorage.html
AsyncStorage is a simple, unencrypted, asynchronous, persistent, key-value storage system that is global to the app.
Its not secure as it stores key-value pairs in unencrypted form on device.
Checkcout - https://www.npmjs.com/package/react-native-secure-key-store.
It used keychain for iOS and KeyStore for Android for storing data securely.

If you are still searching for this one.
try using react-native-encrypted-storage they have some encryption.
react-native-encrypted-storage
its so simple as async storage

Related

How to store local private user data with React Native app?

I'm about to start working on a expense tracker app for mobile and I would like to use React Native with Expo (pretty new to mobile techs). Maybe I will share it with some friends or other people and the question that cames up is where to store their data (in this case is sensitive as they will register their money's movement).
What I mean is, I could use any cloud DB (Mongo, Firestore, etc) but I will have access to everything they register there and I wouldn't like that, just for security and their privacy sake.
So, is there a way to store their data or everything they register locally in their phones? So the app can only access to the data that is stored there and I can't see it. Or any other possibility?
I found the AsyncStorage API but I don't know if this is the correct approach for what I'm looking for. I didn't code anything yet as I don't know which would be the right path.
You can use Secure Store since you're using expo.
expo-secure-store provides a way to encrypt and securely store key–value pairs locally on the device. Each Expo project has a separate storage system and has no access to the storage of other Expo projects.
See https://docs.expo.dev/versions/latest/sdk/securestore/
I had a similar case and i went for realm.js .

Switching storage library in React Native

I'm switching from the AsyncStorage to the MMKV storage library and I'd like to know the best way to remove the old AsyncStorage data from the devices of my users. I don't need to migrate any data.
I know I could just call AsyncStorage.clear(), but ideally I'd like to remove the library completely from my project. If I remove AsyncStorage, does all data created on the device by it get deleted as well? If not, is there another way to clear the old storage which I'm not aware of?
Appreciate your input!

Best way to use Offline storage for images in React Native

I'm stuck for making my react native app offline for storing the images.
what is the best way to use, shall i go with AsyncStorage, Real m, CouchDB or WatermelonDB.
Actually i am new to React Native, so i want to use the best solution.
Please help me.
Thanks in advance.
By the common ways. There are no databases actually store media. They actually save media files in physic / cloud servers and store only access url in database.
So, to achieve your technical goal. You can use react-native-fs to interact with your media files. And save their url into your database like Realm, PouchDB, AsyncStorage.
I think AsyncStorage is simple to setup and suitable for save media url.

Migrating from Firebase JS SDK (Web) to react-native-firebase for offline storage

I have been using Firebase Web SDK for my react-native app (I am using FIRESTORE to store the data). Up to this point, I have had no problems. It all works smoothly. But now I want to add some kind of offline storage mechanism to my app so that I could still offer some functionality or display some content that was cached from the last connected session even if my users are offline. After some investigation, I have the impression that react-native-firebase is the preferred way to go. Now I have some questions and I like to get some advice from the experienced.
Is react-native-firebase the only option to go? I have quickly read about AsyncStorage and it is just a key-value storage. Considering the simplest thing I want to do is page through a list of firestore documents, this kind of storage seems not to be suitable to do this offline. Like If I wanted to do this with AsyncStorage I would have to put all the content (maybe hundreds of documents) I get from the firestore backend, persist them as a single string value, fetch them back, parse them, page them etc. And write custom logic& methods for all these.
If I was to use react-native-firebase, just enabling the offline storage -I assume- takes care of this for you and you don't have to write any custom logic for offline storage usage. I assume the data that has persisted for offline usage has the same structure as it does in firestore database. I feel like If I use anything other than react-native-firebase, I would have to handle all the custom logic for persisting, reading and rendering the data offline myself. Is that right?
The biggest concern I have is the amount of code refactoring that might be required. I have many lines of code and so many .get().then() like lines where I get and render the data from firestore. In the documentation of react-native-firebase it says:
...aims to mirror the official Firebase Web SDK as closely as
possible.
I am not sure to what extent this is true. I have checked the react-native-firebase's firestore module's reference documentation but I just can't tell how many of these querying methods are actually supported.
So, the way to go is react-native-firebase's way? Would it take a heavy toll on me trying to refactor the existing code? Any similar experience do you have?
I would appreciate any help.
Thanks a lot...
Maintainer of the react-native-firebase library here.
...aims to mirror the official Firebase Web SDK as closely as possible.
This is a minor disclaimer as there are some differences between the two, mainly down to how certain things have to be implemented with React Native.
For example, enablePersistence does not exist on RNFB. Instead, persistence is enabled by default and can be toggled off (or on) via settings().
Is react-native-firebase the only option to go? I have quickly read about AsyncStorage and it is just a key-value storage. Considering the simplest thing I want to do is page through a list of firestore documents, this kind of storage seems not to be suitable to do this offline. Like If I wanted to do this with AsyncStorage I would have to put all the content (maybe hundreds of documents) I get from the firestore backend, persist them as a single string value, fetch them back, parse them, page them etc. And write custom logic& methods for all these.
This is technically possible, however there are downsides to this as you have mentioned. With Firestore, when the device goes offline (quite common on apps) and you attempt a read/write it'll read/update your local cache, which will still trigger event listeners. When the app goes back online, it'll automatically re-sync with the server for you.
If I was to use react-native-firebase, just enabling the offline storage -I assume- takes care of this for you and you don't have to write any custom logic for offline storage usage. I assume the data that has persisted for offline usage has the same structure as it does in firestore database. I feel like If I use anything other than react-native-firebase, I would have to handle all the custom logic for persisting, reading and rendering the data offline myself. Is that right?
This is all handled for you. We wrap around the native Firebase SDKs so expect the same level of consistency if you were developing a native Android/iOS app if not using React Native.
The biggest concern I have is the amount of code refactoring that might be required. I have many lines of code and so many .get().then() like lines where I get and render the data from firestore.
Generally everything is the same apart from a few minor methods for reasons mentioned above.
So, the way to go is react-native-firebase's way? Would it take a heavy toll on me trying to refactor the existing code? Any similar experience do you have? I would appreciate any help.
I'd recommend anyone developing with React Native & Firebase to use RNFB. It provides a lot of extra functionality the Web SDK cannot provide with React Native. Apart from a more cumbersome setup & changing imports, it should work very much the same.

Is there a simple Synchronous Storage option for react native?

I have a use case for synchronous storage for my react native app.
Before app renders a home view, I want to check if there is a session token stored on the local storage and proceed if it is available, otherwise want to render login component instead as the initial view.
Using sync storage will simplify the code.
I don't think there is a simple synchronous storage option. According to this answer localstorage is not implemented in the core IOS javascript engine. AFAIK the other options such as those used in this localstorage polyfill don't work. That leaves us with needing a react native module which are asynchonous by design. From the docs:
React Native bridge is asynchronous, so the only way to pass a result to JavaScript is by using callbacks or emitting events
So I think Async is the way to go.
For those who are searching for this,
I found this npm package that served this need
react-native-sync-localstorage
I have a similar situation and found Realm supports synchronous read, which is what I need. Realm is a bit big for single token storage. I use AsyncStorage for everything else. Let me know if you find a simpler solution.
There's no solution similar with Native Mobile development such as SharedPreferences in Android.
Native Way: most of the operations are synced. (such as read from storage, etc), some of the operations are async.(http request, load image)
React Native way: almost all of the operations are asynced. this is explained by #Ryan Harmuth 's answer.
So, let's start to use Redux as a solution. :)