I want to store sensitive data locally in a React Native app.

Is the data only available to the app that wrote it?

Solution 1

AsyncStorage is not suitable for storing sensitive information. You might find this useful: https://github.com/oblador/react-native-keychain

It uses facebook conceal/android keystore to store encrypted data to SharedPreferences (Android) and keychain on iOS. (I co-authored the lib). Be sure to read the entire readme to understand what it offers.

Solution 2

No , it is not secure since it is not encrypted .I would recommend that you use Expo`s secureStore

If you`re building your app from Expo :

// in managed apps:
import { SecureStore } from 'expo';

If you`re building as a bare app

// in bare apps:
import * as SecureStore from 'expo-secure-store';

Read more here : https://docs.expo.io/versions/v32.0.0/sdk/securestore/

Solution 3

No, AsyncStorage is not secure for sensitive data. AsyncStorage simply saves data to documents on the phone's hard drive, and therefore anyone with access to the phone's file system can read that data. Of course, whether or not this is problematic for you depends on what you mean by "senstive data."

At least on iOS, it is true that the data is only available to the app that wrote it, because of Apple's sandboxing policy. This doesn't stop jailbroken iPhones with root access to the file system from getting whatever they want, since AsyncStorage does not encrypt any of its data. But in general, don't save sensitive data to AsyncStorage, for the same reason you shouldn't hard code sensitive data in your javascript code, since it can be easily decompiled and read.

Solution 4

For very sensitive app or user data, you could try something like https://github.com/oblador/react-native-keychain on iOS(uses iOS Keychain) or https://github.com/classapp/react-native-sensitive-info for both Android and iOS(uses Android Shared Preference and iOS Keychain).

Both of them come with very fluent API and straightforward way of linking with react-native link and are a more secure way of preserving data you want to keep away from prying eyes.

Solution 5

I've faced the same problem on a project I was working on, we were using a custom wrapper for AsyncStorage, stored some amount of data and then we tried to retrieve the same data... and it was so easy.

We get over that problem by using Realm with the encryption option and it was a easier, faster and better solution than AsyncStorage.

Solution 6

No it is not secure. Consider using library like https://github.com/oblador/react-native-keychain for secure storage.

If you're using Expo you can use Expo.SecureStore to encrypt and securely store keyvalue pairs locally on the device. Documentation: https://docs.expo.io/versions/latest/sdk/securestore

Solution 7

I have created a secure storage module for redux-persist that uses react-native-keychain to store an encryption key and uses CryptoJS to encrypt the redux-store at rest in AsyncStorage. You can find the module at:

redux-persist-encrypted-async-storage

Its usage is discussed in the readme at the link.

Solution 8

From react-native doc - https://facebook.github.io/react-native/docs/asyncstorage.html

AsyncStorage is a simple, unencrypted, asynchronous, persistent, key-value storage system that is global to the app.

Its not secure as it stores key-value pairs in unencrypted form on device.

It used keychain for iOS and KeyStore for Android for storing data securely.

Solution 9

If you are still searching for this one.
try using react-native-encrypted-storage they have some encryption.
react-native-encrypted-storage
its so simple as async storage