React Native Security

Yoel Apu, Akurey
Apr 7, 2021

In 2020, global mobile app revenues amounted to over 581 billion U.S. dollars, and in 2023 mobile apps are projected to generate more than 935 billion U.S. dollars via paid downloads and in-app advertising, according to figures published by the Statista Research Department on Feb 4, 2021.

Likewise, the McAfee Mobile Threat Report 2020 notes that attackers are taking advantage of this popularity to distribute malicious apps, and that mobile apps have become a distinct route for stealing sensitive data. Consequently, anyone developing mobile apps must always consider security.

Additionally, the OWASP Mobile Top 10 lists the most common vulnerabilities found in mobile apps; the first five are:

  • M1: Improper Platform Usage: This category covers misuse of a platform feature or failure to use platform security controls. It might include Android intents, platform permissions, misuse of TouchID, the Keychain, or some other security control that is part of the mobile operating system.
  • M2: Insecure Data Storage
  • M3: Insecure Communication
  • M4: Insecure Authentication
  • M5: Insufficient Cryptography

To significantly reduce the likelihood of a security breach in your application, I recommend focusing on three major areas: data storage, app-server communication, and authentication. Here are some best practices, based on the React Native security documentation, to help you secure your app when working with React Native.

React Native security best practices

Data Storage

Never store sensitive information such as API keys or passwords in your code: anything bundled with the app can be extracted in plain text by anyone who unpacks the APK or IPA. If your app must use an API key or a secret to reach some resource, the most secure approach is to build an orchestration layer (a backend you control) between the app and the resource, so the secret never ships to the device.

In React Native there are two kinds of storage, and you must decide which one to use based on the sensitivity of the data.

Async Storage is the equivalent of Local Storage on the web. Information is stored unencrypted, in plain text, so use it only for persisting non-sensitive data across app runs or for global, app-wide variables.

Secure Storage

iOS secure storage

Keychain Services lets you securely store small chunks of sensitive information for the user. It is the right place for certificates, tokens, passwords, and any other sensitive data that does not belong in Async Storage.

Android secure storage

Android — Secure Shared Preferences

Shared Preferences is the Android equivalent of a persistent key-value store. Data in Shared Preferences is not encrypted by default, but EncryptedSharedPreferences (from the Jetpack Security library) wraps the Shared Preferences class and automatically encrypts both keys and values.

Android — Keystore

The Android Keystore system lets you store cryptographic keys in a container that makes them much harder to extract from the device; on devices with a hardware-backed keystore, the key material never leaves the secure hardware.
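The decision the two storage sections describe (plain Async Storage for preferences, Keychain/Keystore-backed storage for credentials) is easy to get wrong in a large codebase, so it pays to centralise it. The following is an added example, not code from the article: a small storage facade that routes each value by sensitivity, plus a guard that makes direct writes of secret-looking keys to unencrypted storage fail loudly. Backends are injected, so it runs under plain Node here; in an app you would pass AsyncStorage (from @react-native-async-storage/async-storage) as `plain` and a Keychain/Keystore-backed wrapper such as react-native-keychain as `secure` (those package choices are assumptions, and the in-memory backend below is constructed for the example).

```javascript
// Added example, not code from the article: route values to plain or secure storage by
// sensitivity, and refuse to put secrets into unencrypted storage.
// Backends are injected; in an app `plain` would be AsyncStorage and `secure` a
// Keychain/Keystore-backed wrapper such as react-native-keychain (assumed packages).

// Key names that indicate secrets. Callers can also force `sensitive: true` explicitly.
const SENSITIVE_KEY = /(token|secret|password|passwd|credential|private[_-]?key|api[_-]?key)/i;

function isSensitiveKey(key) {
  return SENSITIVE_KEY.test(String(key));
}

// 'secure' for anything that looks like a credential, 'plain' for preferences,
// cached UI state and other non-sensitive data.
function chooseBackend(key, { sensitive } = {}) {
  return sensitive === true || isSensitiveKey(key) ? 'secure' : 'plain';
}

// Wrap an AsyncStorage-like object so that storing a secret in it fails loudly.
// The check runs synchronously, so the error is thrown before any I/O starts.
function guardPlainStorage(plain) {
  return {
    getItem: (key) => plain.getItem(key),
    removeItem: (key) => plain.removeItem(key),
    setItem(key, value) {
      if (isSensitiveKey(key)) {
        throw new Error(`refusing to write "${key}" to unencrypted storage; use secure storage`);
      }
      return plain.setItem(key, value);
    },
  };
}

// The facade the rest of the app uses. Both backends expose the AsyncStorage-style
// getItem/setItem/removeItem methods returning promises.
class AppStorage {
  constructor({ plain, secure }) {
    this.backends = { plain: guardPlainStorage(plain), secure };
  }
  set(key, value, opts) {
    return this.backends[chooseBackend(key, opts)].setItem(key, value);
  }
  get(key, opts) {
    return this.backends[chooseBackend(key, opts)].getItem(key);
  }
  remove(key) {
    // Remove from both so a value never survives a change of classification.
    return Promise.all([this.backends.plain.removeItem(key), this.backends.secure.removeItem(key)]);
  }
}

// Constructed in-memory backend so the example runs offline; not a real storage engine.
function memoryBackend() {
  const map = new Map();
  return {
    getItem: async (k) => (map.has(k) ? map.get(k) : null),
    setItem: async (k, v) => { map.set(k, String(v)); },
    removeItem: async (k) => { map.delete(k); },
    keys: () => [...map.keys()],
  };
}

// Usage: preferences land in plain storage, the session token in secure storage.
async function demo() {
  const plain = memoryBackend();
  const secure = memoryBackend();
  const store = new AppStorage({ plain, secure });
  await store.set('theme', 'dark');
  await store.set('authToken', 'eyJ...constructed-token');
  await store.set('lastCity', 'Lima', { sensitive: true }); // explicit override
  return { plainKeys: plain.keys(), secureKeys: secure.keys() };
}
```

The key-name heuristic is a safety net, not the classification itself: when in doubt, pass `sensitive: true`. Keep in mind that Keychain and Keystore are designed for small values (tokens, keys, passwords), not for bulk data.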

App-Server Communication

Network security is a prime concern for developers because apps usually need to talk to a backend endpoint, and users are often careless about the security of the networks their phones connect to.

To improve security in app-server communication here are some best practices:

  • APIs should always use HTTPS with TLS (TLS 1.2 or later, the latest version if possible).
  • Use certificate or public-key (SSL) pinning to defeat man-in-the-middle attacks. Ship at least one backup pin and plan key rotation in advance, or a routine certificate change will lock every installed client out.

Authentication

The React Native documentation recommends the OAuth2 protocol, widely regarded as the most complete and secure option for this purpose. A library to consider for native OAuth is react-native-app-auth, an SDK for communicating with OAuth2 providers. It wraps the native AppAuth-iOS and AppAuth-Android libraries and supports PKCE (Proof Key for Code Exchange), which prevents an authorization code intercepted on the device from being redeemed by anyone but the app that requested it. For more information about the protocol and the library, see the react-native-app-auth documentation.

Final recommendations

  • To avoid improper platform usage (M1), always review the framework's documentation and follow its recommended coding practices.
  • If your application needs permissions, apply the principle of least privilege: request only the permissions it actually needs, and request them at the moment they are needed rather than all at once.

Conclusion

React Native is one of the most popular and efficient app-building frameworks. With this article you now have a better idea of the most common vulnerabilities in mobile applications and how to handle security in React Native, a starting point for reducing the likelihood of a security breach, protecting your users and your company's reputation, and improving the quality of your apps.
