Easily implement usual security measures in React Native Expo apps
⚠️ Disclaimer
This package is intended to help implement a few basic security features but does not in itself guarantee that an app is secure.
Refer to OWASP's resources for more information on mobile app security.
You can also contact us if you need help with securing your app.
This package is designed for use in expo apps with development builds.
yarn add @bam.tech/react-native-app-securityAdd the config plugin to app.config.ts / app.config.js / app.json:
{
"plugins": [
[
"@bam.tech/react-native-app-security",
{
"sslPinning": {
"yahoo.com": [
"TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=",
"rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE="
]
},
"preventRecentScreenshots": {
"ios": { "enabled": true },
"android": { "enabled": true }
}
}
]
]
}Anytime you change the config, don't forget to run:
yarn expo prebuild🥷 What's the threat? Attackers intercepting your app's network requests and accessing private data or sending malicious responses. More details
This package implements public key pinning using TrustKit on iOS and the certificate pinner included in OkHttp on Android.
[
"@bam.tech/react-native-app-security",
{
"sslPinning": {
// The hostname you want to pin, without `https://`
"yahoo.com": [
// The public key hashes for the pinned certificates, without a `sha256/` prefix
"TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=",
"rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE="
]
}
}
]Please note that you'll need to provide 2 public key hashes. This is to encourage having proper procedures in place to avoid locking users out, as described here in the TrustKit docs.
To pin a specific subdomain, simply include it in the string you provide, eg:
"sslPinning": {
"subdomain.domain.com": [/* ... */]
}To pin a domain and all its subdomains, use a wildcard:
"sslPinning": {
// domain.com and all its subdomains will be pinned
"*.domain.com": [/* ... */]
}The wildcard can only be used for the full lefmost part of the hostname.
These are invalid:
*domain.com,domain.*.com,sub.*.domain.com
You'll need the certificates (.cer or .crt)
openssl x509 -in certificate.cer -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64To test that SSL pinning is working as expected, you can:
yarn expo prebuild then yarn ios or yarn android to rebuild the app)🥷 What's the threat? Compromised certificate authorities. More details
None, enabled by default.
🥷 What's the threat? When the OS terminates the app, it may take a screenshot and store it on the device to display in the app switcher. This screenshot could leak sensitive data
Mitigating this threat is achieved by:
FLAG_SECURE on Android < 13Activity.setRecentScreenshotsEnabled on Android >= 13[
"@bam.tech/react-native-app-security",
{
"preventRecentScreenshots": {
"ios": { "enabled": true },
"android": { "enabled": true }
}
}
]🥷 What's the threat? A third-party keyboard might embed a malicious keylogger to record passwords and sensitive data. More details
Mitigating this threat is achieved by:
import { SafeKeyboardDetector } from "@bam.tech/react-native-app-security";
const { isInDefaultSafeList, inputMethodId } = getCurrentInputMethodInfo(); // Will always return {isInDefaultSafeList: true, inputMethodId: "iosKeyboard"} on iOS
if (!isInDefaultSafeList) {
console.warn(`Your current keyboard (${inputMethodId}) is not safe`);
}
// Prompt the user to change the current keyboard
SafeKeyboardDetector.showInputMethodPicker(); // can only be called on AndroidContributions are welcome. See the Expo modules docs for information on how to build/run/develop on the project.
When making a change to the plugin folder, you'll need to run yarn prepare before prebuilding and building the example app.
We are a 100 people company developing and designing multi-platform applications with React Native using the Lean & Agile methodology. To get more information on the solutions that would suit your needs, feel free to get in touch by email or through our contact form!
We will always answer you with pleasure 😁