Salesforce Mobile SDK SmartStore Encryption (React-Native)

[mingfeng-alphline]

Our team recently developed a custom mobile app using Salesforce Mobile SDK (version 12.0.1) and utilized the SmartStore feature for local data storage. After conducting a penetration test on the app, we discovered that the SmartStore database files are not encrypted.

We would like to understand if there is a built-in way to enable encryption for SmartStore within the Salesforce Mobile SDK or if additional configuration is required on our end.

Questions:

Does the SF Mobile SDK ensure that all data within SmartStore soups is encrypted automatically, or are there certain data types or fields that require manual encryption? How can we verify that the encryption is successfully applied to SmartStore soups, both globally and at the field level? Are there any known limitations or bugs in the current version of the Salesforce Mobile SDK (12.0.1) we are using related to data encryption in SmartStore? Is there any additional configuration needed in the React Native app to fully encrypt data for each SmartStore soup? Below is the screenshot of the code on how to register the soup.

[wmathurin]

SmartStore uses SQLCipher as its database which takes care of encrypting all the data at rest.

For more information on local data encryption in Mobile SDK see https://help.salesforce.com/s/articleView?id=sf.mobile_security_local_data.htm&type=5

The documentation talks about Salesforce Mobile App (which uses Salesforce Mobile SDK for its local data storage and encryption).

For more information on SQLCipher see https://www.zetetic.net/sqlcipher/

[mingfeng-alphline]

I ran through the SalesForce Mobile SDK - React Native code and didn't find any encryption method. Based on my understanding of the SDK - React Native is called the native module from the SalesForce Mobile SDK - Android/ iOS, but there are no methods called the smartstore encryption function.

Question

1. Is all data within SmartStore soups encrypted automatically, or are there certain data types or fields that require manual encryption?

2. Is the encryption applied to SmartStore soups, both global and user stores?

[wmathurin]

We do have encryption methods and classes - we used them for encrypting files and other sensitive data like oauth tokens. The most sensitive data is stored using whatever the platform offers (e.g. secure enclave on iOS). If you look at the SmartStore code, you should see the code where we generate the encryption key and pass it to SQLCipher. All data in SmartStore is encrypted at rest (it does not matter if it is global or user store).

You might have been looking in the wrong place? You won't find any of the relevant code in this repo.

For the Mobile SDK side check out:

• https://github.com/forcedotcom/SalesforceMobileSDK-Android
• https://github.com/forcedotcom/SalesforceMobileSDK-iOS

If you want to see how SQLCipher does it:

• https://github.com/sqlcipher/sqlcipher
• https://github.com/sqlcipher/sqlcipher-android