Question [Security]: using AsyncStorage to store token

vmurin / react-native-azure-auth

React Native library implementing Azure AD OAuth2 API

MIT License

85 stars 65 forks source link

Question [Security]: using AsyncStorage to store token #62

Open oferRounds opened 4 years ago

oferRounds commented 4 years ago

Hi @vmurin

I see that the library is using AsyncStorage to store to the token, and was wondering, as AsyncStorage does not store data in a secure way, is this a problem?

Was reading this lately: richardkotze.com/coding/send-jwt-client-apollo-graphql#securely-storing-jwt-tokens

oferRounds commented 4 years ago

One good option IMO is to use: https://github.com/oblador/react-native-keychain

vmurin commented 4 years ago

Hi @oferRounds

on one side you have referenced article about much more insecure localStorage not AsyncStorage ;)
on other side you are absolutely right - AsyncStorage is unencrypted storage and if your device is stolen and has unencrypted disk some one can access the file system and read the values in store. But AsyncStorage is secure enough if you did not loos your device. It means - it can not be accessed from another app.
I will consider to switch to more secure storage

oferRounds commented 4 years ago

Yes, you are right - I referenced it as related to storing token on a client in general, in an unencrypted way I wasn’t aware that localStorage is a lot worse (Coming from the native mobile in my roots, not from the web) Anyhow, thanks! Sounds good

vmurin commented 4 years ago

localStorage is a part of web browser API, it is not bound to any mobile app and there are many known attack ways to access data in localStorage, that does not meant to be accessible by anyone except owner.

In contrary AsyncStorage is a React Native feature backed under the hood by different native storage types on iOS and Android. It is not accessible from other apps, it is bound to your app, i.e. it will be cleared (the related part of it) if the app has being uninstalled. So in a some way it is secure ;)

Anyway it is recommended to use something like react-native-keychain for a sensible data like tokens as you wrote.

Thanks for pointing this out!

oferRounds commented 4 years ago

Got you @vmurin, good to learn this info about the localStorage

And thanks for always welcoming the feedback!

josethz00 commented 1 year ago

I read the discussion, and I think I will switch from AsyncStorage to Keychain, but I am concerned about performance. Is Keychain's performance similar to Async Storage?

vmurin commented 1 year ago

I did't googled for performance comparison between AsyncStorage and Keychain. But I suppose the performance in this case is not an issue. All network response times during auth process are much bigger.