Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Question [Security]: using AsyncStorage to store token #62

Open
oferRounds opened this issue Dec 2, 2019 · 7 comments
Open

Question [Security]: using AsyncStorage to store token #62

oferRounds opened this issue Dec 2, 2019 · 7 comments
Labels
feature request A new not implemented feature is requested question Further information is requested

Comments

@oferRounds
Copy link

Hi @vmurin

I see that the library is using AsyncStorage to store to the token, and was wondering, as AsyncStorage does not store data in a secure way, is this a problem?

Was reading this lately: richardkotze.com/coding/send-jwt-client-apollo-graphql#securely-storing-jwt-tokens
@oferRounds
Copy link
Author

One good option IMO is to use: https://github.com/oblador/react-native-keychain

@vmurin
Copy link
Owner

vmurin commented Dec 2, 2019

Hi @oferRounds

  • on one side you have referenced article about much more insecure localStorage not AsyncStorage ;)
  • on other side you are absolutely right - AsyncStorage is unencrypted storage and if your device is stolen and has unencrypted disk some one can access the file system and read the values in store.
    But AsyncStorage is secure enough if you did not loos your device. It means - it can not be accessed from another app.
  • I will consider to switch to more secure storage

@vmurin vmurin added question Further information is requested feature request A new not implemented feature is requested labels Dec 2, 2019
@oferRounds
Copy link
Author

Yes, you are right - I referenced it as related to storing token on a client in general, in an unencrypted way
I wasn’t aware that localStorage is a lot worse (Coming from the native mobile in my roots, not from the web)
Anyhow, thanks! Sounds good

@vmurin
Copy link
Owner

vmurin commented Dec 2, 2019

localStorage is a part of web browser API, it is not bound to any mobile app and there are many known attack ways to access data in localStorage, that does not meant to be accessible by anyone except owner.

In contrary AsyncStorage is a React Native feature backed under the hood by different native storage types on iOS and Android. It is not accessible from other apps, it is bound to your app, i.e. it will be cleared (the related part of it) if the app has being uninstalled.
So in a some way it is secure ;)

Anyway it is recommended to use something like react-native-keychain for a sensible data like tokens as you wrote.

Thanks for pointing this out!

@oferRounds
Copy link
Author

Got you @vmurin, good to learn this info about the localStorage

And thanks for always welcoming the feedback!

@josethz00
Copy link

I read the discussion, and I think I will switch from AsyncStorage to Keychain, but I am concerned about performance. Is Keychain's performance similar to Async Storage?

@vmurin
Copy link
Owner

vmurin commented Mar 22, 2023

I did't googled for performance comparison between AsyncStorage and Keychain. But I suppose the performance in this case is not an issue. All network response times during auth process are much bigger.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature request A new not implemented feature is requested question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@oferRounds @vmurin @josethz00