Is AsyncStorage secure?

Tags:

react-native

I'd like to persist a user's account credentials (i.e. username and password) in my React Native app. Should I use AsyncStorage?

In other words, I want to know if and how AsyncStorage protects its contents. The docs are silent on that.

(I'm using RN v0.28)

Eric asked Jul 15 '16 13:07


People also ask

Is AsyncStorage encrypted?

As described on React Native's website: “AsyncStorage is an unencrypted, asynchronous, persistent, key-value storage system that is global to the app.”

Is React Native AsyncStorage secure?

Async Storage is a community-maintained module for React Native that provides an asynchronous, unencrypted, key-value store. Async Storage is not shared between apps: every app has its own sandbox environment and has no access to data from other apps.

Where does AsyncStorage store data?

On iOS, AsyncStorage is backed by native code that stores small values in a serialized dictionary and larger values in separate files. On Android, AsyncStorage will use either RocksDB or SQLite based on what is available.

How much can you store in AsyncStorage?

Current Async Storage's size is set to 6MB. Going over this limit causes a "database or disk is full" error. This 6MB limit is a sane limit to protect the user from the app storing too much data in the database.


3 Answers

You should NEVER save the username and password in plain text in client applications. Please note, never save sensitive data in plain text. You should use a token to authenticate the user.

Regarding the security of AsyncStorage, read this answer. TL;DR: the data is safe unless the attacker has access to the device or the device is rooted (Android)/jailbroken (iOS). The data is not encrypted. So, with root or physical access to the device (and the device is not protected), it is possible to access that data.

Sandro Machado answered Sep 20 '22 16:09


Is AsyncStorage secure?

No, AsyncStorage is not secure. The docs say:

AsyncStorage is a simple, unencrypted, asynchronous, persistent, key-value storage system that is global to the app. It should be used instead of LocalStorage.

To store secure information on the native side, I really recommend using react-native-keychain with react-native.

For iOS it uses Keychain Sharing Capabilities.

For Android it uses:

  • API level 16-22: Facebook Conceal
  • API level 23+: Android Keystore

This is a simple example:

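import * as Keychain from 'react-native-keychain';

// username and password come from the caller, e.g. the login form.
// Generic Password, service argument optional
Keychain
  .setGenericPassword(username, password)
  .then(function() {
    console.log('Credentials saved successfully!');
  });

// service argument optional
Keychain
  .getGenericPassword()
  .then(function(credentials) {
    // Newer versions resolve to false when nothing is stored
    if (!credentials) {
      console.log('No credentials stored');
      return;
    }
    console.log('Credentials successfully loaded for user ' + credentials.username);
  }).catch(function(error) {
    console.log('Keychain couldn\'t be accessed! Maybe no value set?', error);
  });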

Julien Kode answered Sep 22 '22 16:09
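
One way an app that already wrote the username and password to AsyncStorage could move them into the keychain and purge the plaintext copies. This is an added example, not part of the answers above: the key names `username`/`password` and the helper names are assumptions, and the two `fake…` objects are constructed stand-ins for AsyncStorage and react-native-keychain.

```javascript
// Added example, not from react-native-keychain or the answers above.
// Storage backends are injected so the logic also runs under plain Node.
const LEGACY_KEYS = ['username', 'password']; // hypothetical key names

// Move credentials an older build left in AsyncStorage into the keychain,
// then delete the plaintext copies. Resolves to true if anything was moved.
async function migrateLegacyCredentials(asyncStorage, keychain) {
  const [username, password] = await Promise.all(
    LEGACY_KEYS.map((key) => asyncStorage.getItem(key))
  );
  const complete = username !== null && password !== null;
  if (complete) {
    // Write to the secure store first so a crash cannot lose the login.
    await keychain.setGenericPassword(username, password);
  }
  // Always purge, even a half-written leftover with only one key present.
  await asyncStorage.multiRemove(LEGACY_KEYS);
  return complete;
}

// Resolves to { username, password }, or null when nothing is stored.
async function loadCredentials(asyncStorage, keychain) {
  await migrateLegacyCredentials(asyncStorage, keychain);
  const found = await keychain.getGenericPassword();
  return found ? { username: found.username, password: found.password } : null;
}

// Constructed in-memory stand-ins that mirror only the calls used above.
function fakeAsyncStorage(initial) {
  const data = new Map(Object.entries(initial));
  return {
    getItem: async (key) => (data.has(key) ? data.get(key) : null),
    multiRemove: async (keys) => { keys.forEach((key) => data.delete(key)); },
    dump: () => Object.fromEntries(data),
  };
}
function fakeKeychain() {
  let entry = false; // getGenericPassword resolves to false when empty
  return {
    setGenericPassword: async (username, password) => {
      entry = { username, password };
      return true;
    },
    getGenericPassword: async () => entry,
  };
}
```

In an app, pass the real `AsyncStorage` and `Keychain` modules to `loadCredentials` at startup; unrelated AsyncStorage keys are left untouched.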


If you are using the Expo SDK, you can use SecureStore for sensitive information.

Ohad Cohen answered Sep 18 '22 16:09