 

Safe to store access token inside AsyncStorage?

I am looking at storing a user access token within a React Native application. Initially I had been looking at Redux, but then I noticed that RN has AsyncStorage; I am now assuming that, in the case of iOS, this is the equivalent of NSUserDefaults. I may be wrong.

Would this be a good way to store the access token? I don't really want to go through the process of using Redux, if I can help it, just for simple data storage.

ORStudios asked May 30 '17 15:05


People also ask

How do I store access token securely?

Option 1: Store your access token in localStorage : prone to XSS. Option 2: Store your access token in httpOnly cookie: prone to CSRF but can be mitigated, a bit better in terms of exposure to XSS. Option 3: Store your refresh token in httpOnly cookie: safe from CSRF, a bit better in terms of exposure to XSS.

Is AsyncStorage secure?

According to the official RN docs, AsyncStorage is an asynchronous and unencrypted key-value store. Because it is unencrypted, nothing persisted in AsyncStorage should be considered secure.

Should access tokens be stored?

There is no need to store it. You can validate it and get the data from it that you required. If your app needs to call APIs on behalf of the user, access tokens and (optionally) refresh tokens are needed. These can be stored server-side or in a session cookie.

Is AsyncStorage deprecated?

Deprecated. Use one of the community packages instead. AsyncStorage is an unencrypted, asynchronous, persistent, key-value storage system that is global to the app. It should be used instead of LocalStorage.


3 Answers

AsyncStorage may not be a good solution, depending on how your server handles your request.

However, you can use Redux and Redux-persist; using the transform parameter you can encrypt your data:

https://github.com/rt2zz/redux-persist#transforms

Key encryption: https://github.com/maxdeviant/redux-persist-transform-encrypt

You will still use AsyncStorage, but this time with an encryption layer to protect your data.

Mace Antoine answered Oct 23 '22 02:10


Redux is about data flow control. Not necessarily long term storage. If you want to persist redux data you will end up using AsyncStorage to do so.

AsyncStorage is sandboxed on non-jailbroken iOS devices. However, the data is not encrypted in any way.

A more secure solution for both platforms seems to be https://github.com/pradeep1991singh/react-native-secure-key-store

Travis White answered Oct 23 '22 01:10


AsyncStorage is not safe for sensitive information. Read more here.

In your use case, it will be better to use Firebase services to get the token. When the app starts, you can do something like:

// Assumes the Firebase SDK has already been initialised (firebase.initializeApp).
// onAuthStateChanged returns the function that removes the listener.
var unsubscribe = firebase.auth().onAuthStateChanged(function(user) {
  if (user) {
    user.getIdToken().then(function(idToken) {
      console.log(idToken);
      // Save it in redux, or in component state (in that case you need to do
      // this in every component where the token will be used)

      // Unsubscribe from the listener
      unsubscribe();
    });
  } else {
    // User is not authenticated
    // Unsubscribe from the listener
    unsubscribe();
  }
});
Priyesh Kumar answered Oct 23 '22 01:10