Ash

Reputation: 183

React Native - Sensitive Data

We are building a mobile application using React-Native and need to embed some sensitive data such as client secret keys/passwords into the mobile application itself.

What is the standard practice on this in terms of security (hardest to reverse-engineer)? Should the data be at native code level as constants, resource files or react native javascript files?

Upvotes: 2

Views: 973

Answers (2)

Damathryx

Reputation: 2828

You could use a library like react-native-keychain, which uses the native keychain libraries on iOS and Android.

Upvotes: 3

Magnus

Reputation: 3751

Old question but really, the answer is obvious and I'm very surprised by the other answers you've got.

...need to embed some sensitive data such as client secret keys/passwords into the mobile application itself.

NO. You do not need to do this. This is poor design on so many levels, not only security-wise because you are giving away your secrets. What happens when your client secret is leaked and you need to quickly replace it? Do you want to call all your users and ask them to please upgrade?

If you need to call third party services then really you need to make a proxy service that authenticates the user based on their credentials and then fetches the information with whatever client authentication you have.

This is not different from any other client -> server architecture. Anything that is on the client you can assume WILL be reverse engineered. It is not even very hard to do.

Upvotes: 3
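
The proxy design described in the answer above, as an added example that is not part of the original post: a Node.js handler that authenticates the app user with a signed session token and attaches the third-party client secret on the server only. The names `SESSION_KEY`, `THIRD_PARTY_CLIENT_SECRET`, `/v1/data` and the injected `callUpstream` function are hypothetical, and the secret values are constructed placeholders.

```javascript
const crypto = require("node:crypto");

// Server-side configuration (constructed defaults; load real values from a secret store).
const SESSION_KEY = process.env.SESSION_KEY || "constructed-session-signing-key";
const CLIENT_SECRET = process.env.THIRD_PARTY_CLIENT_SECRET || "constructed-client-secret";

const sign = (payload) =>
  crypto.createHmac("sha256", SESSION_KEY).update(payload).digest("base64url");

// Call only after the backend has verified the user's own credentials.
function issueSessionToken(userId, ttlSeconds, now = Date.now()) {
  const claims = JSON.stringify({ sub: userId, exp: now + ttlSeconds * 1000 });
  const payload = Buffer.from(claims).toString("base64url");
  return `${payload}.${sign(payload)}`;
}

// Returns the user id for a valid, unexpired token, otherwise null.
function verifySessionToken(token, now = Date.now()) {
  const [payload, mac] = String(token || "").split(".");
  if (!payload || !mac) return null;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    const { sub, exp } = JSON.parse(Buffer.from(payload, "base64url").toString());
    return typeof sub === "string" && exp > now ? sub : null;
  } catch {
    return null; // payload was not valid JSON
  }
}

// Proxy handler: the mobile app sends only its user token; the secret is added here.
// callUpstream is injected and synchronous so the example runs offline (assumption);
// a deployed proxy would make an HTTPS request to the third-party service instead.
function handleProxyRequest(req, callUpstream, now = Date.now()) {
  const token = (req.headers.authorization || "").replace(/^Bearer /, "");
  const userId = verifySessionToken(token, now);
  if (!userId) return { status: 401, body: { error: "unauthenticated" } };
  const upstream = callUpstream({
    path: "/v1/data",
    headers: { authorization: `Bearer ${CLIENT_SECRET}` },
    query: { user: userId },
  });
  // Forward only the data the app needs, never upstream headers or credentials.
  return { status: 200, body: { data: upstream.data } };
}
```

Because the secret lives only in the server's environment, replacing it after a leak is a server-side configuration change and needs no app update.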
