Jim

Reputation: 2322

Where are secure locations to store encryption keys in a react-native app?

I have a react-native app that communicates with a server that makes calls to Stripe for payment processing/customer creation. I want to ensure that requests are coming only from my app. So I figured I could create a token of sorts on the client, and encrypt it with a special key using b-crypt; then on the server side, when the request comes in with the encrypted token as a parameter, I can decrypt that token with the same special key.

I understand the optimal place to store this key is in the env variables server-side, but how do you manage the security of a secret key client-side in a react-native app?

Upvotes: 2

Views: 3219

Answers (2)

Jim

Reputation: 2322

After further research, I ended up revoking the accepted status of @GuruparanGiritharan's answer. His solution (react-native-keychain) dealt with storing passwords in an OS's keychain implementation. This ended up not being the solution for my question, as my question deals with storing secret keys in a way that they wouldn't be visible in a binary-decompiling situation.

What I did was research key management services. I found this:

Handling secrets with dotenv

In Node.js secrets are usually loaded from env files using the dotenv module. This is done in order to separate the secrets from source code. For example an env file might look like this (reference below):

DB_HOST=localhost
DB_USER=root
DB_PASS=s1mpl3

Now, doing this in a context (potentially development) where you don't need to implement continuous integration is referred to as "manual provisioning".

My issue (admittedly, I did not specify a production environment in my question) is when it comes to a production environment, in my case with Visual Studio App Center (a CI option for React-Native apps).

Continuing on this site for an option for key management services:

While this removes hardcoded secrets from source code, it doesn’t solve your problem completely; Now you need to find a way to provision your app with the .env file. This guide will show how you can remove the secrets from the .env file altogether, so that it can be safely checked into source control and shipped with your application.

This guide is discussing how to implement key management in the context of a production environment with continuous integration. This approach is relatively simple and straightforward, as all you need to do is create an .env file, add the keys as variables, and add (in this tool's case) an additional run script to your main Node.js start script.

Tool mentioned: SecretHub https://secrethub.io/docs/guides/nodejs/

Upvotes: -2
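The answer above quotes a three-line .env file and explains that dotenv keeps such values out of source code. As an added example (not code from the answer, from dotenv, or from SecretHub), here is a small parser for that format together with a fail-fast lookup, so that a missing or empty secret stops the server instead of silently falling back to a hardcoded default. The sample .env text below is constructed from the lines quoted in the answer plus a placeholder Stripe key; the function names `parseDotenv`, `requireSecret` and `loadConfig` are this example's own.

```javascript
// Added example: a minimal parser for the .env format quoted in the answer,
// plus a fail-fast secret lookup. Illustrative code, not the dotenv module
// itself (the real module handles more cases, e.g. multi-line values).

// Constructed sample .env content, extended from the three lines in the answer.
const SAMPLE_ENV = [
  '# database settings',
  'DB_HOST=localhost',
  'DB_USER=root',
  'DB_PASS="s1mpl3" # trailing comment',
  'export STRIPE_SECRET_KEY=sk_test_PLACEHOLDER', // placeholder, not a real key
  '',
].join('\n');

// Parse .env text into a plain object. Handles comments, blank lines,
// an optional "export " prefix, and single- or double-quoted values.
function parseDotenv(text) {
  const result = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;
    const match = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!match) continue; // skip malformed lines rather than guessing
    let value = match[2];
    const quoted = /^(['"])(.*)\1(?:\s+#.*)?$/.exec(value);
    if (quoted) {
      value = quoted[2];
    } else {
      // unquoted: strip an inline comment and surrounding whitespace
      value = value.replace(/\s+#.*$/, '').trim();
    }
    result[match[1]] = value;
  }
  return result;
}

// Return a named secret, refusing to continue with a missing or empty value.
function requireSecret(env, name) {
  const value = env[name];
  if (value === undefined || value === '') {
    throw new Error(`missing required secret ${name}`);
  }
  return value;
}

// Merge the real process environment over the parsed file so that values
// injected by CI win and the checked-in file never has to hold production keys.
function loadConfig(fileText, processEnv = {}) {
  const env = { ...parseDotenv(fileText), ...processEnv };
  return {
    dbHost: requireSecret(env, 'DB_HOST'),
    dbUser: requireSecret(env, 'DB_USER'),
    dbPass: requireSecret(env, 'DB_PASS'),
    stripeSecretKey: requireSecret(env, 'STRIPE_SECRET_KEY'),
  };
}
```

In a server, `loadConfig(fs.readFileSync('.env', 'utf8'), process.env)` at startup gives one place where every required secret is checked, which is the property the manual-provisioning and CI-provisioning approaches in the answer both rely on.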

Guruparan Giritharan

Reputation: 16334

There are several ways to store keys on the client side.

The easiest way is to use Async Storage, which stores data as key-value pairs. The problem with Async Storage is that it's not encrypted, so it won't suit your requirement.

The other option is to use the react-native-keychain library, which stores the passwords or keys securely in the Keychain on iOS and the Keystore on Android. The security part will be managed by the operating system, so this is an approach that can be recommended for your requirement.

There are multiple ways to do this, these are just two options.

Upvotes: 3
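The answer above recommends react-native-keychain so that the operating system's Keychain or Keystore holds the secret. As an added example (not code from the answer or from the library), here is a small store that keeps a server-issued, short-lived token in the keychain and treats anything absent, unreadable or expired as "no token". The library's module is injected rather than imported, so the same file runs under plain Node with the in-memory stand-in included below; in the app you would pass `require('react-native-keychain')`. The method names `setGenericPassword`, `getGenericPassword`, `resetGenericPassword`, the `service` and `accessible` options and `ACCESSIBLE.WHEN_UNLOCKED_THIS_DEVICE_ONLY` are the library's documented API; the service name, the record layout and the functions `createSessionStore` and `createFakeKeychain` are this example's own assumptions.

```javascript
// Added example: wrapping react-native-keychain behind a small store so the
// rest of the app never touches raw storage. The keychain module is injected
// (pass require('react-native-keychain') in the app) so this file also runs
// under plain Node with the in-memory fake below.

const SERVICE = 'com.example.app.session'; // assumed service name for the item

function createSessionStore(keychain, now = () => Date.now()) {
  return {
    // Persist a token the server issued, with its expiry. Only the OS
    // keychain/keystore sees the value; nothing is baked into the bundle.
    async save(token, expiresAtMs) {
      const record = JSON.stringify({ token, expiresAtMs });
      await keychain.setGenericPassword('session', record, {
        service: SERVICE,
        // keep the item on this device and readable only while it is unlocked
        accessible: keychain.ACCESSIBLE.WHEN_UNLOCKED_THIS_DEVICE_ONLY,
      });
    },
    // Return the token, or null if absent, unreadable or expired.
    // An expired or corrupt record is deleted rather than reused.
    async load() {
      const item = await keychain.getGenericPassword({ service: SERVICE });
      if (!item) return null;
      let record;
      try { record = JSON.parse(item.password); } catch (e) { record = null; }
      if (!record || typeof record.token !== 'string' || !(record.expiresAtMs > now())) {
        await keychain.resetGenericPassword({ service: SERVICE });
        return null;
      }
      return record.token;
    },
    async clear() {
      await keychain.resetGenericPassword({ service: SERVICE });
    },
  };
}

// Constructed in-memory stand-in with the same method shapes, so the store
// can be exercised outside React Native. It is not secure storage.
function createFakeKeychain() {
  const items = new Map();
  return {
    ACCESSIBLE: { WHEN_UNLOCKED_THIS_DEVICE_ONLY: 'WhenUnlockedThisDeviceOnly' },
    async setGenericPassword(username, password, opts = {}) {
      items.set(opts.service || 'default', { username, password, service: opts.service });
      return true;
    },
    async getGenericPassword(opts = {}) {
      // the real library resolves to false when no item exists
      return items.get(opts.service || 'default') || false;
    },
    async resetGenericPassword(opts = {}) {
      return items.delete(opts.service || 'default');
    },
  };
}
```

The design point is the one raised in both answers: the keychain protects what is stored on the device at rest, but it cannot hide a constant that ships inside the app binary. Storing a value the server hands out after authentication, and letting it expire, is what makes the protected storage worth having.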
