Address security concerns with react-native-keychain #1616

Closed
4 tasks done
JeanlChristophe opened this issue Mar 26, 2024 · 1 comment
JeanlChristophe commented Mar 26, 2024

There are some security concerns related to our integration / usage of react-native-keychain, especially with regard to Android.

Subtasks

2. Consider making use of accessibility, access groups for both platforms

Status

  • Acknowledged but warrants no changes in our view.

Not seeing this as needed for our use case, here's why:

  • In Bitkit we already enable biometrics as an option, so there won't be any way to access and decrypt the keychain data. Though, presumably someone could get it provided they have the Bitkit specific info for writing the data.

Available Options

If we decide to implement this, below are the settings we can use both for iOS and Android.

1. Access Control

[Image: Access Control options]

2. Accessibility

[Image: Accessibility options]

3. Consider enforcing highest securityLevel when storing/retrieving encrypted data

Status

  • This is entirely redundant: the library has an auto mechanism to determine the best possible securityLevel when none is specified from TypeScript, which is how we're using it in keychain.ts.

4. Review the usage of SharedPreferences, which are deemed deprecated, and assess whether this needs to be addressed.

Details

4. SharedPreferences usage in react-native-keychain Android

The library uses plain old SharedPreferences to store encrypted data via the API method that we're using in Bitkit, i.e. Keychain.setGenericPassword(…).

While the claims of this posing security concerns feel far-fetched to me, it's nonetheless nowadays recommended to use DataStore instead.

I opened a PR in react-native-keychain for this:
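The block below is an added example, not the PR referred to above and not code from Bitkit or from react-native-keychain. It shows how a thin wrapper can pass the platform-specific hardening options discussed in this issue (accessControl and accessible on iOS, securityLevel on Android) to setGenericPassword, report the Keystore level actually in effect, and handle the two failure modes a caller meets in practice: getGenericPassword resolving to `false` when nothing is stored, and the native module rejecting a securityLevel the device cannot satisfy. The `KeychainLike` interface and the option string values are my understanding of the library's public API and must be checked against the installed version; `InMemoryKeychain` is a constructed stand-in so the code runs off-device.

```typescript
// Added example: not code from the Bitkit issue or from react-native-keychain.
// KeychainLike and the option strings below are assumptions about the library's
// public API; InMemoryKeychain is a constructed stand-in for the native module.

type AccessControl = 'BiometryCurrentSet' | 'BiometryAnyOrDevicePasscode' | 'DevicePasscode';
type Accessible = 'AccessibleWhenUnlockedThisDeviceOnly' | 'AccessibleWhenPasscodeSetThisDeviceOnly';
type SecurityLevel = 'ANY' | 'SECURE_SOFTWARE' | 'SECURE_HARDWARE';
type Platform = 'ios' | 'android';

interface SetOptions {
  service: string;                // namespace for the stored item
  accessControl?: AccessControl;  // iOS: what the user must present to unlock the item
  accessible?: Accessible;        // iOS: when the item is readable; *ThisDeviceOnly excludes backups
  securityLevel?: SecurityLevel;  // Android: minimum Keystore level the write must meet
}

interface Credentials { username: string; password: string; service: string }

// The subset of react-native-keychain this wrapper relies on (assumed shape).
interface KeychainLike {
  setGenericPassword(user: string, pass: string, opts: SetOptions): Promise<false | { service: string; storage: string }>;
  getGenericPassword(opts: { service: string }): Promise<false | Credentials>;
  getSecurityLevel(): Promise<SecurityLevel | null>;
}

// iOS is governed by access-control and accessibility classes, Android by the
// Keystore security level, so the option set differs per platform.
function hardenedOptions(service: string, platform: Platform): SetOptions {
  if (platform === 'ios') {
    return {
      service,
      accessControl: 'BiometryCurrentSet',                // item is invalidated if enrolled biometrics change
      accessible: 'AccessibleWhenUnlockedThisDeviceOnly', // readable only when unlocked; never restored from backup
    };
  }
  return { service, securityLevel: 'SECURE_HARDWARE' };
}

interface StoreResult { stored: boolean; level: SecurityLevel | null }

// Write the secret with the hardened options and report the level the device offers,
// so the caller can decide whether software-only storage is acceptable for its data.
async function storeSecret(kc: KeychainLike, platform: Platform, service: string, secret: string): Promise<StoreResult> {
  const level = await kc.getSecurityLevel();
  try {
    const res = await kc.setGenericPassword('secret', secret, hardenedOptions(service, platform));
    return { stored: res !== false, level };
  } catch {
    // The native side rejects when the requested securityLevel cannot be satisfied.
    return { stored: false, level };
  }
}

// getGenericPassword resolves to `false` when nothing is stored; normalise that to null.
async function readSecret(kc: KeychainLike, service: string): Promise<string | null> {
  const creds = await kc.getGenericPassword({ service });
  return creds === false ? null : creds.password;
}

// Constructed in-memory stand-in for the native module (not the real library).
class InMemoryKeychain implements KeychainLike {
  private items = new Map<string, Credentials>();
  lastOptions: SetOptions | null = null;
  constructor(private level: SecurityLevel | null) {}

  async setGenericPassword(user: string, pass: string, opts: SetOptions): Promise<false | { service: string; storage: string }> {
    if (opts.securityLevel === 'SECURE_HARDWARE' && this.level !== 'SECURE_HARDWARE') {
      throw new Error(`Storage does not satisfy level ${opts.securityLevel}`);
    }
    this.lastOptions = opts;
    this.items.set(opts.service, { username: user, password: pass, service: opts.service });
    return { service: opts.service, storage: 'AES' };
  }
  async getGenericPassword(opts: { service: string }): Promise<false | Credentials> {
    return this.items.get(opts.service) ?? false;
  }
  async getSecurityLevel(): Promise<SecurityLevel | null> { return this.level; }
}

// Usage: a software-only Android device refuses the hardware-backed write.
async function demo(): Promise<string> {
  const kc = new InMemoryKeychain('SECURE_SOFTWARE');
  const result = await storeSecret(kc, 'android', 'wallet', 'constructed-secret');
  return `stored=${result.stored} level=${result.level} read=${await readSecret(kc, 'wallet')}`;
}
demo().then(console.log);
```

The wrapper deliberately does not pick a fallback when the requested level is unavailable: whether software-backed storage is acceptable is a product decision, so the function reports the level and leaves that choice to the caller.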

catch-21 (Contributor) commented

This was merged about a month ago, see #1611. I've been testing Bitkit v1.0.0-beta.113 for the past week, which includes this change. Pin/biometric has been covered quite extensively so I'm satisfied with the regression check coverage.
