在 React Native 中保存敏感数据 [英] Save sensitive data in React Native
问题描述
我正在构建一个 React Native 应用程序,我需要保存一些敏感数据,例如令牌和刷新令牌.显而易见的解决方案是使用 AsyncStorage 保存该信息.问题是 AsyncStorage 的安全级别.
I am building a React Native application and I need to save some sensitive data like a token and a refresh token. The obvious solution is to save that information using AsyncStorage. The problem is the security level of the AsyncStorage.
AsyncStorage 提供了一种在本地存储令牌和数据的方法.它可以在某些方面,与 LocalStorage 选项相比.在全生产应用,建议不要访问AsyncStorage直接,而是使用抽象层,因为 AsyncStorage 是与使用同一浏览器的其他应用程序共享,因此从仓库中取出所有物品可能会损害相邻应用的功能.
AsyncStorage provides a way to locally store tokens and data. It can be, in some ways, compared to a LocalStorage option. In full production applications, it is recommended to not access AsyncStorage directly, but instead, to use an abstraction layer, as AsyncStorage is shared with other apps using the same browser, and thus an ill-conceieved removal of all items from storage could impair the functioning of neighboring apps.
https://auth0.com/blog/adding-authentication-to-react-native-using-jwt/
在本机应用程序中,我会在 iOS 中使用 Keychain 并在 私有模式 中使用 Shared Preferences安卓.
In a native app, I would go for Keychain in iOS and Shared Preferences in private mode in Android.
对于我在 React Native 提供的文档中读到的内容:
For what I read in the documentation provided by React Native:
在 iOS 上,AsyncStorage 由存储小值的本机代码支持在序列化的字典和单独文件中的较大值中.在Android,AsyncStorage 将根据什么使用 RocksDB 或 SQLite可用.
On iOS, AsyncStorage is backed by native code that stores small values in a serialized dictionary and larger values in separate files. On Android, AsyncStorage will use either RocksDB or SQLite based on what is available.
https://facebook.github.io/react-native/docs/asyncstorage.html
他们从不谈论数据的安全性.
They never talk about the security of that data.
为Android(在私有模式中使用Shared Preferences)创建一个模块是最好的解决方案,另一个为iOS创建一个模块(使用Keychain)来保存合理的数据?或者使用提供的 AsyncStorage 方法是否安全?
It is the best solution create a module for Android (that uses Shared Preferences in private mode) and another for iOS (that uses Keychain) to save the sensible data? Or it is safe to use the AsyncStorage methods provided?
推荐答案
只要深入研究 React Native 代码,我就找到了答案.
Just digging into the React Native code, I found the answer.
安卓
React Native AsyncStorage 模块实现基于 SQLiteOpenHelper.处理所有数据类的包:https://github.com/facebook/react-native/tree/master/ReactAndroid/src/main/java/com/facebook/react/modules/storage
The React Native AsyncStoragemodule implementation is based on SQLiteOpenHelper.
The package where all the data classes are handled: https://github.com/facebook/react-native/tree/master/ReactAndroid/src/main/java/com/facebook/react/modules/storage
The class with the instructions to create the database: https://github.com/facebook/react-native/blob/master/ReactAndroid/src/main/java/com/facebook/react/modules/storage/ReactDatabaseSupplier.java
Android 文档中,应用程序创建的数据库保存在关联应用程序的私有磁盘空间中,因此是安全的.
By the Android documentation, the databases created by the application are saved in private disk space that's associated application, so it is secure.
就像您保存在设备内部存储中的文件一样,Android 将您的数据库存储在关联的私有磁盘空间中应用.您的数据是安全的,因为默认情况下该区域不是其他应用程序可以访问.
Just like files that you save on the device's internal storage, Android stores your database in private disk space that's associated application. Your data is secure, because by default this area is not accessible to other applications.
iOS
在 iOS 中,AsyncStorage 值保存在序列化的字典文件中.这些文件保存在应用程序 NSDocumentDirectory 中.在 iOS 中,所有应用程序都位于自己的沙箱中,因此一个应用程序的所有文件都是安全的,其他应用程序无法访问它们.
In iOS the AsyncStorage values are saved in serialized dictionary files. Those files are saved in the application NSDocumentDirectory. In iOS all applications live in their own sandbox, so all files of one application are secured, they cannot be accessed by the other applications.
iOS 中处理 AsyncStorage 模块的代码可以在这里找到:https://github.com/facebook/react-native/blob/master/React/Modules/RCTAsyncLocalStorage.m
The code in iOS that handles the AsyncStorage module can be found here: https://github.com/facebook/react-native/blob/master/React/Modules/RCTAsyncLocalStorage.m
正如我们所看到的此处 用于存储AsyncStorage 保存的值的文件保存在NSDocumentDirectory 下(在应用程序沙箱环境中).
And as we can see here the files used to store the values saved by the AsyncStorage are saved under the NSDocumentDirectory (inside the application sandbox environment).
每个应用程序都是一个岛 iOS 应用程序与文件系统的交互主要限于应用程序沙箱内的目录.期间安装新应用程序时,安装程序会创建许多应用程序的容器.每个容器都有特定的角色.捆绑容器保存应用程序的包,而数据容器保存应用程序和用户的数据.数据容器是进一步分为多个目录,应用程序可以使用这些目录对其数据进行排序和组织.该应用程序还可能请求访问额外的容器——例如,iCloud 容器——在运行时.
Every App Is an Island An iOS app’s interactions with the file system are limited mostly to the directories inside the app’s sandbox. During installation of a new app, the installer creates a number of containers for the app. Each container has a specific role. The bundle container holds the app’s bundle, whereas the data container holds data for both the application and the user. The data container is further divided into a number of directories that the app can use to sort and organize its data. The app may also request access to additional containers—for example, the iCloud container—at runtime.
结论
使用 AsyncStorage 来保存用户令牌是安全的,因为它们保存在安全的上下文中.
It is safe to use AsyncStorage to save user tokens, since they are saved under a secure context.
请注意,这仅适用于没有 root 的 Android 设备和没有越狱的 iOS 设备.另请注意,如果攻击者对设备具有物理访问并且设备不受保护.他可以将设备连接到mac笔记本电脑,并解压文档目录,查看文档目录下保存的所有内容.
Please note that this is only true for Android devices without root and for iOS devices without jailbreak. Please also note that if the attacker has physical access to the device and the device is not protected. He can connect the device to the mac laptop and extract the documents directory and see all the contents saved under the documents directory.
这篇关于在 React Native 中保存敏感数据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
