在React Native中保存敏感数据 [英] Save sensitive data in React Native
问题描述
我正在构建一个React Native应用程序,我需要保存一些敏感数据,如令牌和刷新令牌。显而易见的解决方案是使用 AsyncStorage 保存该信息。问题是AsyncStorage的安全级别。
I am building a React Native application and I need to save some sensitive data like a token and a refresh token. The obvious solution is to save that information using AsyncStorage. The problem is the security level of the AsyncStorage.
AsyncStorage提供了一种本地存储令牌和数据的方法。在某些方面,它可以与LocalStorage选项相比
。在完整的
生产应用程序中,建议不要直接访问AsyncStorage
,而是使用抽象层,因为AsyncStorage是与使用相同浏览器的其他应用程序共享的
,因此
错误地从存储中移除所有物品可能会损害相邻应用程序的
功能。
AsyncStorage provides a way to locally store tokens and data. It can be, in some ways, compared to a LocalStorage option. In full production applications, it is recommended to not access AsyncStorage directly, but instead, to use an abstraction layer, as AsyncStorage is shared with other apps using the same browser, and thus an ill-conceieved removal of all items from storage could impair the functioning of neighboring apps.
https://auth0.com/blog/adding-authentication-to- react-native-using-jwt /
在原生应用中,我会选择 Keychain iOS 和共享偏好设置 私密模式 Android 。
In a native app, I would go for Keychain in iOS and Shared Preferences in private mode in Android.
我在React Native提供的文档中读到的内容:
For what I read in the documentation provided by React Native:
On iOS,AsyncStorage由本机代码支持,该代码在序列化字典中存储小值
,在单独文件中存储较大值。在
Android上,AsyncStorage将根据
可用的价格使用RocksDB或SQLite。
On iOS, AsyncStorage is backed by native code that stores small values in a serialized dictionary and larger values in separate files. On Android, AsyncStorage will use either RocksDB or SQLite based on what is available.
https://facebook.github.io/react-native/docs/asyncstorage.html
他们从不谈论数据的安全性。
They never talk about the security of that data.
这是为 Android 创建模块的最佳解决方案(使用共享首选项 私密模式)和另一个 iOS (使用 Keychain )来保存明智数据?或者使用提供的 AsyncStorage 方法是否安全?
It is the best solution create a module for Android (that uses Shared Preferences in private mode) and another for iOS (that uses Keychain) to save the sensible data? Or it is safe to use the AsyncStorage methods provided?
推荐答案
深入研究React Native代码,我找到了答案。
Just digging into the React Native code, I found the answer.
Android
React Native AsyncStorage 模块实现基于 SQLiteOpenHelper 。
处理所有数据类的包: https://github.com/facebook/react-native/tree/master/ReactAndroid/src/main/java/com/facebook/react/modules/storage
The React Native AsyncStoragemodule implementation is based on SQLiteOpenHelper.
The package where all the data classes are handled: https://github.com/facebook/react-native/tree/master/ReactAndroid/src/main/java/com/facebook/react/modules/storage
The class with the instructions to create the database: https://github.com/facebook/react-native/blob/master/ReactAndroid/src/main/java/com/facebook/react/modules/storage/ReactDatabaseSupplier.java
通过Android文档,应用程序创建的数据库保存在专用磁盘中与关联应用程序相关的空间,因此它是安全的。
By the Android documentation, the databases created by the application are saved in private disk space that's associated application, so it is secure.
就像您保存在设备内部存储上的文件一样,
Android sto将您的数据库保存在与
应用程序关联的专用磁盘空间中。您的数据是安全的,因为默认情况下,此区域不是其他应用程序可以访问的
。
Just like files that you save on the device's internal storage, Android stores your database in private disk space that's associated application. Your data is secure, because by default this area is not accessible to other applications.
iOS
在iOS中, AsyncStorage 值保存在序列化字典文件中。这些文件保存在应用程序 NSDocumentDirectory 中。在iOS中,所有应用程序都位于他们自己的沙箱中,因此一个应用程序的所有文件都是安全的,其他应用程序无法访问它们。
In iOS the AsyncStorage values are saved in serialized dictionary files. Those files are saved in the application NSDocumentDirectory. In iOS all applications live in their own sandbox, so all files of one application are secured, they cannot be accessed by the other applications.
iOS中处理 AsyncStorage 模块的代码可以在这里找到: https://github.com/facebook/react-native/blob/master/React/Modules/RCTAsyncLocalStorage.m
The code in iOS that handles the AsyncStorage module can be found here: https://github.com/facebook/react-native/blob/master/React/Modules/RCTAsyncLocalStorage.m
我们可以看到此处用于存储 AsyncStorage 保存的值的文件保存在 NSDocumentDirectory 下(在应用程序沙箱环境中)。
And as we can see here the files used to store the values saved by the AsyncStorage are saved under the NSDocumentDirectory (inside the application sandbox environment).
每个应用程序都是岛屿iOS应用程序与文件系统
的交互主要限于应用程序沙箱内的目录。在
安装新应用程序期间,安装程序会为应用程序创建许多
容器。每个容器都有特定的角色。 bundle
容器包含应用程序的包,而数据容器包含应用程序和用户的
数据。数据容器是
,进一步划分为许多目录,应用程序可以使用这些目录进行
排序并组织其数据。该应用程序还可以请求访问
其他容器 - 例如,iCloud容器 - 在运行时。
Every App Is an Island An iOS app’s interactions with the file system are limited mostly to the directories inside the app’s sandbox. During installation of a new app, the installer creates a number of containers for the app. Each container has a specific role. The bundle container holds the app’s bundle, whereas the data container holds data for both the application and the user. The data container is further divided into a number of directories that the app can use to sort and organize its data. The app may also request access to additional containers—for example, the iCloud container—at runtime.
结论
使用 AsyncStorage 进行保存是安全的用户令牌,因为它们是在安全的环境下保存的。
It is safe to use AsyncStorage to save user tokens, since they are saved under a secure context.
请注意,这仅适用于没有 root 的Android设备和iOS设备没有越狱。另请注意,如果攻击者对设备物理访问且设备未受保护。他可以将设备连接到mac笔记本电脑并提取文档目录,并查看保存在文档目录下的所有内容。
Please note that this is only true for Android devices without root and for iOS devices without jailbreak. Please also note that if the attacker has physical access to the device and the device is not protected. He can connect the device to the mac laptop and extract the documents directory and see all the contents saved under the documents directory.
这篇关于在React Native中保存敏感数据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
