react-native-app-security 🔐

Easily implement usual security measures in React Native Expo apps

• SSL public key pinning
• Certificate transparency
• Prevent "recent screenshots"
• Safe Keyboard Detector

⚠️ Disclaimer
This package is intended to help implement a few basic security features but does not in itself guarantee that an app is secure.
Refer to OWASP's resources for more information on mobile app security.
You can also contact us if you need help with securing your app.

Installation and setup

This package is designed for use in expo apps with development builds.

yarn add @bam.tech/react-native-app-security

Add the config plugin to app.config.ts / app.config.js / app.json:

{
  "plugins": [
    [
      "@bam.tech/react-native-app-security",
      {
        "sslPinning": {
          "yahoo.com": [
            "TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=",
            "rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE="
          ]
        },
        "preventRecentScreenshots": {
          "ios": { "enabled": true },
          "android": { "enabled": true }
        }
      }
    ]
  ]
}

Anytime you change the config, don't forget to run:

yarn expo prebuild

Features

SSL Pinning

🥷 What's the threat? Attackers intercepting your app's network requests and accessing private data or sending malicious responses. More details

This package implements public key pinning using TrustKit on iOS and the certificate pinner included in OkHttp on Android.

Configuration

[
  "@bam.tech/react-native-app-security",
  {
    "sslPinning": {
      // The hostname you want to pin, without `https://`
      "yahoo.com": [
        // The public key hashes for the pinned certificates, without a `sha256/` prefix
        "TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=",
        "rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE="
      ]
    }
  }
]

Please note that you'll need to provide 2 public key hashes. This is to encourage having proper procedures in place to avoid locking users out, as described here in the TrustKit docs.

Pinning subdomains

To pin a specific subdomain, simply include it in the string you provide, eg:

    "sslPinning": {
      "subdomain.domain.com": [/* ... */]
    }

To pin a domain and all its subdomains, use a wildcard:

    "sslPinning": {
      // domain.com and all its subdomains will be pinned
      "*.domain.com": [/* ... */]
    }

The wildcard can only be used for the full lefmost part of the hostname.

These are invalid: *domain.com, domain.*.com, sub.*.domain.com

Generating the public key hashes

You'll need the certificates (.cer or .crt)

openssl x509 -in certificate.cer -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

Testing

To test that SSL pinning is working as expected, you can:

• break (change) a certificate and check that the connection fails (don't forget to yarn expo prebuild then yarn ios or yarn android to rebuild the app)
• set up a proxy (we love Proxyman) and check that the connection fails

Certificate transparency

🥷 What's the threat? Compromised certificate authorities. More details

• On iOS, certificate transparency is enabled by default since iOS 12.1.1
• On Android, this package enables it using appmatus/certificatetransparency for Android >= 8.0

Configuration

None, enabled by default.

Prevent "recent screenshots"

🥷 What's the threat? When the OS terminates the app, it may take a screenshot and store it on the device to display in the app switcher. This screenshot could leak sensitive data

Mitigating this threat is achieved by:

• Using FLAG_SECURE on Android < 13
• Using Activity.setRecentScreenshotsEnabled on Android >= 13
• Covering the app with the splashscreen on iOS (requires expo-splash-screen to be setup)

Configuration

[
  "@bam.tech/react-native-app-security",
  {
    "preventRecentScreenshots": {
      "ios": { "enabled": true },
      "android": { "enabled": true }
    }
  }
]

Safe Keyboard Detector

🥷 What's the threat? A third-party keyboard might embed a malicious keylogger to record passwords and sensitive data. More details

Mitigating this threat is achieved by:

• On Android, comparing the current keyboard id with a list of keyboard packages that we deem safe.
• On iOS, doing nothing specific since iOS already prevent the use of third-party keyboard on sensitive fields such as passwords.

import { SafeKeyboardDetector } from "@bam.tech/react-native-app-security";

const { isInDefaultSafeList, inputMethodId } = getCurrentInputMethodInfo(); // Will always return {isInDefaultSafeList: true, inputMethodId: "iosKeyboard"} on iOS
if (!isInDefaultSafeList) {
  console.warn(`Your current keyboard (${inputMethodId}) is not safe`);
}

// Prompt the user to change the current keyboard
SafeKeyboardDetector.showInputMethodPicker(); // can only be called on Android

Contributing

Contributions are welcome. See the Expo modules docs for information on how to build/run/develop on the project.

When making a change to the plugin folder, you'll need to run yarn prepare before prebuilding and building the example app.

👉 About BAM

We are a 100 people company developing and designing multi-platform applications with React Native using the Lean & Agile methodology. To get more information on the solutions that would suit your needs, feel free to get in touch by email or through our contact form!

We will always answer you with pleasure 😁