How to choose React Native libraries for secure mobile application development - Security Boulevard


Learn how to choose React Native libraries that follow application security principles in order to build secure mobile applications.

By: Vineeta Sangaraju, senior research engineer, and Ksenia Peguero, senior research manager, at Synopsys.

React Native, created by Meta, is an open source framework used to build cross-platform applications without losing native capabilities. The JavaScript nature of React Native made this hybrid approach to mobile application development very popular. What does this mean in terms of application security, especially for mobile applications, which come with their own set of security loopholes and attack vectors? Does developing mobile applications with something as transparent as JavaScript pose new challenges or exacerbate existing ones?

When we choose a library, we usually think about its functionality (“Does it do the right job?”) and its performance (“Will it slow my application down?”). But we should also think about security: “Will it make my application vulnerable?”

Application security and React Native

Typically, applications are built with principles of security in mind, including

  • Least privilege
  • Defense-in-depth
  • Open design or security by obscurity
  • Minimizing attack surface
  • Client trust

The implementation of these principles in a mobile application varies slightly because its threat model differs from that of web applications, but it varies even more for applications built with React Native. Let’s analyze React Native’s impact on the overall security of the application for each of these principles.

Least privilege

This principle specifies that an application should have only the permissions it needs. A typical mobile application is composed of several components, such as services and receivers in the case of the Android environment. These components need to interact with various device processes for the application to function. For example, a music streaming application may have a service component that allows it to save music to the local file system. However, if the application has components that request access to the device location or camera, that might indicate a violation of least privilege.

Typically, with native applications, permissions are set in configuration files before building. React Native libraries, on the other hand, allow applications to read and set application permissions at runtime. They do not necessarily introduce any new risks. However, as with native code, the React Native code must not request overly privileged permissions.

Defense-in-depth

This principle refers to security best practices that help an application defend against the chaining of vulnerabilities. Like web applications, mobile applications can be safeguarded against common risks such as data theft and code manipulation. Examples of defensive controls include restricting the application to non-jailbroken devices and to devices running the latest OS version, avoiding insecure or deprecated APIs, and not allowing debuggers to be attached to the application process.

Lately, more applications are implementing these defensive controls in React Native code rather than in native code. It is important to understand how these controls work. Consider the practice of restricting the application to non-jailbroken devices. When selecting a jailbreak detection library, analyze the implementation of the APIs used. Does the implementation depend on a Boolean return type? If so, it is considered event-based and is easy to bypass, especially when other complementary defenses are lacking.

In general, when choosing a React Native library to protect against typical mobile risks, exercise caution with implementations and deprecated methods. Further, ensure that default values or other configuration options that affect the application’s security do not introduce vulnerabilities.

Open design or security by obscurity

This principle concerns the secrecy of the internal workings of an application. With traditional web applications, a few implementations reside on the client side; hence, it is easier for an attacker to understand the logic and exploit it. Client-side code is easily reachable by attackers. Determining what should and shouldn’t be revealed in the client-side code is quite straightforward, at least with web applications. Find a balance: incorporate an open design, reveal only what is necessary on the client side, and do the heavy lifting securely on the server side.

But mobile applications do the heavy lifting on the client side (the mobile device), especially when using a hybrid framework such as React Native. So should this advice of an open design principle be taken with a grain of salt?

Yes. Mobile applications tend to move logic and data storage to the client side, so obscurity is more important here than in web applications. Though attackers will eventually get to whatever is obscured given enough time and resources, certain controls, such as the ones discussed in the previous section, will delay them.

Typically, a mobile application’s binary and data reside on the device, so obfuscating code in the application binary makes it harder for attackers to understand how the application works, thwarting targeted attacks. But mitigations should still be employed on the server side. It should also be noted that sole reliance on obfuscation is considered bad practice.

In typical React Native applications, in addition to native code and data, the JavaScript code also resides on the client side. Unfortunately, the methods that obfuscate native code don’t always work for JavaScript code, so choose wisely when selecting a React Native library for obfuscation. Ensure that the entire directory of React Native code is selected for obfuscation. Also, revisit the application design to prioritize what really needs to be done on the client side. Can the application afford to move a risky piece of logic or data to the server side without losing speed and efficiency? With respect to data, there are React Native libraries that help manage environment variables and constants such as API and server keys. However, it’s important to note whether they encrypt the data being stored or place access controls on the location of the data.

Minimize attack surface

This principle recommends limiting the number of entry points into an application. With traditional web applications, the attack surface includes input fields and URL parameters. With mobile applications, the attack surface includes both user inputs and the sandbox in which the application resides. A sandbox is a containerized location on the device within which the application operates. The application process can only access the data present in that sandbox. The operating system minimizes the attack surface to an extent via sandboxing, but this does not address all security concerns. If the attack surface were weak, data could still be leaked (weak confidentiality) or data and code could be manipulated (weak integrity).

For example, applications need to store user data on the device to make them fast and responsive. But what if the device is compromised? Should applications accept the minimal but real risk of leaking a user’s personal information or credentials? What if the user is an administrator with higher privileges? It is important to be conscious not only of where on the device this information is stored but also of what kind of access controls are in place to protect against leaks. Mobile applications also allow deep linking, in which the application or a specific functionality within it is invoked from outside its sandbox. If it’s not configured securely, the application’s functionality and data can be at risk.

Just like pure native applications, React Native applications are confined to the sandbox, keeping external and potentially malicious application processes at bay. Though it looks like possible entry points to the application are few and the attack surface is small, the application can still be at risk from man-in-the-middle attacks, device theft, and injection. Libraries that help protect data at rest and in transit help mitigate the first two. As for data loss or code manipulation through injection, consider cross-site scripting. React Native applications do not have a document object model (DOM), so such JavaScript attacks do not apply because there is no context in which injected JavaScript can execute. Other injection attacks such as SQL injection, path injection, and command injection are possible risks, but their impact on the user device or the entire application depends on the nature and the implementation of the functionality. Minimizing the attack surface for React Native applications must be done in two ways.

  • Data. Several React Native libraries allow applications to store data on the device in different locations: the database, property list, shared preferences, logs, etc. Pick a library that supports encryption and saves the data in a secure location. When performing encryption or hashing, related data such as encryption keys need to be saved in a safe location. Generally, saving sensitive data to the keychain with appropriate ACL controls is considered more secure. Determine whether the library accounts for such configurations. Also, pay extra attention to the default settings of these libraries.
  • Code. Though React Native does not have a DOM, there are still possible entry points into the application via deep linking application schemes, Android’s exported components, and WebView inputs, among others. Minimize the attack surface by embracing the “Keep it simple, stupid” design principle: limit the functionality that can be invoked via deep linking and limit exported components to the essential ones. And as always, it is good practice to limit the number of inputs and, additionally, to sanitize them.

Client trust

This principle states that applications should selectively trust the environment they are running in. JavaScript applications, web or mobile, are essentially an amalgamation of external libraries, most of which are open source. Even in the off chance that all of them are completely secure, mobile application developers need to play by the rules of the mobile threat model and ensure that the libraries and their APIs are used appropriately. Third-party libraries should be used only after a thorough mobile risk analysis.

Furthermore, the client on which the mobile application is installed and the server it communicates with need a means through which they can trust each other. Most applications achieve this via certificate validation and certificate pinning, where trusted certificates are installed on the client. Also, the mobile operating system provides applications with a mechanism to predefine rules for secure network communication, such as Application Transport Security controls in the case of iOS. For example, the configuration “NSExceptionAllowsInsecureHTTPLoads,” which allows insecure communication over HTTP, should be restricted to trusted domains.

When it comes to application data, applications should follow a zero trust approach not only with clients but with users as well. Users could make insecure decisions when dealing with sensitive data. For example, users may install and use third-party keyboards that could perform keylogging. Thus, by placing certain checks in the code, the application can secure user data from leaks. For example, the application can allow only the system keyboard for sensitive input fields such as passwords, or prevent sensitive information from being copied by the user to the device clipboard.

React Native’s main selling point is “Learn once, write everywhere,” so more native functionality is being made available through JavaScript. Thus, React Native applications, often component based, rely on external libraries. Even communication with the server can be initiated from JavaScript code by using such libraries. Today, it is possible to implement important risk-mitigating controls relating to the client trust principle, such as certificate pinning and biometric authentication, via React Native libraries.

As mentioned in the “Defense-in-depth” section, these libraries should be chosen after careful analysis of the implementation and possible default configurations. Some examples include ensuring that

  • The certificate pinning library’s API for verifying the installed client certificates is not event-based
  • Clipboard library APIs are not in use for sensitive data fields such as passwords
  • Communication with the server using JavaScript methods such as “fetch()” does not happen over HTTP
  • Biometric authentication libraries provide configurable options and do not fall back to the device passcode after multiple failed attempts

In short, pay extra attention to device settings and configurations. Ensure the library APIs are failsafe. Trusting third-party libraries, certificates, or software with system-wide access (keyboards, clipboards) is inherently risky. Communication should be restricted to trusted servers and protocols (HTTPS).

API security configurations with Code Sight

When building mobile applications with React Native, much of the functionality is often implemented with external libraries. Thus, it is imperative to choose them wisely to ensure they do not make mobile exploits easier for attackers. Best practices include verifying that they are the latest version, are implemented securely, allow the same configurable options as their native counterparts, and do not use insecure defaults.

With Rapid Scan Static 2022.12.1, React Native libraries can be vetted against these principles, as the relevant API security and configuration checks are built into the engine. The publicly available IDE plugin Code Sight™ for VS Code and IntelliJ can be used to explore these new capabilities. Customers of Synopsys Coverity® and Black Duck® products will receive these capabilities in their next major releases.
