Security Issues
Sensitive information that will be stored by our software will be:
- User's name
- User's password(s)
- User's email(s)
- User's message history
This data will be protected by Firebase's encryption of data in transit (HTTPS) and by its logical isolation of each customer's data within the app. We will make sure that all of our Firebase documents are protected by the necessary security rules, and that the app itself follows coding practices that won't leak user info, such as keeping private variables inaccessible to other parts of the app and using encryption where necessary.
Our app could be compromised by an improperly configured Cloud Firestore database, so it is important that we set the proper rules: only authenticated users can modify their own data, and only certain fields are readable by other users.
| Attack | Mitigation |
|---|---|
| Man in the Middle | Not possible, because we are using Firebase with encrypted end-to-end communications |
| Malware stealing user info | Any user info will be stored on the Firebase server and inaccessible from other parts of the app. Android's built-in virus protection will also provide added security |
| Unauthorized access to user data | Data is only accessible to authenticated users. Strong server-side rules are in place to ensure only validated users can access data. |
| Messages not private to app owner | All sensitive data is encrypted and handled by the Firebase API. It is not possible for even the server owner to see users' messages. |
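The Firestore rules described above (authenticated users may only modify their own data, and other users can read only selected fields), written out as an added example for this page; this is not the project's own rules file, and the collection names `users`, `users/{uid}/private` and `messages` and the field names are assumptions:

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // The caller presented a valid Firebase Auth token.
    function signedIn() {
      return request.auth != null;
    }

    // The caller is the account that owns /users/{uid}.
    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }

    // Public profile: any signed-in user may read it, only the owner may
    // write it, and only the listed keys are accepted, so email or other
    // private fields can never end up in a document others can read.
    match /users/{uid} {
      allow read: if signedIn();
      allow create, update: if isOwner(uid)
        && request.resource.data.keys().hasOnly(['displayName', 'photoURL']);
      allow delete: if isOwner(uid);

      // Private data (e.g. email) lives in a subcollection only the owner can touch.
      match /private/{docId} {
        allow read, write: if isOwner(uid);
      }
    }

    // Messages: only the two participants may read; the sender must be the
    // caller; a message is immutable once written (no update or delete).
    match /messages/{messageId} {
      allow read: if signedIn()
        && request.auth.uid in resource.data.participants;
      allow create: if signedIn()
        && request.resource.data.from == request.auth.uid
        && request.auth.uid in request.resource.data.participants
        && request.resource.data.participants.size() == 2
        && request.resource.data.keys().hasOnly(['from', 'participants', 'text', 'sentAt'])
        && request.resource.data.text is string
        && request.resource.data.sentAt == request.time;
      allow update, delete: if false;
    }
    // Any path not matched above is denied by default.
  }
}
```

Rules are not filters: a client query on `messages` must itself constrain results to the caller (e.g. `where('participants', 'array-contains', uid)`), otherwise Firestore rejects the whole query because it could return documents the rules forbid.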
Additionally, developing a React Native app requires developers to understand both native iOS and Android security features, since React Native relies on these features to provide security for the user. Since iOS and Android both have extensive and reliable security features, implementing security in a React Native app mostly comes down to appropriate use of these features by developers.
iOS uses KeyChain Services to store data such as certificates, tokens, passwords, and any other sensitive information that needs to be synchronous and encrypted. Android's Secure Shared Preferences provides persistent key-value data store and Android's Keystore system provides a container that cryptographic keys can be stored in.
These services can be accessed through a library such as react-native-encrypted-storage, but extra care must be taken when handling sensitive info: if it is not handled correctly, it can easily be saved or sent to unintended parts of the program, leading to info leaks.
Another approach is to use a community-maintained module for React Native such as Async Storage, which provides asynchronous, persistent, key-value storage for the Android and iOS platforms.