1. Storing sensitive data (tokens, passwords, biometric material):
- iOS: Keychain (hardware-backed encryption, optionally persists across app reinstalls, can be biometry-protected).
- Android: Keystore + EncryptedSharedPreferences.
- Library: react-native-keychain or expo-secure-store (cross-platform wrapper).

  import * as SecureStore from 'expo-secure-store';

  // Store the session token in the platform secure store (Keychain / Keystore).
  async function saveToken(token) {
    await SecureStore.setItemAsync('authToken', token, {
      keychainAccessible: SecureStore.WHEN_UNLOCKED, // only readable while the device is unlocked
    });
  }

Do not store tokens in AsyncStorage or in MMKV without encryption: both are plaintext on the file system, and a jailbroken/rooted device can read them.
2. Certificate pinning: check that the public key of the server certificate matches the expected value, which defends against MitM (Man-in-the-Middle); proxies such as Charles can no longer inspect the traffic.
- Library: react-native-ssl-pinning or react-native-cert-pinner.
- Configuration:

  import { fetch } from 'react-native-ssl-pinning';

  // The request only completes if the server's certificate chain matches the bundled cert.
  fetch('https://api.example.com/me', {
    method: 'GET',
    sslPinning: { certs: ['cert1'] }, // cert.cer file in the app assets
  });

- Note: when the certificate rotates, the app must ship an update to pin the new cert; this cannot be done OTA. Pin the public key instead of the certificate (longer-lived), or multi-pin with a fallback.
3. Code obfuscation:
- Hermes bytecode is harder to reverse than plain JS, but it can still be decompiled.
- Tool: react-native-obfuscating-transformer (variable renaming, dead code).
- Native code: ProGuard/R8 (Android), Strip Linked Product (iOS).
4. Jailbreak/root detection:
- Library: react-native-jail-monkey or react-native-device-info.
- Check isJailBroken/isRooted, then block app launch or downgrade features (e.g. disable banking transactions).
- Note: this is only a deterrent, not absolute; a sophisticated attacker can bypass it.
5. App Transport Security (ATS) on iOS:
- By default requires HTTPS with TLS 1.2+. Do not disable it in production.
- Info.plist NSAllowsArbitraryLoads only for development builds, if needed at all.
6. Biometric auth:
- Library: react-native-keychain, with setGenericPassword(..., { accessControl: ACCESS_CONTROL.BIOMETRY_CURRENT_SET }) binding the item to the currently enrolled biometrics.
- iOS Face ID/Touch ID and Android fingerprint/face/iris are all supported.
- Workflow: the user logs in once, then save the token + a biometric flag; on later launches prompt for biometrics, then release the token from the Keychain.
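The login-once / biometric-release workflow above, as an added example (not the notes' own code): it is written against a react-native-keychain-shaped API with an injected store, so the constructed in-memory `fakeKeychain` stands in for the native module; the service name, the `ACCESS_CONTROL` mirror and the prompt title are assumptions.

```javascript
// Added example (not from the original notes): the login-once / biometric-release flow written
// against a react-native-keychain-shaped API. `keychain` is injected so the file runs offline;
// in the app it would be `import * as Keychain from 'react-native-keychain'`.
const SERVICE = 'com.example.app.session'; // assumed service name
const ACCESS_CONTROL = { BIOMETRY_CURRENT_SET: 'BiometryCurrentSet' }; // mirrors Keychain.ACCESS_CONTROL

// First login: store the token bound to the biometrics enrolled right now.
async function saveTokenWithBiometrics(keychain, token) {
  return keychain.setGenericPassword('authToken', token, {
    service: SERVICE,
    accessControl: ACCESS_CONTROL.BIOMETRY_CURRENT_SET, // item is invalidated if enrolment changes
  });
}

// Later launch: prompt for biometrics and release the token. The reason tells the UI what to
// do next: 'no-item' means fall back to password login and re-save, 'cancelled' means retry.
async function releaseToken(keychain) {
  try {
    const creds = await keychain.getGenericPassword({
      service: SERVICE,
      authenticationPrompt: { title: 'Unlock your session' },
    });
    // false: nothing stored, or the item was invalidated by a biometric enrolment change
    return creds ? { token: creds.password, reason: 'ok' } : { token: null, reason: 'no-item' };
  } catch (err) {
    return { token: null, reason: 'cancelled' }; // user dismissed the prompt; never expose the token
  }
}

// Constructed in-memory stand-in for the native module, only so this file runs offline.
// biometricsPass: the user passes the prompt; biometryChanged: a new fingerprint/face was
// enrolled, so a BIOMETRY_CURRENT_SET item reads back as "not found".
function fakeKeychain({ biometricsPass = true, biometryChanged = false } = {}) {
  const items = new Map();
  return {
    async setGenericPassword(username, password, opts) { items.set(opts.service, { username, password, opts }); return true; },
    async getGenericPassword(opts) {
      const item = items.get(opts.service);
      const bound = Boolean(item) && item.opts.accessControl === ACCESS_CONTROL.BIOMETRY_CURRENT_SET;
      if (!item || (bound && biometryChanged)) return false; // invalidated items read as "not found"
      if (bound && !biometricsPass) throw new Error('user cancelled biometric prompt');
      return { username: item.username, password: item.password };
    },
  };
}
```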