Problem description

I am building a React Native application and I need to save some sensitive data like a token and a refresh token. The obvious solution is to save that information using AsyncStorage. The problem is the security level of AsyncStorage.

In a native app, I would go for Keychain in iOS and Shared Preferences in private mode in Android.
For what I read in the documentation provided by React Native:

The React Native AsyncStorage module implementation is based on SQLiteOpenHelper. The package where all the data classes are handled: https://github.com/facebook/react-native/tree/master/ReactAndroid/src/main/java/com/facebook/react/modules/storage

The class with the instructions to create the database: https://github.com/facebook/react-native/blob/master/ReactAndroid/src/main/java/com/facebook/react/modules/storage/ReactDatabaseSupplier.java

By the Android documentation, the databases created by the application are saved in private disk space that's associated with the application, so it is secure.
iOS

In iOS the AsyncStorage values are saved in serialized dictionary files. Those files are saved in the application NSDocumentDirectory. In iOS all applications live in their own sandbox, so all files of one application are secured; they cannot be accessed by other applications.

The code in iOS that handles the AsyncStorage module can be found here: https://github.com/facebook/react-native/blob/master/React/Modules/RCTAsyncLocalStorage.m

And as we can see there, the files used to store the values saved by AsyncStorage are saved under the NSDocumentDirectory (inside the application sandbox environment).
Conclusion

It is safe to use AsyncStorage to save user tokens, since they are saved under a secure context.

Please note that this is only true for Android devices without root and for iOS devices without jailbreak. Please also note that if the attacker has physical access to the device and the device is not protected, he can connect the device to a Mac laptop, extract the documents directory and see all the contents saved under it.