I am building a React Native application and I need to save some sensitive data like a token and a refresh token. The obvious solution is to save that information using AsyncStorage. The problem is the security level of the AsyncStorage.
AsyncStorage provides a way to locally store tokens and data. It can be, in some ways, compared to a LocalStorage option. In full production applications, it is recommended to not access AsyncStorage directly, but instead, to use an abstraction layer, as AsyncStorage is shared with other apps using the same browser, and thus an ill-conceived removal of all items from storage could impair the functioning of neighboring apps.
On iOS, AsyncStorage is backed by native code that stores small values in a serialized dictionary and larger values in separate files. On Android, AsyncStorage will use either RocksDB or SQLite based on what
Just digging into the React Native code, I found the answer.
The AsyncStorage module implementation is based on:
The package where all the data classes are handled: https://github.com/facebook/react-native/tree/master/ReactAndroid/src/main/java/com/facebook/react/modules/storage
The class with the instructions to create the database: https://github.com/facebook/react-native/blob/master/ReactAndroid/src/main/java/com/facebook/react/modules/storage/ReactDatabaseSupplier.java
By the Android documentation, the databases created by the application are saved in private disk space that's associated with the application, so it is secure.
Just like files that you save on the device's internal storage, Android stores your database in private disk space that's associated with your application. Your data is secure, because by default this area is not accessible to other applications.
In iOS the AsyncStorage values are saved in serialized dictionary files. Those files are saved in the application NSDocumentDirectory. In iOS all applications live in their own sandbox, so all files of one application are secured; they cannot be accessed by other applications.
The code in iOS that handles the AsyncStorage module can be found here: https://github.com/facebook/react-native/blob/master/React/Modules/RCTAsyncLocalStorage.m
And as we can see here, the files used to store the values saved by AsyncStorage are saved under the NSDocumentDirectory (inside the application sandbox environment).
Every App Is an Island
An iOS app's interactions with the file system are limited mostly to the directories inside the app's sandbox. During installation of a new app, the installer creates a number of containers for the app. Each container has a specific role. The bundle container holds the app's bundle, whereas the data container holds data for both the application and the user. The data container is further divided into a number of directories that the app can use to sort and organize its data. The app may also request access to additional containers, for example the iCloud container, at runtime.
It is safe to use AsyncStorage to save user tokens, since they are saved under a secure context.
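As an added example (not code from the question, the answer, or React Native itself), here is the kind of abstraction layer the quoted docs recommend for storing the token and refresh token: it namespaces its keys and clears only its own entries, so it never wipes storage shared with other code. The `AsyncStorage` object below is a constructed in-memory stand-in so the file runs in plain Node; an app would import the real module instead.

```javascript
// Constructed stand-in for AsyncStorage (same method names as the real API:
// setItem, getItem, getAllKeys, multiRemove) so this file runs without React Native.
const backing = new Map();
const AsyncStorage = {
  async setItem(k, v) { backing.set(k, String(v)); },
  async getItem(k) { return backing.has(k) ? backing.get(k) : null; },
  async getAllKeys() { return Array.from(backing.keys()); },
  async multiRemove(keys) { keys.forEach((k) => backing.delete(k)); },
};

// Hypothetical abstraction layer: all keys are prefixed with a namespace,
// and clear() removes only keys under that prefix, never AsyncStorage.clear().
function createTokenStore(namespace) {
  const prefix = `${namespace}:`;
  const key = (name) => prefix + name;
  return {
    async saveTokens({ accessToken, refreshToken }) {
      await AsyncStorage.setItem(key('accessToken'), accessToken);
      await AsyncStorage.setItem(key('refreshToken'), refreshToken);
    },
    async loadTokens() {
      const accessToken = await AsyncStorage.getItem(key('accessToken'));
      const refreshToken = await AsyncStorage.getItem(key('refreshToken'));
      return { accessToken, refreshToken };
    },
    // Logout: drop only this store's keys and report how many were removed.
    async clear() {
      const all = await AsyncStorage.getAllKeys();
      const mine = all.filter((k) => k.startsWith(prefix));
      await AsyncStorage.multiRemove(mine);
      return mine.length;
    },
  };
}
```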