Critical Vulnerability in react-native-keys Exposes API Keys

[ch3tanbug]

Description:
A critical security vulnerability has been identified in the react-native-keys library (v1.x), which claims to securely store API keys by encrypting and embedding them in native code. However, due to weak cryptographic practices, an attacker can easily extract and decrypt API keys.

🔴 Impact
Attackers can extract and decrypt API keys stored via react-native-keys.
API keys used for Firebase, AWS, Stripe, and other services can be compromised, leading to unauthorized access, financial fraud, and data breaches.
The security model of the library is ineffective, providing a false sense of protection.

Please contact me for full technical details - chetanbug@duck.com

[github-actions]

👋 @ch3tanbug
Thanks for opening your issue here! If you find this package useful hit the star🌟!

[aminhdev]

.

[RayKay91]

has this issue been fixed?

[dougg0k]

Just found the library, last commit was 5 months ago. Anything on this? @numandev1

There seem to be other important issues open without real response, just github bot response or some other user also needing help.

[dougg0k]

Seems to be this one #104

[ashishzopeCG]

@dougg0k is your changes fixing all reported vulnerabilities in this package?

[efstathiosntonas]

@ashishzopeCG no, there’s NO way to be secure on the client. Decrypting keys are still in the source code and someone can find them. Never trust the client.

There are techniques to be secure on the client but they are very complex.

[ashishzopeCG]

@efstathiosntonas any alternative approach for this

[efstathiosntonas]

you can read this blog article from Oscar: https://ospfranco.com/react-native-security-guide/

[dougg0k]

@ashishzopeCG you should read what I wrote in the PR.

It is as @efstathiosntonas said, this package like any other are just to make it more difficult.

A few weeks ago I wrote a compilation of things that one can do to help with security when building apps, many of that can help make it more difficult to do certain things, so they can complement each other. But these are still just open source solutions, in some contexts the most complete ones would be paid solutions.

https://gist.github.com/dougg0k/60e02f2fd99df129a7e329c92309fd5e

[ngocle2497]

@dougg0k this should be fixed on PR