Secrets management in mobile app (react-native)

[giorgionocera]

Hi there!
The title has already spoilered enough... 😅
We want to use this discussion to work out which is the best approach to managing secrets in react native mobile apps.
More specifically, we want to figure out which is the best practice to store secrets the biggest secrets in the Cosmos ecosystem, aka mnemonics 👀.

For this reason, as a result, we want this discussion to provide a sort of "standard" in mnemonic storing for react-native multi-platform applications surfing the web3 🏄 .
So, feel free to contribute, let's start thinking 🤔 and, obviously, proposing!

[giorgionocera]

As also provided on the react-native documentation, to store sensitive data on react-native applications, we can use the pre-existing solutions available for Android and iOS platforms:

• Keychain Services for the iOS apps;
• Android Keystore system to store cryptographic keys which encrypts the data stored on Android Secure Shared Preferences for Android apps.

[giorgionocera]

Starting from v6, the react-native-sensitive-info library provides the listed features.

Moreover, the library allows to add of an extra layer of security by requesting:

• user's fingerprint or faceID (for iOS apps)
• user's fingerprint (for Android apps)

to unlock the encrypted data.

[DavideSegullo]

I have proposed this library, but there appears to be an important security bug mCodex/react-native-sensitive-info#363

[giorgionocera]

I have proposed this library, but there appears to be an important security bug mCodex/react-native-sensitive-info#363

Yeah, I saw it... We need to follow that issue to see the responses.

[giorgionocera]

Still pending without any response after 12 days. Not a good sign...

[giorgionocera]

The react-native-keychain library provides the listed features too.

This library also allows unlocking the encrypted data through:

• user's fingerprint or faceID (for iOS apps)
• user's fingerprint (for Android apps)

[giorgionocera]

It is used by:

• Rainbow Ethereum wallet
• Keplr Cosmos wallet
• MetaMask wallet

[giorgionocera]

Moreover, through the cosmjs library, it is possible to store an encrypted serialization of a wallet.
Maybe we could perform some benchmarks between storing:

• a cosmjs wallet object;
• a mnemonic seed phrase.

There should be a trade-off in terms of space and computation.
In particular, let us analyze which of the solutions could be the best one:

• to store a mnemonic seed phrase inside the "secure storage" provided by libraries like react-native-keychain;
• to store cosmjs encrypted and serialized wallet object inside the non-secure storage;
• to store cosmjs encrypted and serialized wallet objects inside the "secure storage" provided by libraries like react-native-keychain.

Obviously, any contribution is welcome! 🦸

[DavideSegullo]

Below is a benchmark with the execution times of cosmjs functions:

	Speed
Generate Wallet	6.4ms
Generate Wallet From Mnemonic	13.2ms
Deserialization	416ms
Serialization	415ms

I'll be adding more tests on secure storage read and write operations shortly.

[DavideSegullo]

	Speed
Keychain.setGenericPassword	55.8ms
pbkdf2 (generate key)	68ms
encryptData (randomKey + encrypt)	8.8ms
decrypt	1ms
hmac256	0.8ms