react-native-async-storage/async-storage

Inquiry Regarding File Handling & SQL Usage in React Native AsyncStorage

Closed this issue · 2 comments

What happened?

Hello React Native Community Team,

We are currently performing a security assessment of our mobile application, which integrates React Native AsyncStorage.
During a recent static security scan, two potential issues were flagged related to file and database handling:


Identified Issues

1. Unsafe Files Deletion
The scanner flagged a possible risk where storage files managed by AsyncStorage (backed by SQLite or file storage) might not be securely deleted, potentially leaving residual data artifacts on the device.

2. Raw SQL Queries Used (SQLite)
The scan detected instances where raw SQL queries may be used within AsyncStorage’s underlying SQLite implementation. This can potentially expose risks like SQL injection or improper input handling, especially if user-controlled data is involved.


Our questions for you:

  1. Does AsyncStorage implement secure deletion practices (e.g., overwriting data before deletion, securely clearing SQLite tables/files)?
  2. Can you confirm whether AsyncStorage’s SQLite usage safely handles raw SQL queries (e.g., parameterized queries, input sanitization)?
  3. Do you have documentation or security guidelines clarifying how AsyncStorage manages file deletion, SQLite usage, and data security best practices?

Your clarification will assist us in documenting secure usage practices and ensuring alignment with security standards such as OWASP MASVS.

We are happy to share relevant excerpts from the scan report if required.

Thank you in advance for your assistance.

Version

2.1.0

What platforms are you seeing this issue on?

  • Android
  • iOS
  • macOS
  • Windows
  • web

System Information

react native - 0.76

Steps to Reproduce

Security vulnerable issue.
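An added check for the first scanner finding (residual data after deletion), written here as an illustration and not taken from the async-storage project: it builds a constructed key/value table in a throwaway SQLite file, deletes the row, and scans the raw file for the value bytes, once with a plain DELETE and once with `PRAGMA secure_delete=ON` followed by `VACUUM`. The table name, key and value are constructed for the demo; which settings AsyncStorage's own backend uses is not asserted here.

```python
"""Does a deleted SQLite key/value row leave its bytes in the database file?"""
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample secret; nothing from a real application.
SAMPLE_VALUE = b"CONSTRUCTED-SESSION-TOKEN-0123456789"


def delete_residue(secure_delete: bool, value: bytes = SAMPLE_VALUE) -> tuple[bool, bool]:
    """Insert one key/value row, delete it, and scan the raw file for the value.

    Returns (present_after_insert, present_after_delete).
    secure_delete=False: a plain DELETE; on SQLite builds where secure_delete
                         defaults to OFF the freed cell keeps its old bytes.
    secure_delete=True : PRAGMA secure_delete=ON zero-fills freed space on
                         DELETE, and VACUUM rebuilds the file without it.
    """
    with tempfile.TemporaryDirectory() as tmpdir:
        db = Path(tmpdir) / "kv.db"
        conn = sqlite3.connect(db)
        try:
            if secure_delete:
                conn.execute("PRAGMA secure_delete=ON")
            # Same shape as a key-value store table: text key, blob value.
            conn.execute("CREATE TABLE kv (key TEXT PRIMARY KEY, value BLOB)")
            conn.execute("INSERT INTO kv (key, value) VALUES (?, ?)", ("token", value))
            conn.commit()
            present_after_insert = value in db.read_bytes()

            conn.execute("DELETE FROM kv WHERE key = ?", ("token",))
            conn.commit()
            if secure_delete:
                conn.execute("VACUUM")  # must run outside a transaction
        finally:
            conn.close()
        present_after_delete = value in db.read_bytes()
    return present_after_insert, present_after_delete


if __name__ == "__main__":
    for mode in (False, True):
        before, after = delete_residue(mode)
        print(f"secure_delete={mode}: in file after insert={before}, after delete={after}")
```

The plain-DELETE result depends on how the local SQLite library was compiled, so only the secure path has a fixed outcome; the scan covers the main database file, not journal or WAL files the engine may have written beside it.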

Async Storage is an asynchronous, unencrypted, persistent, key-value storage solution for your React Native application.

Check this discussion: #726

Thank you for your response, @mensonones. I now have a clear understanding, so I’ll go ahead and close this issue.