>_SkillsHub

> react-native-security

Secure storage, deep linking security, and certificate pinning for mobile. Use when implementing secure storage, certificate pinning, or deep link validation in React Native. (triggers: **/*.tsx, **/*.ts, security, keychain, secure-storage, deep-link, certificate-pinning)

fetch
$curl "https://skillshub.wtf/HoangNguyen0403/agent-skills-standard/react-native-security?format=md"
SKILL.mdreact-native-security

React Native Security

Priority: P0 (CRITICAL)

Secure Storage

  • Keychain/Keystore: Use react-native-keychain for tokens, passwords.
  • Never AsyncStorage: Not encrypted. Only for non-sensitive data.
  • Biometric Auth: Use react-native-biometrics for Face ID/Touch ID.

Deep Linking

  • Validate URLs: Check scheme and host before navigation.
  • Sanitize Params: Never trust URL params. Validate and sanitize.
  • Token Extraction: Avoid passing tokens in deep link URLs. Use secure code exchange.

Network Security

  • HTTPS Only: Enforce via NSAppTransportSecurity (iOS) and network_security_config.xml (Android).
  • Certificate Pinning: Use react-native-ssl-pinning for high-security apps (banking, healthcare). Warning: Requires app update when certificates rotate.
  • No Secrets in Code: Use .env files with react-native-config. Add to .gitignore.

Code Obfuscation

  • Hermes: Bytecode harder to reverse-engineer.
  • ProGuard/R8: Enable on Android.
  • Note: Obfuscation is a deterrent, not protection. Move sensitive logic to backend.

Data Handling

  • PII Masking: Mask email/phone in logs and analytics.
  • Clipboard: Clear sensitive data after paste.
  • Screenshots: Block on sensitive screens with react-native-screen-guard.

Anti-Patterns

  • No Hardcoded Secrets: Use environment variables.
  • No Sensitive Logs: Strip console.log in production.
  • No Plain HTTP: Always use HTTPS.
  • No Client-Side Auth: Validate on backend.

Reference & Examples

See references/keychain-usage.md for Keychain, Biometrics, SSL Pinning, and PII Masking.

Related Topics

common/security-standards | typescript/security

> related_skills --same-repo

> typescript-tooling

Development tools, linting, and build config for TypeScript. Use when configuring ESLint, Prettier, Jest, Vitest, tsconfig, or any TS build tooling. (triggers: tsconfig.json, .eslintrc.*, jest.config.*, package.json, eslint, prettier, jest, vitest, build, compile, lint)

> typescript-security

Secure coding practices for TypeScript. Use when validating input, handling auth tokens, sanitizing data, or managing secrets and sensitive configuration. (triggers: **/*.ts, **/*.tsx, validate, sanitize, xss, injection, auth, password, secret, token)

> typescript-language

Modern TypeScript standards for type safety and maintainability. Use when working with types, interfaces, generics, enums, unions, or tsconfig settings. (triggers: **/*.ts, **/*.tsx, tsconfig.json, type, interface, generic, enum, union, intersection, readonly, const, namespace)

> typescript-best-practices

Idiomatic TypeScript patterns for clean, maintainable code. Use when writing or refactoring TypeScript classes, functions, modules, or async logic. (triggers: **/*.ts, **/*.tsx, class, function, module, import, export, async, promise)

┌ stats

installs/wk0
░░░░░░░░░░
github stars341
██████████
first seenMar 17, 2026
└────────────

┌ repo

HoangNguyen0403/agent-skills-standard
by HoangNguyen0403
└────────────

┌ tags

#crypto#mobile#rag#react#security#unit-testing
└────────────