> react-native-security
Secure storage, network traffic, and deep links in React Native mobile apps. Use when implementing secure storage, certificate pinning, or deep link validation in React Native. (triggers: **/*.tsx, **/*.ts, security, keychain, secure-storage, deep-link, certificate-pinning)
React Native Security
Priority: P0 (CRITICAL)
Store Credentials Securely
- Keychain/Keystore: Use `react-native-keychain` for tokens and passwords.
- Never AsyncStorage: Not encrypted. Only for non-sensitive data.
- Biometric Auth: Use `react-native-biometrics` for Face ID/Touch ID.
See keychain usage reference for Keychain storage with biometric access control.
Validate Deep Links
- Validate URLs: Check scheme and host before navigation.
- Sanitize Params: Never trust URL params. Validate and sanitize.
- Token Extraction: Avoid passing tokens in deep link URLs. Use secure code exchange.
See keychain usage reference for deep link URL validation with scheme and host whitelisting.
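As an added example (not the skill's own reference code), the following TypeScript validator applies the scheme and host allowlist, refuses any token carried as a URL parameter, and sanitizes the remaining params before they reach navigation. The allowlisted schemes, hosts, routes and parameter names are assumptions, and it assumes a WHATWG-compliant `URL` (Node, or `react-native-url-polyfill` in an app, since React Native's built-in `URL` is incomplete).

```typescript
// Added example, not code from the skill or its reference file.
// Scheme, host, route and parameter allowlists below are assumptions.
const ALLOWED_SCHEMES = new Set(["myapp", "https"]);
const ALLOWED_HOSTS = new Set(["open", "app.example.com"]);
// Each known route lists the only query parameters it accepts.
const ROUTE_PARAMS: Record<string, Set<string>> = {
  "/profile": new Set(["userId"]),
  "/invite": new Set(["code"]),
};
// Credentials never travel in a deep link: reject the whole link, do not strip.
const FORBIDDEN_PARAMS = new Set(["token", "access_token", "id_token", "password"]);
// Conservative charset for param values; widen per route if a format needs it.
const SAFE_VALUE = /^[A-Za-z0-9_-]{1,64}$/;

type DeepLinkResult =
  | { ok: true; route: string; params: Record<string, string> }
  | { ok: false; reason: string };

function validateDeepLink(raw: string): DeepLinkResult {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "malformed URL" };
  }
  // Custom (non-special) schemes keep the host's original case, so normalise here.
  const scheme = url.protocol.slice(0, -1).toLowerCase();
  const host = url.hostname.toLowerCase();
  if (!ALLOWED_SCHEMES.has(scheme)) return { ok: false, reason: `scheme ${scheme}` };
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: `host ${host}` };
  // user:pass@host tricks are caught by the host check, but reject them explicitly.
  if (url.username || url.password) return { ok: false, reason: "embedded credentials" };
  const allowed = ROUTE_PARAMS[url.pathname];
  if (!allowed) return { ok: false, reason: `unknown route ${url.pathname}` };
  const params: Record<string, string> = {};
  for (const [key, value] of url.searchParams) {
    if (FORBIDDEN_PARAMS.has(key.toLowerCase())) return { ok: false, reason: `credential in URL: ${key}` };
    if (!allowed.has(key)) return { ok: false, reason: `unexpected param ${key}` };
    if (!SAFE_VALUE.test(value)) return { ok: false, reason: `unsafe value for ${key}` };
    params[key] = value;
  }
  return { ok: true, route: url.pathname, params };
}
```

Call `validateDeepLink` in the `Linking` URL handler and navigate only on `ok: true`; a rejected link is worth logging (without its query string) to spot probing.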
Enforce Network Security
- HTTPS Only: Enforce via `NSAppTransportSecurity` (iOS) and `network_security_config.xml` (Android).
- Certificate Pinning: Use `react-native-ssl-pinning` for high-security apps (banking, healthcare). Warning: Requires app update when certificates rotate.
- No Secrets in Code: Use `.env` files with `react-native-config`. Add to `.gitignore`.
- Verify: Test by attempting plain HTTP requests in dev; confirm they are rejected.
Protect Sensitive Data
- PII Masking: Mask email/phone in logs and analytics.
- Clipboard: Clear sensitive data after paste.
- Screenshots: Block on sensitive screens with `react-native-screen-guard`.
- Hermes: Bytecode harder to reverse-engineer.
- ProGuard/R8: Enable on Android.
Anti-Patterns
- No Hardcoded Secrets: Use environment variables.
- No Sensitive Logs: Strip `console.log` in production.
- No Plain HTTP: Always use HTTPS.
- No Client-Side Auth: Validate on backend.
References
See references/keychain-usage.md for Keychain, Biometrics, SSL Pinning, and PII Masking.