Agent Skills: React Native Security

Secure storage, network traffic, and deep links in React Native mobile apps. Use when implementing secure storage, certificate pinning, or deep link validation in React Native. (triggers: **/*.tsx, **/*.ts, security, keychain, secure-storage, deep-link, certificate-pinning)

Category: Uncategorized
ID: hoangnguyen0403/agent-skills-standard/react-native-security

Install this agent skill to your local

pnpm dlx add-skill https://github.com/HoangNguyen0403/agent-skills-standard/tree/HEAD/skills/react-native/react-native-security

Skill Files


skills/react-native/react-native-security/SKILL.md

Skill Metadata

Name
react-native-security
Description
Secure storage, network traffic, and deep links in React Native mobile apps. Use when implementing secure storage, certificate pinning, or deep link validation in React Native.

React Native Security

Priority: P0 (CRITICAL)

Store Credentials Securely

  • Keychain/Keystore: Use react-native-keychain for tokens, passwords.
  • Never AsyncStorage for secrets: It is not encrypted. Use it only for non-sensitive data.
  • Biometric Auth: Use react-native-biometrics for Face ID/Touch ID.

See keychain usage reference for Keychain storage with biometric access control.

Validate Deep Links

  • Validate URLs: Check scheme and host before navigation.
  • Sanitize Params: Never trust URL params. Validate and sanitize.
  • Token Extraction: Avoid passing tokens in deep link URLs. Use secure code exchange.

See keychain usage reference for deep link URL validation with scheme and host whitelisting.
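The scheme/host allow-listing and parameter validation described above, as an added example that is not part of the skill or its keychain usage reference. It assumes a WHATWG-compatible URL implementation (built into Node; React Native apps typically add react-native-url-polyfill); the `myapp` scheme, `app.example.com` domain, `profile` route and parameter rules are hypothetical.

```typescript
// Added example, not part of the skill or its references. Assumes a WHATWG URL
// implementation (built into Node; React Native apps usually add react-native-url-polyfill).
// The scheme, domain, route and parameter rules below are hypothetical.
const ALLOWED_HOST_BY_SCHEME: Record<string, Set<string>> = {
  myapp: new Set(["profile"]),         // custom scheme: the "host" component is the route
  https: new Set(["app.example.com"]), // universal link: only our own domain
};
const ROUTE_PARAM_RULES: Record<string, Record<string, RegExp>> = {
  profile: { id: /^\d{1,12}$/ },       // every accepted parameter has an allow-list shape
};
const TOKEN_LIKE = /token|secret|password|session/i;

export type DeepLinkResult =
  | { ok: true; route: string; params: Record<string, string> }
  | { ok: false; reason: string };

export function validateDeepLink(raw: string): DeepLinkResult {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  const scheme = url.protocol.slice(0, -1).toLowerCase();
  const allowedHosts = ALLOWED_HOST_BY_SCHEME[scheme];
  if (!allowedHosts) return { ok: false, reason: `scheme not allowed: ${scheme}` };
  const host = url.hostname.toLowerCase(); // non-special schemes keep host case, so normalise
  if (!allowedHosts.has(host)) return { ok: false, reason: `host not allowed: ${host}` };
  if (url.username || url.password) return { ok: false, reason: "credentials embedded in URL" };

  // Route is the first path segment for universal links, the host component for the custom scheme.
  const route = scheme === "https" ? url.pathname.split("/")[1] ?? "" : host;
  const rules = ROUTE_PARAM_RULES[route];
  if (!rules) return { ok: false, reason: `route not allowed: ${route}` };

  // Tokens must never travel in query or fragment: reject the whole link rather than strip them.
  const entries: Array<[string, string]> = [];
  url.searchParams.forEach((value, key) => entries.push([key, value]));
  new URLSearchParams(url.hash.replace(/^#/, "")).forEach((value, key) => entries.push([key, value]));
  if (entries.some(([key]) => TOKEN_LIKE.test(key))) {
    return { ok: false, reason: "sensitive parameter in URL" };
  }
  // Only allow-listed parameters with allow-listed shapes reach navigation.
  const params: Record<string, string> = {};
  for (const [key, value] of entries) {
    const rule = rules[key];
    if (!rule) return { ok: false, reason: `unexpected parameter: ${key}` };
    if (!rule.test(value)) return { ok: false, reason: `malformed parameter: ${key}` };
    params[key] = value;
  }
  return { ok: true, route, params };
}
```

Wire it into the `Linking` URL handler so that navigation only ever receives the returned `route` and `params`, never the raw URL.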

Enforce Network Security

  • HTTPS Only: Enforce via NSAppTransportSecurity (iOS) and network_security_config.xml (Android).
  • Certificate Pinning: Use react-native-ssl-pinning for high-security apps (banking, healthcare). Warning: Requires app update when certificates rotate.
  • No Secrets in Code: Use .env files with react-native-config. Add to .gitignore.
  • Verify: Test by attempting plain HTTP requests in dev, and confirm they are rejected.

Protect Sensitive Data

  • PII Masking: Mask email/phone in logs and analytics.
  • Clipboard: Clear sensitive data after paste.
  • Screenshots: Block on sensitive screens with react-native-screen-guard.
  • Hermes: Hermes bytecode is harder to reverse-engineer than a plain JS bundle.
  • ProGuard/R8: Enable on Android to shrink and obfuscate native code.

Anti-Patterns

  • No Hardcoded Secrets: Use environment variables.
  • No Sensitive Logs: Strip console.log in production.
  • No Plain HTTP: Always use HTTPS.
  • No Client-Side Auth: Validate on backend.

References

See references/keychain-usage.md for Keychain, Biometrics, SSL Pinning, and PII Masking.