OpenSkillIndex← back to search
claude-code

Skillshub react-native-security

Secure storage, deep linking security, and certificate pinning for mobile. Use when implementing secure storage, certificate pinning, or deep link validation in React Native. (triggers: **/*.tsx, **/*.ts, security, keychain, secure-storage, deep-link, certificate-pinning)

install
source · Clone the upstream repo
git clone https://github.com/ComeOnOliver/skillshub
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/ComeOnOliver/skillshub "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/HoangNguyen0403/agent-skills-standard/react-native-security" ~/.claude/skills/comeonoliver-skillshub-react-native-security && rm -rf "$T"
manifest: skills/HoangNguyen0403/agent-skills-standard/react-native-security/SKILL.md
source content

React Native Security

Priority: P0 (CRITICAL)

Secure Storage

  • Keychain/Keystore: Use 
    react-native-keychain
    for tokens, passwords.
  • Never AsyncStorage: Not encrypted. Only for non-sensitive data.
  • Biometric Auth: Use 
    react-native-biometrics
    for Face ID/Touch ID.

Deep Linking

  • Validate URLs: Check scheme and host before navigation.
  • Sanitize Params: Never trust URL params. Validate and sanitize.
  • Token Extraction: Avoid passing tokens in deep link URLs. Use secure code exchange.

Network Security

  • HTTPS Only: Enforce via 
    NSAppTransportSecurity
    (iOS) and 
    network_security_config.xml
    (Android).
  • Certificate Pinning: Use 
    react-native-ssl-pinning
    for high-security apps (banking, healthcare). Warning: Requires app update when certificates rotate.
  • No Secrets in Code: Use 
    .env
    files with 
    react-native-config
    . Add to 
    .gitignore
    .

Code Obfuscation

  • Hermes: Bytecode harder to reverse-engineer.
  • ProGuard/R8: Enable on Android.
  • Note: Obfuscation is a deterrent, not protection. Move sensitive logic to backend.

Data Handling

  • PII Masking: Mask email/phone in logs and analytics.
  • Clipboard: Clear sensitive data after paste.
  • Screenshots: Block on sensitive screens with 
    react-native-screen-guard
    .

Anti-Patterns

  • No Hardcoded Secrets: Use environment variables.
  • No Sensitive Logs: Strip 
    console.log
    in production.
  • No Plain HTTP: Always use HTTPS.
  • No Client-Side Auth: Validate on backend.

References

See references/keychain-usage.md for Keychain, Biometrics, SSL Pinning, and PII Masking.