OpenSkillIndex← back to search
claude-code

Agent-skills-standard react-native-security

Secure storage, network traffic, and deep links in React Native mobile apps. Use when implementing secure storage, certificate pinning, or deep link validation in React Native. (triggers: **/*.tsx, **/*.ts, security, keychain, secure-storage, deep-link, certificate-pinning)

install
source · Clone the upstream repo
git clone https://github.com/HoangNguyen0403/agent-skills-standard
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/HoangNguyen0403/agent-skills-standard "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/react-native/react-native-security" ~/.claude/skills/hoangnguyen0403-agent-skills-standard-react-native-security && rm -rf "$T"
manifest: skills/react-native/react-native-security/SKILL.md
source content

React Native Security

Priority: P0 (CRITICAL)

Store Credentials Securely

  • Keychain/Keystore: Use 
    react-native-keychain
    for tokens, passwords.
  • Never AsyncStorage: Not encrypted. Only for non-sensitive data.
  • Biometric Auth: Use 
    react-native-biometrics
    for Face ID/Touch ID.

See keychain usage reference for Keychain storage with biometric access control.

Validate Deep Links

  • Validate URLs: Check scheme and host before navigation.
  • Sanitize Params: Never trust URL params. Validate and sanitize.
  • Token Extraction: Avoid passing tokens in deep link URLs. Use secure code exchange.

See keychain usage reference for deep link URL validation with scheme and host whitelisting.

Enforce Network Security

  • HTTPS Only: Enforce via 
    NSAppTransportSecurity
    (iOS) and 
    network_security_config.xml
    (Android).
  • Certificate Pinning: Use 
    react-native-ssl-pinning
    for high-security apps (banking, healthcare). Warning: Requires app update when certificates rotate.
  • No Secrets in Code: Use 
    .env
    files with 
    react-native-config
    . Add to 
    .gitignore
    .
  • Verify: Test by attempting plain HTTP requests in dev; confirm they rejected.

Protect Sensitive Data

  • PII Masking: Mask email/phone in logs and analytics.
  • Clipboard: Clear sensitive data after paste.
  • Screenshots: Block on sensitive screens with 
    react-native-screen-guard
    .
  • Hermes: Bytecode harder to reverse-engineer. ProGuard/R8: Enable on Android.

Anti-Patterns

  • No Hardcoded Secrets: Use environment variables.
  • No Sensitive Logs: Strip 
    console.log
    in production.
  • No Plain HTTP: Always use HTTPS.
  • No Client-Side Auth: Validate on backend.

References

See references/keychain-usage.md for Keychain, Biometrics, SSL Pinning, and PII Masking.