Storing JWT in SecureStore

Is it safe to store a JWT token in SecureStore which gives a user access to API services that do not check the Permission of that specific user?

Can this token be easily exposed and used for malicious requests?

I’m still ramping up on JWT specifically, but, in general, SecureStore is about the best place you can store an API access token. It uses the standard secure storage methods (e.g., Keychain on iOS) that are recommended for such things when you’re developing directly in the native SDK. Keychain encrypts information in ways that prevent it from being read when the device is locked, or by other apps, etc. (Apple Platform Security - Apple Support). It generally sounds much more secure than storing the JWT in local storage on the web. It doesn’t sound like Keychain is particularly susceptible to XSS attacks.

That said, that key is sitting on the device and in theory could leak through some not-yet-disclosed Keychain vulnerability. The best defense is, well, a good defense on your server. Those JWTs should be signed and the server should be checking the signature so it knows it can trust the claims inside. Tokens should expire periodically so they need to be refreshed on the client in order to continue access. That way, the damage caused by a leaked JWT might be little or none at all, because it may already be expired.

