Security Implementation Guide

Overview

This document outlines the security measures implemented in the GlobeQuest mobile application.

✅ Implemented Security Features

1. Secure Token Storage

Status: ✅ Implemented

  • Mobile (iOS/Android): uses expo-secure-store
    • iOS: stored in the Keychain (encrypted at rest by the OS)
    • Android: stored encrypted, with the encryption key held in the Android Keystore
  • Web: falls back to localStorage. Any script running on the page origin can read it, so on web the token is only as protected as the app is from XSS; keep web tokens short-lived
  • Location: src/services/secureStorage.ts

Usage:

import secureStorage from './services/secureStorage';

// Store token
await secureStorage.setItem('auth_token', token);

// Retrieve token
const token = await secureStorage.getItem('auth_token');

// Remove token
await secureStorage.removeItem('auth_token');

2. JWT Token Validation

Status: ✅ Implemented

  • Client-side token expiration check (a decode of the exp claim, not a signature check; the API must still verify every token it receives)
  • Token structure validation
  • Automatic token refresh on expiration
  • Location: src/utils/jwtUtils.ts

Features:

  • Validates JWT structure (3 parts)
  • Checks expiration with configurable buffer (default: 60s)
  • Automatic cleanup of expired tokens
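The following TypeScript is an added example, not the project's src/utils/jwtUtils.ts. It shows the three checks listed above on a constructed token: the three-part structure, payload decoding, and an exp check with the 60-second buffer. It deliberately never verifies the signature, which is all a client can usefully do with a bearer token it did not mint; deciding whether the token is genuine stays with the server. makeUnsignedTestToken is a fixture so the check can run offline and is not something an app should ever accept. It assumes the atob/btoa globals (present in Node 16+ and browsers; older React Native runtimes need a polyfill).

```typescript
// Added example: client-side JWT structure and expiry check (not the project's jwtUtils.ts).
// It never verifies the signature, so it only decides WHEN to refresh; the API must
// still verify every token it receives.

// base64url -> UTF-8 string. Throws on characters outside the base64 alphabet.
function base64UrlToUtf8(segment: string): string {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const binary = atob(padded); // one char per byte
  const percentEncoded = Array.from(binary, (c) => '%' + ('0' + c.charCodeAt(0).toString(16)).slice(-2)).join('');
  return decodeURIComponent(percentEncoded);
}

// Returns the payload claims, or null for anything that is not a well-formed
// three-part JWT carrying a JSON object payload.
function decodeJwtPayload(token: unknown): Record<string, unknown> | null {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) return null;
  try {
    const payload: unknown = JSON.parse(base64UrlToUtf8(parts[1]));
    if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) return null;
    return payload as Record<string, unknown>;
  } catch {
    return null;
  }
}

// True when the token should be treated as unusable: malformed, no numeric exp,
// or expiring within bufferSeconds. The buffer (60 s, as on this page) makes the
// app refresh shortly BEFORE the server would start rejecting the token, which
// also absorbs small clock skew between device and server.
function isTokenExpired(token: unknown, bufferSeconds = 60, nowMs: number = Date.now()): boolean {
  const payload = decodeJwtPayload(token);
  if (payload === null) return true;
  const exp = payload.exp;
  if (typeof exp !== 'number' || !Number.isFinite(exp)) return true;
  return exp * 1000 - bufferSeconds * 1000 <= nowMs; // exp is in seconds since the epoch
}

// Test fixture only: a constructed, UNSIGNED token so the check can run offline.
// A server must never accept alg "none" tokens.
function makeUnsignedTestToken(payload: Record<string, unknown>): string {
  const enc = (obj: unknown): string =>
    btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.unsigned`;
}
```

Treating every malformed or exp-less token as expired is the safe default: the worst case is an unnecessary refresh, whereas treating it as valid would keep sending a token the server will reject.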

3. Input Validation & Sanitization

Status: ✅ Implemented

  • Email validation
  • Username sanitization
  • HTML escaping of user-supplied strings, to prevent XSS where content is rendered as HTML (web build, WebViews)
  • Date/number validation
  • These checks run inside the app and can be bypassed by calling the API directly, so the server must validate the same fields again
  • Location: src/utils/validator.ts

Usage:

import validator from './utils/validator';

// Validate email
validator.isValidEmail(email);

// Sanitize username
const clean = validator.sanitizeUsername(input);

// Validate trip data
const { valid, errors } = validator.validateTripData(tripData);
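As an added example, not the project's validator.ts, here is a small validator in the same shape (isValidEmail, sanitizeUsername, validateTripData, plus escapeHtml) that makes the security-relevant choices explicit: the username sanitizer allowlists characters instead of stripping known-bad ones, HTML is escaped at render time rather than "cleaned" in storage, and trip validation checks types, ranges and date ordering and reports every problem at once. The field names title, startDate, endDate and rating are assumed for illustration.

```typescript
// Added example (not the project's src/utils/validator.ts). Field names are assumed.

interface ValidationResult {
  valid: boolean;
  errors: string[];
}

// Conservative shape check: exactly one "@", no whitespace, a dotted domain,
// RFC-length cap. Only a verification mail proves the address is real.
function isValidEmail(email: unknown): boolean {
  if (typeof email !== 'string' || email.length > 254) return false;
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
}

// Allowlist, not denylist: keep ASCII letters, digits, ".", "_", "-" and cap the
// length. NFKC folding first so look-alike Unicode forms (fullwidth letters etc.)
// do not slip through as distinct usernames.
function sanitizeUsername(input: unknown, maxLen = 32): string {
  if (typeof input !== 'string') return '';
  return input.normalize('NFKC').replace(/[^A-Za-z0-9._-]/g, '').slice(0, maxLen);
}

// Escape for an HTML text context (web build, WebView). Escaping at render time is
// safer than "removing tags" from stored data, which is easy to bypass.
function escapeHtml(s: string): string {
  const map: Record<string, string> = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function isIsoDate(v: unknown): v is string {
  return typeof v === 'string' && /^\d{4}-\d{2}-\d{2}$/.test(v) && !Number.isNaN(Date.parse(v));
}

// Type, range and cross-field checks; returns every problem, not just the first.
function validateTripData(trip: Record<string, unknown>): ValidationResult {
  const errors: string[] = [];
  const title = trip.title;
  if (typeof title !== 'string' || title.trim().length === 0 || title.length > 100) {
    errors.push('title must be 1-100 characters');
  }
  const start = trip.startDate;
  const end = trip.endDate;
  if (!isIsoDate(start)) errors.push('startDate must be YYYY-MM-DD');
  if (!isIsoDate(end)) errors.push('endDate must be YYYY-MM-DD');
  if (isIsoDate(start) && isIsoDate(end) && Date.parse(end) < Date.parse(start)) {
    errors.push('endDate must not be before startDate');
  }
  const rating = trip.rating;
  if (rating !== undefined && (typeof rating !== 'number' || !Number.isInteger(rating) || rating < 1 || rating > 5)) {
    errors.push('rating must be an integer from 1 to 5');
  }
  return { valid: errors.length === 0, errors };
}
```

Note that sanitizeUsername and escapeHtml solve different problems: the first decides what a username may contain, the second makes any string safe to show in HTML. Using the sanitizer as an XSS defence for free-text fields would silently destroy legitimate input such as "Tom & Jerry".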

4. Secure Logging

Status: ✅ Implemented

  • Production logs disabled automatically
  • Sensitive data redaction
  • Token/password filtering
  • Location: src/utils/logger.ts

Usage:

import logger from './utils/logger';

logger.log('Debug info'); // Only in dev
logger.error('Error occurred'); // Always logged (sanitized in prod)
logger.logSanitized('API Response', data); // Auto-redacts tokens
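The redaction step is where such loggers usually fail: filtering only on a fixed list of keys misses a bearer token embedded in an error message or a JWT sitting in an array. The following TypeScript is an added example, not the project's src/utils/logger.ts. It redacts by key name and by value shape, recursively, on a copy of the input, and takes the dev/prod switch and the output sink as parameters (in the app these would be __DEV__ and console) so the behaviour can be exercised offline.

```typescript
// Added example (not the project's src/utils/logger.ts): the redaction step a
// sanitized logger needs. Sensitive values are redacted by key name AND by value
// shape, recursively, on a copy, so the object being logged is never mutated.

const SENSITIVE_KEY = /token|password|passwd|secret|authorization|cookie|api[-_]?key/i;
const BEARER = /\bBearer\s+[A-Za-z0-9._~+/=-]+/g; // "Bearer <credential>" inside free text
const JWT_SHAPE = /\b[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/g; // x.y.z base64url
const REDACTED = '[REDACTED]';

function redactString(s: string): string {
  return s.replace(BEARER, 'Bearer ' + REDACTED).replace(JWT_SHAPE, REDACTED);
}

// Deep copy with redaction. The depth cap bounds the work on huge or cyclic inputs.
function redact(value: unknown, depth = 0): unknown {
  if (depth > 20) return '[TRUNCATED]';
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value !== null && typeof value === 'object') {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SENSITIVE_KEY.test(k) ? REDACTED : redact(v, depth + 1);
    }
    return out;
  }
  return value; // number, boolean, null, undefined
}

type Level = 'log' | 'error';
type Sink = (level: Level, message: string, data?: unknown) => void;

// isDev and the sink are injected (instead of reading __DEV__ / console directly)
// so the behaviour can be tested; in the app, pass __DEV__ and a console-backed sink.
function createLogger(isDev: boolean, sink: Sink) {
  return {
    // Debug output: dropped entirely outside development.
    log(message: string, data?: unknown): void {
      if (!isDev) return;
      sink('log', message, data === undefined ? undefined : redact(data));
    },
    // Errors are always emitted, but always redacted, including the message text.
    error(message: string, data?: unknown): void {
      sink('error', redactString(message), data === undefined ? undefined : redact(data));
    },
  };
}
```

Redacting unconditionally, in development as well as production, is deliberate: a developer's terminal scrollback, a CI log and a crash reporter are all places where tokens pasted "just for debugging" end up persisting.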

5. Environment Variables

Status: ✅ Implemented

  • Auth0 credentials moved to environment variables
  • Database credentials externalized
  • .env.example template provided
  • Location: app.config.js, .env.example

Setup:

  1. Copy .env.example to .env
  2. Fill in your credentials
  3. Never commit .env to git (already in .gitignore)
  4. Treat anything app.config.js exposes to the app (for example under extra) as public: it is compiled into the bundle and can be read out of the installed app. The Auth0 domain and client ID are designed to be public; a client secret or database password is not, and must only ever live on the server

6. Authentication & Authorization

Status: ✅ Implemented

  • OAuth 2.0 with PKCE (Auth0)
  • Secure redirect URI handling
  • Automatic session management
  • Token refresh on 401 errors
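The "refresh on 401" bullet hides two failure modes worth spelling out: an interceptor that refreshes and retries without a limit loops forever when the server keeps answering 401, and several requests failing at once can each trigger their own refresh, which matters with Auth0 refresh-token rotation because a reused refresh token invalidates the whole family. The TypeScript below is an added example, not the project's src/services/api.ts; storage, transport and the refresh call are injected so it runs offline with fakes, and the interfaces are assumed.

```typescript
// Added example (not the project's src/services/api.ts): refresh-on-401 with the
// two guards that are easy to forget. (1) A request is retried at most once, so a
// refresh that still yields a rejected token cannot loop. (2) Concurrent 401s share
// ONE in-flight refresh, so a burst of requests does not spend several refresh tokens.
// Storage, transport and the refresh call are injected so this runs offline with fakes.

interface TokenStore {
  getAccessToken(): Promise<string | null>;
  setAccessToken(token: string): Promise<void>;
  clear(): Promise<void>;
}
interface ApiResponse { status: number; body: string; }
type Transport = (url: string, headers: Record<string, string>) => Promise<ApiResponse>;
type RefreshFn = () => Promise<string | null>; // new access token, or null if the refresh was rejected

function createApiClient(store: TokenStore, transport: Transport, refresh: RefreshFn, onSessionExpired: () => void) {
  let inflight: Promise<string | null> | null = null;

  // Single-flight refresh: every caller during the refresh awaits the same promise.
  function refreshOnce(): Promise<string | null> {
    if (inflight === null) {
      inflight = (async () => {
        try {
          // Promise.resolve().then(...) turns a synchronous throw into a rejection,
          // so the await below always yields before `finally` clears `inflight`.
          const token = await Promise.resolve().then(refresh);
          if (token !== null) await store.setAccessToken(token);
          return token;
        } catch {
          return null;
        } finally {
          inflight = null;
        }
      })();
    }
    return inflight;
  }

  async function request(url: string): Promise<ApiResponse> {
    const token = await store.getAccessToken();
    const first = await transport(url, token === null ? {} : { Authorization: `Bearer ${token}` });
    if (first.status !== 401) return first;

    const fresh = await refreshOnce();
    if (fresh === null) {
      await store.clear(); // the refresh token is dead: drop local state and force re-login
      onSessionExpired();
      return first;
    }
    // Exactly one retry. If the server still answers 401, return that instead of refreshing again.
    return transport(url, { Authorization: `Bearer ${fresh}` });
  }

  return { request };
}
```

Checking expiry locally before each request (as jwtUtils does) avoids most 401s; this path is the safety net for tokens the server revokes early, and clearing storage on a failed refresh is what keeps the app from silently retrying with credentials it knows are dead.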

⚠️ Known Security Issues

1. Dependency Vulnerabilities

Severity: Moderate to High

Most reported vulnerabilities are in dev dependencies (expo-cli, xdl), which do not ship in the production app bundle. They still run on developer machines and in CI, so they remain a supply-chain concern for the build pipeline rather than a risk to end users.

Critical dependencies status:

  • axios: Updated to latest
  • semver: Updated to latest
  • ⚠️ expo-cli: Contains vulnerabilities (dev-only, doesn't ship to production)

Action: Monitor for updates, consider migrating from expo-cli to @expo/cli

2. Certificate Pinning

Status: ❌ Not Implemented

Risk: Medium - vulnerable to MITM attacks: without pinning, any certificate the device trusts (for example one issued under a user-installed root CA or an enterprise proxy) is enough to intercept API traffic
Recommendation: implement for production API calls, and pin a backup key as well, so that a certificate rotation does not lock users out until they update the app

3. Root/Jailbreak Detection

Status: ❌ Not Implemented

Risk: Low-Medium - on a rooted or jailbroken device other processes can read what secure storage holds
Recommendation: add for high-security scenarios, treated as a signal rather than a control, since detection can be patched out on a device the attacker controls

4. Code Obfuscation

Status: ❌ Not Implemented

Risk: Low - easier reverse engineering
Recommendation: enable the Hermes engine (compiles the JS bundle to bytecode) and ProGuard/R8 for the Android native code, alongside the minification Metro already applies to release builds. None of these is real obfuscation: strings and logic in the bundle remain recoverable, so never rely on them to hide a secret

🔒 Best Practices

For Developers

  1. Never log sensitive data:

    // ❌ Bad
    console.log('Token:', token);
    
    // ✅ Good
    logger.log('User authenticated');
  2. Always validate input:

    // ❌ Bad
    await api.post('/visits', userData);
    
    // ✅ Good
    const { valid, errors } = validator.validateTripData(userData);
    if (!valid) {
      throw new Error(`Invalid data: ${errors.join(', ')}`);
    }
    await api.post('/visits', userData);
  3. Use secure storage for tokens:

    // ❌ Bad
    AsyncStorage.setItem('token', token);
    
    // ✅ Good
    await secureStorage.setItem('auth_token', token);
  4. Check token expiration:

    // ✅ Good - already implemented in api.ts
    if (jwtUtils.isTokenExpired(token)) {
      await refreshToken();
    }

For Production Deployment

  1. Set environment variables in EAS Secrets. They are injected at build time, which keeps the values out of source control and CI logs; whatever app.config.js then places in the bundle is still readable from the shipped app:

    eas secret:create --name AUTH0_DOMAIN --value your-domain.auth0.com
    eas secret:create --name AUTH0_CLIENT_ID --value your-client-id
  2. Enable Hermes in app.config.js. It compiles the JS bundle to bytecode, which is harder to read than minified source but is not obfuscation; release builds are minified by Metro regardless of this setting:

    jsEngine: "hermes" // Uncomment this line
  3. Review permissions before each release

  4. Run security audit (with --omit=dev, npm 8+, the report is limited to dependencies that ship in the app; the full report still matters for the build pipeline):

    npm audit

🛡️ Security Checklist

Before each release:

  • Run npm audit and review vulnerabilities
  • Verify .env is not committed
  • Check that console.logs are disabled in production
  • Review API endpoint security
  • Test token expiration handling
  • Verify secure storage is used for all sensitive data
  • Check input validation on all forms
  • Review permissions in manifest files
  • Test authentication flow end-to-end

📞 Reporting Security Issues

If you discover a security vulnerability, please email [email protected] instead of using the issue tracker.

🔄 Updates

  • 2025-01-XX: Initial security implementation
    • Secure token storage
    • JWT validation
    • Input validation
    • Secure logging
    • Environment variables
