react-native-keychain VS react-native-biometrics

Storing the secret key: Since our db requires a key, it is important to store that key somewhere secure, so we will use react-native-keychain which will store our key securely.

If you're saving simple, KV-like data, have a look at react-native-keychain. On the other side, if you want to save complex "relational" data, have a look at Realm.

by the way, if you want to access the native device keychain, react-native-keychain is the right tool.

What you’re looking for is something like Keychain on iOS: similar to what AsyncStorage is, but secure. Maybe https://github.com/oblador/react-native-keychain could be it for you?

If our application utilizes refresh tokens, we can smartly combine the two previous options together. Upon signup or login, we can store a new refresh token securely on the device using the react-native-keychain library mentioned in the mobile app implementation. Once our session expires, we prompt the user to retrieve the refresh token stored behind biometrics authentication. If the user passes the challenge, we use the refresh token to call the backend and refresh the session/get a new access token.

In the app I'm building, we use react-native-keychain. At its core it's meant to use with authentication, which we DO to store oauth tokens, but I also use it as a "re-entry" into the app after it's been put in background or inactive mode. It's the easiest implementation of biometric auth I've found for RN, and it has the ability to fallback to passcode should they fail biometric. Let me know if you have any questions, happy to help!

I would suggest using: react-native-keychain

So the only place your Peloton Credentials are handled is within the app itself. The app itself is built on React Native, and makes use of React Native Keychain which uses the underlying iOS Keychain/Android Secure Preferences (https://github.com/oblador/react-native-keychain#usage & https://blog.bitsrc.io/using-keychain-in-react-native-and-keeping-the-app-session-alive-ff8f8850119c if you're interested). The initial auth and all further requests are directly to the Peloton API from your device.

AsyncStorage is just an unencrypted text file. Rooted android devices can access and change it easily. For storing sensitive data, you should use react native keychain or expo secure store

react-native-biometrics helps us to access functionalities like FaceID, TouchID, or any other biometric features that are available in the device. react-native-biometrics uses the device Keystore for biometric authentication. it's helpful when you develop an application that is security intensive.

In React Native, this solution is readily available with the react-native-biometrics library, which is, unfortunately, not actively maintained (last commit 2/2020) and its biometrics part does not support the latest standards, such as fallback to passcode when Face ID fails.