We release patches for security vulnerabilities for the following versions:

| Version | Supported |
|---|---|
| x.x.x | ✅ Yes |
| < 0.0 | ❌ No |
We take the security of @react-native-auth/google seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do not:

- ❌ Open a public GitHub issue
- ❌ Disclose the vulnerability publicly before it has been addressed
- ❌ Test the vulnerability on production systems without permission

Instead, please:

- Email us privately at: react.native.auth@outlook.com
- Include the following information:
  - Type of vulnerability
  - Full paths of source file(s) related to the vulnerability
  - Location of the affected source code (tag/branch/commit or direct URL)
  - Step-by-step instructions to reproduce the issue
  - Proof-of-concept or exploit code (if possible)
  - Impact of the issue, including how an attacker might exploit it
- Allow us time to respond:
  - We will acknowledge receipt of your report within 48 hours
  - We will provide a more detailed response within 7 days
  - We will work on a fix and coordinate the disclosure timeline with you
When using this library, please follow these security best practices.

Keep your Google client ID out of source control and load it from configuration. The client ID is not a secret in itself (it ships inside the app binary either way), but keeping it in configuration avoids mixing development and production clients, and it is the value your backend must compare against the token's audience:

```javascript
// ❌ Bad: hardcoding the Client ID in source code that is committed to version control
const CLIENT_ID = 'xxxxx.apps.googleusercontent.com';

// ✅ Good: use environment variables or secure configuration
import Config from 'react-native-config';
const CLIENT_ID = Config.GOOGLE_CLIENT_ID;
```

The sign-in result the app receives is only trustworthy for driving the UI. Send the ID token to your backend and verify it there (signature against Google's public keys, issuer, audience equal to your client ID, and expiry) before creating a session:

```javascript
// ⚠️ Client-side only (for UI purposes)
const result = await oneTap({ clientId: CLIENT_ID });

// ✅ Always verify on your backend server
fetch('https://your-api.com/auth/google', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ idToken: result.idToken }),
});
```
Protect the Android release keystore that signs your app; its SHA-1 fingerprint is what ties the OAuth client to your build:

- ✅ Never commit your release keystore to version control
- ✅ Use secure keystore passwords (16+ characters)
- ✅ Store keystore credentials in secure CI/CD secrets
- ✅ Rotate keystores if compromised
If you enable ProGuard/R8 in release builds, keep the library's and Google Play Services auth classes so obfuscation does not break the sign-in flow:

```proguard
# Keep authentication classes
-keep class io.github.reactnativeauth.google.** { *; }
-keep class com.google.android.gms.auth.** { *; }
```
Talk to your backend over HTTPS only; an ID token sent over plain HTTP can be read and replayed by anyone on the network path:

```javascript
// ❌ Bad: HTTP endpoints
fetch('http://your-api.com/auth/verify', ...)

// ✅ Good: HTTPS only
fetch('https://your-api.com/auth/verify', ...)
```

Store tokens in the platform keystore rather than in plain, unencrypted storage:

```javascript
// ✅ Store tokens securely (use react-native-keychain or similar)
import * as Keychain from 'react-native-keychain';

const result = await oneTap({ clientId: CLIENT_ID });
await Keychain.setGenericPassword('idToken', result.idToken);

// ❌ Don't store in AsyncStorage (not encrypted)
// await AsyncStorage.setItem('idToken', result.idToken);
```

Plan for token expiry:

- ✅ ID tokens expire after 1 hour
- ✅ Implement proper token refresh logic
- ✅ Handle authentication errors gracefully
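One way to implement the refresh logic the list above asks for, as an added example that is not code from @react-native-auth/google: a cached ID token is checked for expiry (with a safety margin) before every use and re-obtained through the sign-in flow when it is missing, expired or about to expire. Storage and sign-in are injected, with an assumed shape of `get()`/`set()` and a function resolving to `{ idToken }`, so the logic runs here without a device; in the app you would pass react-native-keychain calls and `() => oneTap({ clientId: CLIENT_ID })`. `atob`/`btoa` are assumed available (Node 16+ and current React Native/Hermes); `fakeToken` is a constructed, unsigned fixture, not a real Google token.

```javascript
// Added example, not code from @react-native-auth/google: keeping a fresh ID token
// on the client. Storage and sign-in are injected (assumed shape, see lead-in).

// Decode the "exp" claim without verifying the signature. That is acceptable on
// the client: we only decide whether the token is worth sending; the backend
// still verifies it fully.
function tokenExpiry(idToken) {
  const payload = (idToken || '').split('.')[1];
  if (!payload) return 0;
  const base64 = payload.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  try {
    const claims = JSON.parse(atob(padded));
    return typeof claims.exp === 'number' ? claims.exp : 0;
  } catch {
    return 0; // unparsable: treat as expired so it gets replaced
  }
}

// Consider a token stale `skewSeconds` before its real expiry, so a request that
// takes a few seconds to reach the backend does not arrive with an expired token.
function needsRefresh(idToken, nowSeconds, skewSeconds = 60) {
  return tokenExpiry(idToken) - skewSeconds <= nowSeconds;
}

async function getFreshIdToken({ storage, signIn, now = () => Math.floor(Date.now() / 1000) }) {
  const cached = await storage.get();
  if (cached && !needsRefresh(cached, now())) {
    return { idToken: cached, refreshed: false };
  }
  // Missing, expired or nearly expired: run the sign-in flow again to obtain a
  // new ID token, and fail loudly if it did not produce one.
  const result = await signIn();
  if (!result || typeof result.idToken !== 'string') {
    throw new Error('sign-in did not return an ID token');
  }
  await storage.set(result.idToken);
  return { idToken: result.idToken, refreshed: true };
}

// Constructed fixture for tests only: an unsigned token carrying just an exp claim.
function fakeToken(exp) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc({ exp })}.`;
}
```

Call `getFreshIdToken` immediately before each backend request rather than once at app start; a token that was fresh when the screen opened can be stale by the time the user taps.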
Keep dependencies updated:

```bash
# Check for security vulnerabilities
npm audit

# Update dependencies
npm update
```

Only request the minimum scopes necessary for your application:
```javascript
// ❌ Bad: requesting unnecessary permissions
const result = await legacySignIn({
  clientId: CLIENT_ID,
  scopes: [
    'https://www.googleapis.com/auth/drive',
    'https://www.googleapis.com/auth/gmail.modify',
    'https://www.googleapis.com/auth/calendar',
  ],
});

// ✅ Good: request only what you need
const result = await legacySignIn({
  clientId: CLIENT_ID,
  scopes: ['https://www.googleapis.com/auth/drive.readonly'],
});
```

Android-specific recommendations:

- Use `newArchEnabled=true` for better security and performance
- Enable code obfuscation with ProGuard/R8 in release builds
- Verify app signatures with SHA-1 fingerprints in Google Cloud Console
- Test on multiple Android versions (API 24+)
We believe in responsible disclosure and appreciate the security community's efforts to improve the security of this project. We will:

- ✅ Acknowledge your contribution in release notes (if you wish)
- ✅ Keep you informed throughout the fix process
- ✅ Credit you appropriately once the vulnerability is disclosed

Security updates will be released as patch versions (e.g., 0.1.1 → 0.1.2) and announced via:

- GitHub Security Advisories
- Release notes on GitHub
- NPM package updates

Thank you for helping keep @react-native-auth/google secure!