Data & offline · Intermediate · 3h

Secure storage.

Keychain, Keystore, and storing tokens safely.

What is secure storage?

Secure storage keeps sensitive values — auth tokens, refresh tokens, credentials — in the platform's hardware-backed secure store: the Keychain on iOS, the Keystore on Android. Unlike regular storage, these encrypt the data and tie it to the device and app.

Why it matters

Tokens and credentials in plain storage can be read on a rooted or compromised device, handing attackers a user's session. Secure storage is the correct, expected place for secrets, and using it is a basic security requirement that app reviewers and security-conscious users care about.

What to learn

  • The iOS Keychain and Android Keystore
  • SecureStore / encrypted storage libraries
  • What belongs in secure storage versus regular storage
  • Storing and retrieving auth tokens
  • Biometric-gated access (Face ID, fingerprint)
  • Clearing secrets on logout
  • Token refresh and rotation

Common pitfall

Storing auth tokens in AsyncStorage because it is convenient. AsyncStorage is unencrypted plain text and readable on a compromised device. Tokens, refresh tokens, and any credential belong in secure storage (Keychain/Keystore), never in the general key-value store.

Resources

Primary (free):

Practice

Move auth tokens out of regular storage into SecureStore. Save the token on login, read it to authorize requests, and clear it on logout. Optionally gate retrieval behind biometrics. Done when no token is stored in plain AsyncStorage.
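The pitfall above and this practice exercise in one piece, as an added example that is not part of the course: an Expo / React Native token store that saves on login, reads for requests, rotates after a refresh, clears on logout, and moves a token left in AsyncStorage into the secure store. It assumes expo-secure-store's setItemAsync / getItemAsync / deleteItemAsync calls and its keychainAccessible / requireAuthentication options; the in-memory fake is constructed so the module runs off-device.

```javascript
// Added example (not the course's code): Expo / React Native token store that keeps
// access and refresh tokens in the Keychain/Keystore via expo-secure-store.
// Assumed API: setItemAsync/getItemAsync/deleteItemAsync and the options
// keychainAccessible/requireAuthentication; in the app `secureStore` is require('expo-secure-store').
const ACCESS_KEY = 'auth.accessToken';
const REFRESH_KEY = 'auth.refreshToken';
function createTokenStore(secureStore, { requireBiometrics = false } = {}) {
  // Device-only entry (not backed up) and, optionally, a biometric prompt on read.
  const opts = {
    keychainAccessible: secureStore.WHEN_UNLOCKED_THIS_DEVICE_ONLY,
    requireAuthentication: requireBiometrics,
  };
  async function saveTokens({ accessToken, refreshToken }) {
    await secureStore.setItemAsync(ACCESS_KEY, accessToken, opts);
    await secureStore.setItemAsync(REFRESH_KEY, refreshToken, opts);
  }
  return {
    saveTokens,          // on login
    rotate: saveTokens,  // after a refresh: overwrite both so the old pair is gone
    // Before each request: Authorization header value, or null when logged out.
    async authHeader() {
      const token = await secureStore.getItemAsync(ACCESS_KEY, opts);
      return token ? `Bearer ${token}` : null;
    },
    // On logout: delete both entries so nothing survives in the secure store.
    async clear() {
      await secureStore.deleteItemAsync(ACCESS_KEY);
      await secureStore.deleteItemAsync(REFRESH_KEY);
    },
    // One-time migration: move a token left in AsyncStorage (getItem/removeItem)
    // into the secure store and delete the plain-text copy. True if one was moved.
    async migrateFrom(asyncStorage, legacyKey = 'authToken') {
      const old = await asyncStorage.getItem(legacyKey);
      if (old === null) return false;
      await secureStore.setItemAsync(ACCESS_KEY, old, opts);
      await asyncStorage.removeItem(legacyKey);
      return true;
    },
  };
}
// Constructed in-memory stand-in with expo-secure-store's method names (plus
// AsyncStorage's getItem/setItem/removeItem) so this runs off-device; it encrypts nothing.
function fakeStore() {
  const items = new Map();
  const get = async (k) => (items.has(k) ? items.get(k) : null);
  const put = async (k, v) => { items.set(k, v); };
  const del = async (k) => { items.delete(k); };
  return { WHEN_UNLOCKED_THIS_DEVICE_ONLY: 'device-only', setItemAsync: put,
           getItemAsync: get, deleteItemAsync: del, getItem: get, setItem: put, removeItem: del };
}
```

The exercise's "done" check is the last step: after `migrateFrom` returns true, the plain-text copy is gone and the token is only readable through the secure store.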

Outcomes

  • Store secrets in the Keychain/Keystore via SecureStore.
  • Distinguish what needs secure versus regular storage.
  • Manage auth tokens and clear them on logout.
  • Optionally gate access behind biometrics.