CVE-2020-24653 : Security Advisory and Response

Expo through 2.16.1 on iOS is affected by a vulnerability in secure-store, which provides an insecure policy when used with certain settings and can expose sensitive data to unauthorized access.

Understanding CVE-2020-24653

Expo on iOS is impacted by a security flaw that can lead to potential risks when handling sensitive data.

What is CVE-2020-24653?

secure-store in Expo through version 2.16.1 on iOS provides the insecure kSecAttrAccessibleAlwaysThisDeviceOnly policy when WHEN_UNLOCKED_THIS_DEVICE_ONLY is used.

The Impact of CVE-2020-24653

This vulnerability can expose sensitive data stored in Expo on iOS to unauthorized access, potentially compromising user privacy and security.

Technical Details of CVE-2020-24653

Expo on iOS is susceptible to a specific security issue related to the secure-store functionality.

Vulnerability Description

The problem is that secure-store in Expo through version 2.16.1 on iOS applies the insecure kSecAttrAccessibleAlwaysThisDeviceOnly policy.

Affected Systems and Versions

        Product: Expo
        Vendor: N/A
        Versions: up to 2.16.1

Exploitation Mechanism

The vulnerability can be exploited by malicious actors to gain unauthorized access to sensitive data stored within Expo on iOS.

Mitigation and Prevention

It is crucial to take immediate steps to address and prevent exploitation of this vulnerability in Expo on iOS.

Immediate Steps to Take

        Update Expo to the latest version to mitigate the security risk.
        Avoid storing highly sensitive information in Expo until the issue is resolved.
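
To find which stored items are affected before and after updating, the following added example (not code from Expo or from this advisory) flags source locations that request WHEN_UNLOCKED_THIS_DEVICE_ONLY through the secure-store keychainAccessible option when the installed version is 2.16.1 or earlier. The function names, the sample sources, and the mapping of the caller-supplied version string to the advisory's "through 2.16.1" are assumptions.

```javascript
// Added audit example, not Expo's code. Sample sources below are constructed.
const LAST_AFFECTED = [2, 16, 1]; // advisory: "through 2.16.1"

// True when an exact dotted version (e.g. read from a lockfile) is <= 2.16.1.
function isAffectedVersion(version) {
  const parts = version.replace(/^v/, "").split(".").map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const n = parts[i] || 0;
    if (n !== LAST_AFFECTED[i]) return n < LAST_AFFECTED[i];
  }
  return true; // exactly 2.16.1
}

// Matches an options entry that requests the policy named in the advisory.
const POLICY_RE = /keychainAccessible\s*:\s*(?:[\w$]+\.)*WHEN_UNLOCKED_THIS_DEVICE_ONLY\b/g;

// Returns [{ line, text }] for every matching options entry in one source file.
function findAffectedCalls(source) {
  const hits = [];
  for (const m of source.matchAll(POLICY_RE)) {
    const line = source.slice(0, m.index).split("\n").length; // 1-based line number
    hits.push({ line, text: m[0].replace(/\s+/g, " ") });
  }
  return hits;
}

// files: { path: sourceText }. Returns findings only for affected versions.
function audit(version, files) {
  if (!isAffectedVersion(version)) return [];
  return Object.entries(files).flatMap(([path, src]) =>
    findAffectedCalls(src).map((h) => ({ path, ...h })));
}

const SAMPLE = { // constructed sample project
  "src/auth.js": [
    'import * as SecureStore from "expo-secure-store";',
    "export async function saveToken(token) {",
    '  await SecureStore.setItemAsync("session", token, {',
    "    keychainAccessible: SecureStore.WHEN_UNLOCKED_THIS_DEVICE_ONLY,",
    "  });",
    "}",
  ].join("\n"),
  "src/prefs.js": [
    'import * as SecureStore from "expo-secure-store";',
    'export const saveTheme = (t) => SecureStore.setItemAsync("theme", t, {',
    "  keychainAccessible: SecureStore.WHEN_UNLOCKED,",
    "});",
  ].join("\n"),
};
console.log(audit("2.16.1", SAMPLE));
```

The match is textual, so commented-out code and option objects built elsewhere need a manual look.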

Long-Term Security Practices

        Regularly monitor for security updates and patches for Expo.
        Implement strong encryption and access control measures for sensitive data stored in Expo.
        Educate users on secure data handling practices to minimize risks.

Patching and Updates

        Stay informed about security advisories from Expo and apply patches promptly to secure the platform.
