@hituchhimpa/react-native-auth-vault 0.1.0

package/LICENSE

@@ -0,0 +1,20 @@
+MIT License
+
+Copyright (c) 2026 hituchhimpa7
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,129 @@
+# 🛡️ React Native Auth Vault
+
+[![npm version](https://img.shields.io/npm/v/@hituchhimpa/react-native-auth-vault.svg?style=flat-square)](https://www.npmjs.com/package/@hituchhimpa/react-native-auth-vault)
+[![license](https://img.shields.io/npm/l/@hituchhimpa/react-native-auth-vault.svg?style=flat-square)](LICENSE)
+[![platform](https://img.shields.io/badge/platform-ios%20%7C%20android-blue.svg?style=flat-square)](#)
+
+A premium, native-first security and authentication library for React Native. Provides secure, hardware-backed cryptographic storage and runtime security auditing for enterprise-grade mobile applications.
+
+---
+
+## ✨ Features
+
+* 🔑 **Hardware-Backed Encryption**: Private keys are generated and stored securely inside the **Android Keystore (TEE/StrongBox)** and **iOS Secure Enclave**.
+* 👤 **Biometric Protection**: FaceID, TouchID, and Android BiometricPrompt integration with customizable user prompts.
+* ⚡ **Optional Biometrics**: Supports both biometric-authenticated operations and high-performance silent hardware encryption (no prompts).
+* 🛡️ **Security Auditing**: Run real-time checks to inspect device integrity (e.g. root/jailbreak detection, device passcode setup, biometrics status).
+* 🧵 **Thread Safe & Native**: Constructed using React Native's modern architecture, executing complex cryptographic tasks on native threads.
+
+---
+
+## 📦 Installation
+
+```sh
+npm install @hituchhimpa/react-native-auth-vault
+# or
+yarn add @hituchhimpa/react-native-auth-vault
+```
+
+For iOS, install the pods:
+```sh
+cd ios && pod install
+```
+
+---
+
+## 🚀 Usage
+
+### 1. Store & Retrieve with Biometric Protection
+Prompt the user for biometrics (Face ID/Touch ID/Fingerprint/Passcode) to unlock access to the stored key:
+
+```typescript
+import { AuthVault } from '@hituchhimpa/react-native-auth-vault';
+
+// Store a value securely (triggers biometric prompt)
+const saveSecureToken = async (token: string) => {
+  try {
+    const success = await AuthVault.setItem(
+      'user_token',
+      token,
+      'Scan fingerprint to secure your credentials'
+    );
+    if (success) console.log('Stored securely!');
+  } catch (error) {
+    console.error('Storage failed:', error);
+  }
+};
+
+// Retrieve a value (triggers biometric prompt)
+const getSecureToken = async () => {
+  try {
+    const token = await AuthVault.getItem(
+      'user_token',
+      'Scan fingerprint to access your account'
+    );
+    console.log('Retrieved Token:', token);
+  } catch (error) {
+    console.error('Failed to unlock token:', error);
+  }
+};
+```
+
+### 2. Silent Hardware-Backed Storage (Optional Biometrics)
+Encrypt and store keys using hardware cryptoprocessors (Secure Enclave / TEE) **silently** without prompting the user. Perfect for API request signing, background session tokens, or caching:
+
+```typescript
+// Pass an empty string `""` as the prompt to bypass the biometric UI
+const saveSilentToken = async (token: string) => {
+  await AuthVault.setItem('api_key', token, '');
+};
+
+const getSilentToken = async () => {
+  const token = await AuthVault.getItem('api_key', '');
+  return token; // Returns the token silently
+};
+```
+
+### 3. Device Security Auditing
+Get security metrics to decide whether your app should run or restrict sensitive actions:
+
+```typescript
+const checkDeviceSecurity = () => {
+  const audit = AuthVault.audit();
+  console.log(audit);
+  /* 
+    Output:
+    {
+      isRooted: false,           // Root/Jailbreak status
+      hasPin: true,              // Device lock (PIN/Password) setup
+      biometricsEnabled: true,   // Biometrics enrollment status
+      hardwareBacked: true       // Key storage hardware backing status
+    }
+  */
+};
+```
+
+---
+
+## 🛠️ API Reference
+
+| Method | Type | Description |
+| :--- | :--- | :--- |
+| `setItem(key, value, prompt)` | `Promise<boolean>` | Encrypts and saves `value` locally. Pass non-empty `prompt` for biometrics, or `""` for silent encryption. |
+| `getItem(key, prompt)` | `Promise<string \| null>` | Decrypts and retrieves `value`. Pass non-empty `prompt` for biometrics, or `""` for silent decryption. |
+| `removeItem(key)` | `Promise<boolean>` | Deletes the stored key and encrypted value from device. |
+| `encrypt(plainText, prompt)` | `Promise<string>` | Encrypts raw text and returns a base64 cipher payload. |
+| `decrypt(base64Text, prompt)` | `Promise<string>` | Decrypts a base64 cipher payload back to plain text. |
+| `audit()` | `Object` | Runs security checks on the device hardware and environment. |
+
+---
+
+## 👤 Author
+
+Developed and maintained by [Hitesh Chhimpa](https://github.com/hituchhimpa7).
+
+---
+
+## 📄 License
+
+MIT

package/ReactNativeAuthVault.podspec

@@ -0,0 +1,20 @@
+require "json"
+
+package = JSON.parse(File.read(File.join(__dir__, "package.json")))
+
+Pod::Spec.new do |s|
+  s.name         = "ReactNativeAuthVault"
+  s.version      = package["version"]
+  s.summary      = package["description"]
+  s.homepage     = package["homepage"]
+  s.license      = package["license"]
+  s.authors      = package["author"]
+
+  s.platforms    = { :ios => min_ios_version_supported }
+  s.source       = { :git => "https://github.com/hituchhimpa7/react-native-auth-vault.git.git", :tag => "#{s.version}" }
+
+  s.source_files = "ios/**/*.{h,m,mm,swift,cpp}"
+  s.private_header_files = "ios/**/*.h"
+
+  install_modules_dependencies(s)
+end

package/android/build.gradle

@@ -0,0 +1,68 @@
+buildscript {
+  ext.ReactNativeAuthVault = [
+    kotlinVersion: "2.0.21",
+    minSdkVersion: 24,
+    compileSdkVersion: 36,
+    targetSdkVersion: 36
+  ]
+
+  ext.getExtOrDefault = { prop ->
+    if (rootProject.ext.has(prop)) {
+      return rootProject.ext.get(prop)
+    }
+
+    return ReactNativeAuthVault[prop]
+  }
+
+  repositories {
+    google()
+    mavenCentral()
+  }
+
+  dependencies {
+    classpath "com.android.tools.build:gradle:8.7.2"
+    // noinspection DifferentKotlinGradleVersion
+    classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:${getExtOrDefault('kotlinVersion')}"
+  }
+}
+
+
+apply plugin: "com.android.library"
+apply plugin: "kotlin-android"
+
+apply plugin: "com.facebook.react"
+
+android {
+  namespace "com.hituchhimpa.reactnativeauthvault"
+
+  compileSdkVersion getExtOrDefault("compileSdkVersion")
+
+  defaultConfig {
+    minSdkVersion getExtOrDefault("minSdkVersion")
+    targetSdkVersion getExtOrDefault("targetSdkVersion")
+  }
+
+  buildFeatures {
+    buildConfig true
+  }
+
+  buildTypes {
+    release {
+      minifyEnabled false
+    }
+  }
+
+  lint {
+    disable "GradleCompatible"
+  }
+
+  compileOptions {
+    sourceCompatibility JavaVersion.VERSION_1_8
+    targetCompatibility JavaVersion.VERSION_1_8
+  }
+}
+
+dependencies {
+  implementation "com.facebook.react:react-android"
+  implementation "androidx.biometric:biometric:1.2.0-alpha05"
+}

package/android/src/main/AndroidManifest.xml

@@ -0,0 +1,2 @@
+<manifest xmlns:android="http://schemas.android.com/apk/res/android">
+</manifest>

package/android/src/main/java/com/hituchhimpa/reactnativeauthvault/CryptoEngine.kt

@@ -0,0 +1,190 @@
+package com.hituchhimpa.reactnativeauthvault
+
+import android.content.Context
+import android.os.Build
+import android.security.keystore.KeyGenParameterSpec
+import android.security.keystore.KeyProperties
+import android.util.Base64
+import androidx.biometric.BiometricManager
+import androidx.biometric.BiometricPrompt
+import androidx.core.content.ContextCompat
+import androidx.fragment.app.FragmentActivity
+import java.security.KeyStore
+import javax.crypto.Cipher
+import javax.crypto.KeyGenerator
+import javax.crypto.SecretKey
+import javax.crypto.spec.GCMParameterSpec
+
+class CryptoEngine(private val context: Context) {
+    private val keyAliasBiometric = "AuthVaultKey_Biometric"
+    private val keyAliasNonBiometric = "AuthVaultKey_NonBiometric"
+    private val androidKeyStore = "AndroidKeyStore"
+
+    init {
+        generateKey(keyAliasBiometric, true)
+        generateKey(keyAliasNonBiometric, false)
+    }
+
+    private fun generateKey(alias: String, requireAuth: Boolean) {
+        val keyStore = KeyStore.getInstance(androidKeyStore)
+        keyStore.load(null)
+
+        if (!keyStore.containsAlias(alias)) {
+            val keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, androidKeyStore)
+            
+            val builder = KeyGenParameterSpec.Builder(
+                alias,
+                KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
+            )
+            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
+            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
+            .setUserAuthenticationRequired(requireAuth)
+
+            if (requireAuth) {
+                if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
+                    builder.setUserAuthenticationParameters(
+                        0, 
+                        KeyProperties.AUTH_BIOMETRIC_STRONG or KeyProperties.AUTH_DEVICE_CREDENTIAL
+                    )
+                } else {
+                    @Suppress("DEPRECATION")
+                    builder.setUserAuthenticationValidityDurationSeconds(-1)
+                }
+            }
+
+            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
+                if (context.packageManager.hasSystemFeature("android.hardware.strongbox_keystore")) {
+                    builder.setIsStrongBoxBacked(true)
+                }
+            }
+
+            keyGenerator.init(builder.build())
+            keyGenerator.generateKey()
+        }
+    }
+
+    private fun getCipher(): Cipher {
+        return Cipher.getInstance("${KeyProperties.KEY_ALGORITHM_AES}/${KeyProperties.BLOCK_MODE_GCM}/${KeyProperties.ENCRYPTION_PADDING_NONE}")
+    }
+
+    private fun getSecretKey(alias: String): SecretKey {
+        val keyStore = KeyStore.getInstance(androidKeyStore)
+        keyStore.load(null)
+        return keyStore.getKey(alias, null) as SecretKey
+    }
+
+    fun encrypt(activity: FragmentActivity, plainText: String, title: String, onSuccess: (String) -> Unit, onError: (String) -> Unit) {
+        val requireAuth = title.isNotEmpty()
+        if (requireAuth) {
+            authenticate(activity, Cipher.ENCRYPT_MODE, null, title, { cipher ->
+                try {
+                    val iv = cipher.iv
+                    val encryptedData = cipher.doFinal(plainText.toByteArray(Charsets.UTF_8))
+                    
+                    val combined = ByteArray(iv.size + encryptedData.size)
+                    System.arraycopy(iv, 0, combined, 0, iv.size)
+                    System.arraycopy(encryptedData, 0, combined, iv.size, encryptedData.size)
+                    
+                    onSuccess(Base64.encodeToString(combined, Base64.DEFAULT))
+                } catch (e: Exception) {
+                    onError("Encryption failed: ${e.message}")
+                }
+            }, onError)
+        } else {
+            try {
+                val cipher = getCipher()
+                val secretKey = getSecretKey(keyAliasNonBiometric)
+                cipher.init(Cipher.ENCRYPT_MODE, secretKey)
+                val iv = cipher.iv
+                val encryptedData = cipher.doFinal(plainText.toByteArray(Charsets.UTF_8))
+                
+                val combined = ByteArray(iv.size + encryptedData.size)
+                System.arraycopy(iv, 0, combined, 0, iv.size)
+                System.arraycopy(encryptedData, 0, combined, iv.size, encryptedData.size)
+                
+                onSuccess(Base64.encodeToString(combined, Base64.DEFAULT))
+            } catch (e: Exception) {
+                onError("Encryption failed: ${e.message}")
+            }
+        }
+    }
+
+    fun decrypt(activity: FragmentActivity, encryptedBase64: String, title: String, onSuccess: (String) -> Unit, onError: (String) -> Unit) {
+        val requireAuth = title.isNotEmpty()
+        try {
+            val combined = Base64.decode(encryptedBase64, Base64.DEFAULT)
+            // GCM IV is 12 bytes
+            val iv = ByteArray(12)
+            val encryptedData = ByteArray(combined.size - 12)
+            System.arraycopy(combined, 0, iv, 0, 12)
+            System.arraycopy(combined, 12, encryptedData, 0, encryptedData.size)
+
+            if (requireAuth) {
+                authenticate(activity, Cipher.DECRYPT_MODE, iv, title, { cipher ->
+                    try {
+                        val decryptedData = cipher.doFinal(encryptedData)
+                        onSuccess(String(decryptedData, Charsets.UTF_8))
+                    } catch (e: Exception) {
+                        onError("Decryption failed: ${e.message}")
+                    }
+                }, onError)
+            } else {
+                try {
+                    val cipher = getCipher()
+                    val secretKey = getSecretKey(keyAliasNonBiometric)
+                    cipher.init(Cipher.DECRYPT_MODE, secretKey, GCMParameterSpec(128, iv))
+                    val decryptedData = cipher.doFinal(encryptedData)
+                    onSuccess(String(decryptedData, Charsets.UTF_8))
+                } catch (e: Exception) {
+                    onError("Decryption failed: ${e.message}")
+                }
+            }
+        } catch (e: Exception) {
+            onError("Invalid data format")
+        }
+    }
+
+    private fun authenticate(activity: FragmentActivity, mode: Int, iv: ByteArray?, title: String, onSuccess: (Cipher) -> Unit, onError: (String) -> Unit) {
+        activity.runOnUiThread {
+            val executor = ContextCompat.getMainExecutor(context)
+            val biometricPrompt = BiometricPrompt(activity, executor,
+                object : BiometricPrompt.AuthenticationCallback() {
+                    override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
+                        super.onAuthenticationError(errorCode, errString)
+                        onError("Authentication error: $errString")
+                    }
+
+                    override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
+                        super.onAuthenticationSucceeded(result)
+                        result.cryptoObject?.cipher?.let {
+                            onSuccess(it)
+                        } ?: onError("Cipher not initialized")
+                    }
+
+                    override fun onAuthenticationFailed() {
+                        super.onAuthenticationFailed()
+                        onError("Authentication failed")
+                    }
+                })
+
+            val promptInfo = BiometricPrompt.PromptInfo.Builder()
+                .setTitle(title)
+                .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG or BiometricManager.Authenticators.DEVICE_CREDENTIAL)
+                .build()
+
+            try {
+                val cipher = getCipher()
+                val secretKey = getSecretKey(keyAliasBiometric)
+                if (mode == Cipher.ENCRYPT_MODE) {
+                    cipher.init(mode, secretKey)
+                } else {
+                    if (iv == null) throw IllegalArgumentException("IV required for decryption")
+                    cipher.init(mode, secretKey, GCMParameterSpec(128, iv))
+                }
+                biometricPrompt.authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
+            } catch (e: Exception) {
+                onError("Crypto initialization failed: ${e.message}")
+            }
+        }
+    }
+}

package/android/src/main/java/com/hituchhimpa/reactnativeauthvault/ReactNativeAuthVaultModule.kt

@@ -0,0 +1,103 @@
+package com.hituchhimpa.reactnativeauthvault
+
+import com.facebook.react.bridge.Promise
+import com.facebook.react.bridge.ReactApplicationContext
+import com.facebook.react.bridge.WritableMap
+import com.facebook.react.bridge.Arguments
+import androidx.fragment.app.FragmentActivity
+
+class ReactNativeAuthVaultModule(reactContext: ReactApplicationContext) :
+  NativeReactNativeAuthVaultSpec(reactContext) {
+
+  private val cryptoEngine = CryptoEngine(reactContext)
+
+  override fun audit(): WritableMap {
+    val map = Arguments.createMap()
+    val auditResult = SecurityEngine.audit(reactApplicationContext)
+    
+    for ((key, value) in auditResult) {
+        when (value) {
+            is Boolean -> map.putBoolean(key, value)
+            is Int -> map.putInt(key, value)
+            is Double -> map.putDouble(key, value)
+            is String -> map.putString(key, value)
+        }
+    }
+    
+    return map
+  }
+
+  override fun encrypt(plainText: String, prompt: String, promise: Promise) {
+    val activity = currentActivity as? FragmentActivity
+    if (activity == null) {
+      promise.reject("ERR_ACTIVITY", "Activity is null or not a FragmentActivity")
+      return
+    }
+
+    cryptoEngine.encrypt(activity, plainText, prompt,
+      onSuccess = { encrypted -> promise.resolve(encrypted) },
+      onError = { error -> promise.reject("ERR_ENCRYPT", error) }
+    )
+  }
+
+  override fun decrypt(encryptedBase64: String, prompt: String, promise: Promise) {
+    val activity = currentActivity as? FragmentActivity
+    if (activity == null) {
+      promise.reject("ERR_ACTIVITY", "Activity is null or not a FragmentActivity")
+      return
+    }
+
+    cryptoEngine.decrypt(activity, encryptedBase64, prompt,
+      onSuccess = { decrypted -> promise.resolve(decrypted) },
+      onError = { error -> promise.reject("ERR_DECRYPT", error) }
+    )
+  }
+
+  private fun getSharedPreferences(): android.content.SharedPreferences {
+    return reactApplicationContext.getSharedPreferences("ReactNativeAuthVaultStorage", android.content.Context.MODE_PRIVATE)
+  }
+
+  override fun setItem(key: String, value: String, prompt: String, promise: Promise) {
+    val activity = currentActivity as? FragmentActivity
+    if (activity == null) {
+      promise.reject("ERR_ACTIVITY", "Activity is null or not a FragmentActivity")
+      return
+    }
+
+    cryptoEngine.encrypt(activity, value, prompt,
+      onSuccess = { encrypted -> 
+        getSharedPreferences().edit().putString(key, encrypted).apply()
+        promise.resolve(true) 
+      },
+      onError = { error -> promise.reject("ERR_ENCRYPT", error) }
+    )
+  }
+
+  override fun getItem(key: String, prompt: String, promise: Promise) {
+    val encrypted = getSharedPreferences().getString(key, null)
+    if (encrypted == null) {
+      promise.resolve(null)
+      return
+    }
+
+    val activity = currentActivity as? FragmentActivity
+    if (activity == null) {
+      promise.reject("ERR_ACTIVITY", "Activity is null or not a FragmentActivity")
+      return
+    }
+
+    cryptoEngine.decrypt(activity, encrypted, prompt,
+      onSuccess = { decrypted -> promise.resolve(decrypted) },
+      onError = { error -> promise.reject("ERR_DECRYPT", error) }
+    )
+  }
+
+  override fun removeItem(key: String, promise: Promise) {
+    getSharedPreferences().edit().remove(key).apply()
+    promise.resolve(true)
+  }
+
+  companion object {
+    const val NAME = NativeReactNativeAuthVaultSpec.NAME
+  }
+}

package/android/src/main/java/com/hituchhimpa/reactnativeauthvault/ReactNativeAuthVaultPackage.kt

@@ -0,0 +1,31 @@
+package com.hituchhimpa.reactnativeauthvault
+
+import com.facebook.react.BaseReactPackage
+import com.facebook.react.bridge.NativeModule
+import com.facebook.react.bridge.ReactApplicationContext
+import com.facebook.react.module.model.ReactModuleInfo
+import com.facebook.react.module.model.ReactModuleInfoProvider
+import java.util.HashMap
+
+class ReactNativeAuthVaultPackage : BaseReactPackage() {
+  override fun getModule(name: String, reactContext: ReactApplicationContext): NativeModule? {
+    return if (name == ReactNativeAuthVaultModule.NAME) {
+      ReactNativeAuthVaultModule(reactContext)
+    } else {
+      null
+    }
+  }
+
+  override fun getReactModuleInfoProvider() = ReactModuleInfoProvider {
+    mapOf(
+      ReactNativeAuthVaultModule.NAME to ReactModuleInfo(
+        name = ReactNativeAuthVaultModule.NAME,
+        className = ReactNativeAuthVaultModule.NAME,
+        canOverrideExistingModule = false,
+        needsEagerInit = false,
+        isCxxModule = false,
+        isTurboModule = true
+      )
+    )
+  }
+}

package/android/src/main/java/com/hituchhimpa/reactnativeauthvault/SecurityEngine.kt

@@ -0,0 +1,75 @@
+package com.hituchhimpa.reactnativeauthvault
+
+import android.os.Build
+import android.os.Debug
+import java.io.File
+
+object SecurityEngine {
+
+    fun audit(context: android.content.Context): Map<String, Any> {
+        val rooted = isRooted()
+        val emulator = isEmulator()
+        val debugger = isDebuggerAttached()
+        
+        val hardwareBacked = context.packageManager.hasSystemFeature("android.hardware.strongbox_keystore")
+        val biometricEnabled = androidx.biometric.BiometricManager.from(context).canAuthenticate(androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG) == androidx.biometric.BiometricManager.BIOMETRIC_SUCCESS
+
+        var score = 100
+        if (rooted) score -= 50
+        if (emulator) score -= 20
+        if (debugger) score -= 20
+        if (!hardwareBacked) score -= 10
+        if (!biometricEnabled) score -= 5
+
+        return mapOf(
+            "secureStorage" to true,
+            "hardwareBacked" to hardwareBacked,
+            "biometricEnabled" to biometricEnabled,
+            "rooted" to rooted,
+            "jailbroken" to false,
+            "emulator" to emulator,
+            "debuggerAttached" to debugger,
+            "securityScore" to score
+        )
+    }
+
+    private fun isRooted(): Boolean {
+        val buildTags = Build.TAGS
+        if (buildTags != null && buildTags.contains("test-keys")) {
+            return true
+        }
+
+        val paths = arrayOf(
+            "/system/app/Superuser.apk",
+            "/sbin/su",
+            "/system/bin/su",
+            "/system/xbin/su",
+            "/data/local/xbin/su",
+            "/data/local/bin/su",
+            "/system/sd/xbin/su",
+            "/system/bin/failsafe/su",
+            "/data/local/su",
+            "/su/bin/su"
+        )
+        for (path in paths) {
+            if (File(path).exists()) return true
+        }
+
+        return false
+    }
+
+    private fun isEmulator(): Boolean {
+        return (Build.FINGERPRINT.startsWith("generic")
+                || Build.FINGERPRINT.startsWith("unknown")
+                || Build.MODEL.contains("google_sdk")
+                || Build.MODEL.contains("Emulator")
+                || Build.MODEL.contains("Android SDK built for x86")
+                || Build.MANUFACTURER.contains("Genymotion")
+                || (Build.BRAND.startsWith("generic") && Build.DEVICE.startsWith("generic"))
+                || "google_sdk" == Build.PRODUCT)
+    }
+
+    private fun isDebuggerAttached(): Boolean {
+        return Debug.isDebuggerConnected() || Debug.waitingForDebugger()
+    }
+}

package/ios/CryptoEngine.swift

@@ -0,0 +1,160 @@
+import Foundation
+import LocalAuthentication
+import Security
+
+@objc(CryptoEngine)
+public class CryptoEngine: NSObject {
+    private let keyTagBiometric = "com.hituchhimpa.reactnativeauthvault.key.biometric".data(using: .utf8)!
+    private let keyTagNonBiometric = "com.hituchhimpa.reactnativeauthvault.key.nonbiometric".data(using: .utf8)!
+
+    @objc
+    public func initializeKey() {
+        if getPublicKey(useBiometric: true) == nil {
+            try? generateKey(useBiometric: true)
+        }
+        if getPublicKey(useBiometric: false) == nil {
+            try? generateKey(useBiometric: false)
+        }
+    }
+
+    private func generateKey(useBiometric: Bool) throws {
+        var error: Unmanaged<CFError>?
+        
+        let access: SecAccessControl
+        if useBiometric {
+            // Require FaceID / TouchID for private key usage
+            guard let acc = SecAccessControlCreateWithFlags(
+                kCFAllocatorDefault,
+                kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
+                [.userPresence, .privateKeyUsage],
+                &error
+            ) else {
+                throw error!.takeRetainedValue() as Error
+            }
+            access = acc
+        } else {
+            guard let acc = SecAccessControlCreateWithFlags(
+                kCFAllocatorDefault,
+                kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
+                [.privateKeyUsage],
+                &error
+            ) else {
+                throw error!.takeRetainedValue() as Error
+            }
+            access = acc
+        }
+        
+        let tag = useBiometric ? keyTagBiometric : keyTagNonBiometric
+        let attributes: [String: Any] = [
+            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
+            kSecAttrKeySizeInBits as String: 256,
+            kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
+            kSecPrivateKeyAttrs as String: [
+                kSecAttrIsPermanent as String: true,
+                kSecAttrApplicationTag as String: tag,
+                kSecAttrAccessControl as String: access
+            ]
+        ]
+        
+        let status = SecKeyCreateRandomKey(attributes as CFDictionary, &error)
+        if status == nil, let error = error {
+            throw error.takeRetainedValue() as Error
+        }
+    }
+
+    private func getKey(useBiometric: Bool, prompt: String = "Authenticate to access key") -> SecKey? {
+        let tag = useBiometric ? keyTagBiometric : keyTagNonBiometric
+        var query: [String: Any] = [
+            kSecClass as String: kSecClassKey,
+            kSecAttrApplicationTag as String: tag,
+            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
+            kSecReturnRef as String: true
+        ]
+        if useBiometric {
+            query[kSecUseOperationPrompt as String] = prompt
+        }
+        
+        var item: CFTypeRef?
+        let status = SecItemCopyMatching(query as CFDictionary, &item)
+        if status == errSecSuccess {
+            return (item as! SecKey)
+        }
+        return nil
+    }
+
+    @objc
+    public func encrypt(plainText: String, prompt: String, completion: @escaping (String?, String?) -> Void) {
+        let useBiometric = !prompt.isEmpty
+        DispatchQueue.global(qos: .userInitiated).async {
+            guard let publicKey = self.getPublicKey(useBiometric: useBiometric) else {
+                completion(nil, "Key not found")
+                return
+            }
+            
+            guard let data = plainText.data(using: .utf8) else {
+                completion(nil, "Invalid string")
+                return
+            }
+            
+            var error: Unmanaged<CFError>?
+            guard let encryptedData = SecKeyCreateEncryptedData(
+                publicKey,
+                .eciesEncryptionStandardX963SHA256AESGCM,
+                data as CFData,
+                &error
+            ) as Data? else {
+                completion(nil, error?.takeRetainedValue().localizedDescription ?? "Encryption failed")
+                return
+            }
+            
+            completion(encryptedData.base64EncodedString(), nil)
+        }
+    }
+
+    @objc
+    public func decrypt(encryptedBase64: String, prompt: String, completion: @escaping (String?, String?) -> Void) {
+        let useBiometric = !prompt.isEmpty
+        DispatchQueue.global(qos: .userInitiated).async {
+            guard let privateKey = self.getKey(useBiometric: useBiometric, prompt: prompt) else {
+                completion(nil, "Authentication failed or key not found")
+                return
+            }
+            
+            guard let data = Data(base64Encoded: encryptedBase64) else {
+                completion(nil, "Invalid base64")
+                return
+            }
+            
+            var error: Unmanaged<CFError>?
+            guard let decryptedData = SecKeyCreateDecryptedData(
+                privateKey,
+                .eciesEncryptionStandardX963SHA256AESGCM,
+                data as CFData,
+                &error
+            ) as Data? else {
+                completion(nil, error?.takeRetainedValue().localizedDescription ?? "Decryption failed")
+                return
+            }
+            
+            completion(String(data: decryptedData, encoding: .utf8), nil)
+        }
+    }
+    
+    private func getPublicKey(useBiometric: Bool) -> SecKey? {
+        let tag = useBiometric ? keyTagBiometric : keyTagNonBiometric
+        let query: [String: Any] = [
+            kSecClass as String: kSecClassKey,
+            kSecAttrApplicationTag as String: tag,
+            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
+            kSecReturnRef as String: true
+        ]
+        
+        var item: CFTypeRef?
+        let status = SecItemCopyMatching(query as CFDictionary, &item)
+        if status == errSecSuccess {
+            let privateKey = item as! SecKey
+            return SecKeyCopyPublicKey(privateKey)
+        }
+        return nil
+    }
+}

package/ios/ReactNativeAuthVault.h

@@ -0,0 +1,5 @@
+#import <ReactNativeAuthVaultSpec/ReactNativeAuthVaultSpec.h>
+
+@interface ReactNativeAuthVault : NSObject <NativeReactNativeAuthVaultSpec>
+
+@end

package/ios/ReactNativeAuthVault.mm

@@ -0,0 +1,89 @@
+#import "ReactNativeAuthVault.h"
+
+#if __has_include("react_native_auth_vault/react_native_auth_vault-Swift.h")
+#import "react_native_auth_vault/react_native_auth_vault-Swift.h"
+#else
+#import "react_native_auth_vault-Swift.h"
+#endif
+
+@implementation ReactNativeAuthVault {
+    CryptoEngine *_cryptoEngine;
+}
+
+- (instancetype)init {
+    self = [super init];
+    if (self) {
+        _cryptoEngine = [[CryptoEngine alloc] init];
+        [_cryptoEngine initializeKey];
+    }
+    return self;
+}
+
+- (NSDictionary *)audit {
+    return [SecurityEngine audit];
+}
+
+- (void)encrypt:(NSString *)plainText prompt:(NSString *)prompt resolve:(RCTPromiseResolveBlock)resolve reject:(RCTPromiseRejectBlock)reject {
+    [_cryptoEngine encryptWithPlainText:plainText prompt:prompt completion:^(NSString * _Nullable encryptedBase64, NSString * _Nullable error) {
+        if (error) {
+            reject(@"ERR_ENCRYPT", error, nil);
+        } else {
+            resolve(encryptedBase64);
+        }
+    }];
+}
+
+- (void)decrypt:(NSString *)encryptedBase64 prompt:(NSString *)prompt resolve:(RCTPromiseResolveBlock)resolve reject:(RCTPromiseRejectBlock)reject {
+    [_cryptoEngine decryptWithEncryptedBase64:encryptedBase64 prompt:prompt completion:^(NSString * _Nullable decryptedText, NSString * _Nullable error) {
+        if (error) {
+            reject(@"ERR_DECRYPT", error, nil);
+        } else {
+            resolve(decryptedText);
+        }
+    }];
+}
+
+- (void)setItem:(NSString *)key value:(NSString *)value prompt:(NSString *)prompt resolve:(RCTPromiseResolveBlock)resolve reject:(RCTPromiseRejectBlock)reject {
+    [_cryptoEngine encryptWithPlainText:value prompt:prompt completion:^(NSString * _Nullable encryptedBase64, NSString * _Nullable error) {
+        if (error) {
+            reject(@"ERR_ENCRYPT", error, nil);
+        } else {
+            [[NSUserDefaults standardUserDefaults] setObject:encryptedBase64 forKey:key];
+            resolve(@(YES));
+        }
+    }];
+}
+
+- (void)getItem:(NSString *)key prompt:(NSString *)prompt resolve:(RCTPromiseResolveBlock)resolve reject:(RCTPromiseRejectBlock)reject {
+    NSString *encryptedBase64 = [[NSUserDefaults standardUserDefaults] stringForKey:key];
+    if (!encryptedBase64) {
+        resolve([NSNull null]);
+        return;
+    }
+    
+    [_cryptoEngine decryptWithEncryptedBase64:encryptedBase64 prompt:prompt completion:^(NSString * _Nullable decryptedText, NSString * _Nullable error) {
+        if (error) {
+            reject(@"ERR_DECRYPT", error, nil);
+        } else {
+            resolve(decryptedText);
+        }
+    }];
+}
+
+- (void)removeItem:(NSString *)key resolve:(RCTPromiseResolveBlock)resolve reject:(RCTPromiseRejectBlock)reject {
+    [[NSUserDefaults standardUserDefaults] removeObjectForKey:key];
+    resolve(@(YES));
+}
+
+- (std::shared_ptr<facebook::react::TurboModule>)getTurboModule:
+    (const facebook::react::ObjCTurboModule::InitParams &)params
+{
+    return std::make_shared<facebook::react::NativeReactNativeAuthVaultSpecJSI>(params);
+}
+
++ (NSString *)moduleName
+{
+  return @"ReactNativeAuthVault";
+}
+
+@end

package/ios/SecurityEngine.swift

@@ -0,0 +1,85 @@
+import Foundation
+import UIKit
+import Darwin
+
+@objc(SecurityEngine)
+public class SecurityEngine: NSObject {
+
+    @objc
+    public static func audit() -> [String: Any] {
+        let jailbroken = isJailbroken()
+        let emulator = isEmulator()
+        let debugger = isDebuggerAttached()
+
+        let context = LAContext()
+        var error: NSError?
+        let biometricEnabled = context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error)
+
+        var score = 100
+        if jailbroken { score -= 50 }
+        if emulator { score -= 20 }
+        if debugger { score -= 20 }
+        if !biometricEnabled { score -= 5 }
+
+        return [
+            "secureStorage": true,
+            "hardwareBacked": true,
+            "biometricEnabled": biometricEnabled,
+            "rooted": false,
+            "jailbroken": jailbroken,
+            "emulator": emulator,
+            "debuggerAttached": debugger,
+            "securityScore": score
+        ]
+    }
+
+    private static func isJailbroken() -> Bool {
+        #if targetEnvironment(simulator)
+        return false
+        #else
+        let paths = [
+            "/Applications/Cydia.app",
+            "/Library/MobileSubstrate/MobileSubstrate.dylib",
+            "/bin/bash",
+            "/usr/sbin/sshd",
+            "/etc/apt",
+            "/usr/bin/ssh"
+        ]
+        
+        for path in paths {
+            if FileManager.default.fileExists(atPath: path) {
+                return true
+            }
+        }
+        
+        // Try writing to a restricted area
+        do {
+            let path = "/private/jailbreak_test.txt"
+            try "test".write(toFile: path, atomically: true, encoding: .utf8)
+            try FileManager.default.removeItem(atPath: path)
+            return true
+        } catch {
+            return false
+        }
+        #endif
+    }
+
+    private static func isEmulator() -> Bool {
+        #if targetEnvironment(simulator)
+        return true
+        #else
+        return false
+        #endif
+    }
+
+    private static func isDebuggerAttached() -> Bool {
+        var info = kinfo_proc()
+        var mib : [Int32] = [CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()]
+        var size = MemoryLayout<kinfo_proc>.stride
+        let junk = sysctl(&mib, UInt32(mib.count), &info, &size, nil, 0)
+        if junk != 0 {
+            return false
+        }
+        return (info.kp_proc.p_flag & P_TRACED) != 0
+    }
+}

package/lib/module/NativeReactNativeAuthVault.js

@@ -0,0 +1,5 @@
+"use strict";
+
+import { TurboModuleRegistry } from 'react-native';
+export default TurboModuleRegistry.getEnforcing('ReactNativeAuthVault');
+//# sourceMappingURL=NativeReactNativeAuthVault.js.map

package/lib/module/NativeReactNativeAuthVault.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["TurboModuleRegistry","getEnforcing"],"sourceRoot":"../../src","sources":["NativeReactNativeAuthVault.ts"],"mappings":";;AAAA,SAASA,mBAAmB,QAA0B,cAAc;AAWpE,eAAeA,mBAAmB,CAACC,YAAY,CAAO,sBAAsB,CAAC","ignoreList":[]}

package/lib/module/index.js

@@ -0,0 +1,12 @@
+"use strict";
+
+import ReactNativeAuthVault from "./NativeReactNativeAuthVault.js";
+export const AuthVault = {
+  audit: () => ReactNativeAuthVault.audit(),
+  encrypt: (plainText, prompt) => ReactNativeAuthVault.encrypt(plainText, prompt),
+  decrypt: (encryptedBase64, prompt) => ReactNativeAuthVault.decrypt(encryptedBase64, prompt),
+  setItem: (key, value, prompt) => ReactNativeAuthVault.setItem(key, value, prompt),
+  getItem: (key, prompt) => ReactNativeAuthVault.getItem(key, prompt),
+  removeItem: key => ReactNativeAuthVault.removeItem(key)
+};
+//# sourceMappingURL=index.js.map

package/lib/module/index.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["ReactNativeAuthVault","AuthVault","audit","encrypt","plainText","prompt","decrypt","encryptedBase64","setItem","key","value","getItem","removeItem"],"sourceRoot":"../../src","sources":["index.tsx"],"mappings":";;AAAA,OAAOA,oBAAoB,MAAM,iCAA8B;AAE/D,OAAO,MAAMC,SAAS,GAAG;EACvBC,KAAK,EAAEA,CAAA,KAAcF,oBAAoB,CAACE,KAAK,CAAC,CAAC;EACjDC,OAAO,EAAEA,CAACC,SAAiB,EAAEC,MAAc,KAAsBL,oBAAoB,CAACG,OAAO,CAACC,SAAS,EAAEC,MAAM,CAAC;EAChHC,OAAO,EAAEA,CAACC,eAAuB,EAAEF,MAAc,KAAsBL,oBAAoB,CAACM,OAAO,CAACC,eAAe,EAAEF,MAAM,CAAC;EAC5HG,OAAO,EAAEA,CAACC,GAAW,EAAEC,KAAa,EAAEL,MAAc,KAAuBL,oBAAoB,CAACQ,OAAO,CAACC,GAAG,EAAEC,KAAK,EAAEL,MAAM,CAAC;EAC3HM,OAAO,EAAEA,CAACF,GAAW,EAAEJ,MAAc,KAA6BL,oBAAoB,CAACW,OAAO,CAACF,GAAG,EAAEJ,MAAM,CAAC;EAC3GO,UAAU,EAAGH,GAAW,IAAuBT,oBAAoB,CAACY,UAAU,CAACH,GAAG;AACpF,CAAC","ignoreList":[]}

package/lib/module/package.json

@@ -0,0 +1 @@
+{"type":"module"}

package/lib/typescript/package.json

@@ -0,0 +1 @@
+{"type":"module"}

package/lib/typescript/src/NativeReactNativeAuthVault.d.ts

@@ -0,0 +1,12 @@
+import { type TurboModule } from 'react-native';
+export interface Spec extends TurboModule {
+    audit(): Object;
+    encrypt(plainText: string, prompt: string): Promise<string>;
+    decrypt(encryptedBase64: string, prompt: string): Promise<string>;
+    setItem(key: string, value: string, prompt: string): Promise<boolean>;
+    getItem(key: string, prompt: string): Promise<string | null>;
+    removeItem(key: string): Promise<boolean>;
+}
+declare const _default: Spec;
+export default _default;
+//# sourceMappingURL=NativeReactNativeAuthVault.d.ts.map

package/lib/typescript/src/NativeReactNativeAuthVault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"NativeReactNativeAuthVault.d.ts","sourceRoot":"","sources":["../../../src/NativeReactNativeAuthVault.ts"],"names":[],"mappings":"AAAA,OAAO,EAAuB,KAAK,WAAW,EAAE,MAAM,cAAc,CAAC;AAErE,MAAM,WAAW,IAAK,SAAQ,WAAW;IACvC,KAAK,IAAI,MAAM,CAAC;IAChB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC5D,OAAO,CAAC,eAAe,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAClE,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACtE,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC7D,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CAC3C;;AAED,wBAA8E"}

package/lib/typescript/src/index.d.ts

@@ -0,0 +1,9 @@
+export declare const AuthVault: {
+    audit: () => Object;
+    encrypt: (plainText: string, prompt: string) => Promise<string>;
+    decrypt: (encryptedBase64: string, prompt: string) => Promise<string>;
+    setItem: (key: string, value: string, prompt: string) => Promise<boolean>;
+    getItem: (key: string, prompt: string) => Promise<string | null>;
+    removeItem: (key: string) => Promise<boolean>;
+};
+//# sourceMappingURL=index.d.ts.map

package/lib/typescript/src/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/index.tsx"],"names":[],"mappings":"AAEA,eAAO,MAAM,SAAS;iBACT,MAAM;yBACI,MAAM,UAAU,MAAM,KAAG,OAAO,CAAC,MAAM,CAAC;+BAClC,MAAM,UAAU,MAAM,KAAG,OAAO,CAAC,MAAM,CAAC;mBACpD,MAAM,SAAS,MAAM,UAAU,MAAM,KAAG,OAAO,CAAC,OAAO,CAAC;mBACxD,MAAM,UAAU,MAAM,KAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;sBAC5C,MAAM,KAAG,OAAO,CAAC,OAAO,CAAC;CAC5C,CAAC"}

package/package.json

@@ -0,0 +1,137 @@
+{
+  "name": "@hituchhimpa/react-native-auth-vault",
+  "version": "0.1.0",
+  "description": "Native-first React Native security and authentication library",
+  "main": "./lib/module/index.js",
+  "types": "./lib/typescript/src/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./lib/typescript/src/index.d.ts",
+      "default": "./lib/module/index.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "files": [
+    "lib",
+    "android",
+    "ios",
+    "cpp",
+    "*.podspec",
+    "react-native.config.js",
+    "!ios/build",
+    "!android/build",
+    "!android/gradle",
+    "!android/gradlew",
+    "!android/gradlew.bat",
+    "!android/local.properties",
+    "!**/__tests__",
+    "!**/__fixtures__",
+    "!**/__mocks__",
+    "!**/.*"
+  ],
+  "scripts": {
+    "example": "yarn workspace @hituchhimpa/react-native-auth-vault-example",
+    "clean": "del-cli android/build example/android/build example/android/app/build example/ios/build lib",
+    "prepare": "bob build",
+    "typecheck": "tsc",
+    "lint": "eslint \"**/*.{js,ts,tsx}\"",
+    "test": "jest"
+  },
+  "keywords": [
+    "react-native",
+    "ios",
+    "android"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/hituchhimpa7/react-native-auth-vault.git.git"
+  },
+  "author": "Hitesh Chhimpa <hituchhimpa7@users.noreply.github.com> (https://github.com/hituchhimpa7)",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/hituchhimpa7/react-native-auth-vault.git/issues"
+  },
+  "homepage": "https://github.com/hituchhimpa7/react-native-auth-vault.git#readme",
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org/"
+  },
+  "devDependencies": {
+    "@eslint/compat": "^2.0.3",
+    "@eslint/eslintrc": "^3.3.5",
+    "@eslint/js": "^10.0.1",
+    "@jest/globals": "^30.0.0",
+    "@react-native/babel-preset": "0.85.0",
+    "@react-native/eslint-config": "0.85.0",
+    "@react-native/jest-preset": "0.85.0",
+    "@types/react": "^19.2.0",
+    "del-cli": "^7.0.0",
+    "eslint": "^9.39.4",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-plugin-ft-flow": "^3.0.11",
+    "eslint-plugin-prettier": "^5.5.5",
+    "jest": "^30.3.0",
+    "prettier": "^3.8.1",
+    "react": "19.2.3",
+    "react-native": "0.85.0",
+    "react-native-builder-bob": "^0.41.0",
+    "turbo": "^2.8.21",
+    "typescript": "^6.0.2"
+  },
+  "peerDependencies": {
+    "react": "*",
+    "react-native": "*"
+  },
+  "workspaces": [
+    "example"
+  ],
+  "packageManager": "yarn@4.11.0",
+  "react-native-builder-bob": {
+    "source": "src",
+    "output": "lib",
+    "targets": [
+      [
+        "module",
+        {
+          "esm": true
+        }
+      ],
+      [
+        "typescript",
+        {
+          "project": "tsconfig.build.json"
+        }
+      ]
+    ]
+  },
+  "codegenConfig": {
+    "name": "ReactNativeAuthVaultSpec",
+    "type": "modules",
+    "jsSrcsDir": "src",
+    "android": {
+      "javaPackageName": "com.hituchhimpa.reactnativeauthvault"
+    }
+  },
+  "prettier": {
+    "quoteProps": "consistent",
+    "singleQuote": true,
+    "tabWidth": 2,
+    "trailingComma": "es5",
+    "useTabs": false
+  },
+  "jest": {
+    "preset": "@react-native/jest-preset",
+    "modulePathIgnorePatterns": [
+      "<rootDir>/example/node_modules",
+      "<rootDir>/lib/"
+    ]
+  },
+  "create-react-native-library": {
+    "type": "turbo-module",
+    "languages": "kotlin-objc",
+    "tools": [
+      "eslint",
+      "jest"
+    ],
+    "version": "0.62.0"
+  }
+}