Native Bridges

Platform-specific native modules for secure seed storage and memory wiping. These bridges use hardware-backed security features unavailable to JavaScript.

Source

packages/native-bridges/

iOS

SecureEnclave Storage

File: ios/KnightShieldSecureEnclave.swift

Uses the iOS Keychain backed by the Secure Enclave (on compatible devices) for seed storage.

// Store seed
storeSeed(seed: String) → Promise<void>

// Retrieve seed
retrieveSeed() → Promise<String>

// Delete seed
deleteSeed() → Promise<void>

Keychain Configuration:

  • Service: com.nightshield.wallet
  • Account: wallet-seed
  • Accessibility: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
  • Data class: kSecClassGenericPassword

The seed is only accessible when the device is unlocked and cannot be transferred to other devices via backup.

Memory Wipe

File: ios/KnightShieldMemoryWipe.swift

Uses memset_s for secure memory zeroing. Unlike regular memset, memset_s is guaranteed by the C11 standard not to be optimized away by the compiler.

// Wipe a string from memory
wipeString(value: String) → Promise<void>

// Wipe binary data (base64 encoded)
wipeData(base64Data: String) → Promise<void>

Implementation uses UnsafeMutableBufferPointer for direct memory access, then calls memset_s to overwrite with zeros.

Android

Keystore Storage

File: android/SecureEnclaveModule.kt

Uses Android Keystore for hardware-backed AES-256-GCM encryption of the seed.

// Store seed (encrypted with hardware-backed key)
storeSeed(seed: String) → Promise<void>

// Retrieve seed (decrypted)
retrieveSeed() → Promise<String>

// Delete key and stored data
deleteSeed() → Promise<void>

Encryption Details:

  • Algorithm: AES-256-GCM
  • Auth tag: 128-bit
  • Key alias: nightshield-wallet-seed
  • Key store: AndroidKeyStore (hardware-backed)
  • IV stored separately in SharedPreferences

The encrypted seed and IV are stored in SharedPreferences; the encryption key never leaves the hardware security module.

Memory Wipe

File: android/MemoryWipeModule.kt

Uses Arrays.fill from the Java standard library to overwrite byte arrays with zeros.

// Wipe a string from memory
wipeString(value: String) → Promise<void>

// Wipe binary data (base64 encoded)
wipeData(base64Data: String) → Promise<void>

Package Registration

File: android/KnightShieldPackage.kt

Registers both native modules (SecureEnclaveModule, MemoryWipeModule) with the React Native bridge via the ReactPackage interface.

Mobile Usage

From React Native, the modules are accessed via NativeModules:

import { NativeModules } from 'react-native';

const { KnightShieldSecureEnclave, KnightShieldMemoryWipe } = NativeModules;

// Store seed securely
await KnightShieldSecureEnclave.storeSeed(seedHex);

// Retrieve for wallet initialization
const seed = await KnightShieldSecureEnclave.retrieveSeed();

// Wipe seed from JS memory
await KnightShieldMemoryWipe.wipeString(seed);
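
The retrieve, use, wipe sequence above can be wrapped so the wipe also runs on error paths. This is an added example, not code from the KnightShield packages: `withSeed`, `hexToBytes` and `makeFakeBridge` are hypothetical names, the seed is assumed to be hex-encoded, and the native modules are passed in as arguments so the block runs outside React Native.

```javascript
// Added example, not KnightShield code: withSeed and makeFakeBridge are hypothetical.
// Assumes the seed is hex-encoded, as the seedHex variable above suggests.

// Decode hex into a mutable byte buffer. JS strings are immutable, so this
// Uint8Array is the copy that JS code itself can overwrite.
function hexToBytes(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-f]/i.test(hex)) {
    throw new Error('seed is not valid hex');
  }
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) {
    out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
  }
  return out;
}

// Retrieve the seed, pass it to `use` as bytes, and always wipe afterwards,
// including when decoding fails or `use` throws.
async function withSeed(enclave, wiper, use) {
  const seedHex = await enclave.retrieveSeed();
  let bytes = null;
  try {
    bytes = hexToBytes(seedHex);
    return await use(bytes);
  } finally {
    if (bytes) bytes.fill(0);        // zero the buffer JS controls
    await wiper.wipeString(seedHex); // native wipe call from the page
  }
}

// Constructed in-memory stand-in for NativeModules so the example runs offline.
function makeFakeBridge() {
  let stored = null;
  const wiped = []; // lengths of strings passed to wipeString
  return {
    wiped,
    enclave: {
      storeSeed: async (s) => { stored = s; },
      retrieveSeed: async () => {
        if (stored === null) throw new Error('no seed stored');
        return stored;
      },
      deleteSeed: async () => { stored = null; },
    },
    wiper: { wipeString: async (s) => { wiped.push(s.length); } },
  };
}
```

In the app, pass `KnightShieldSecureEnclave` and `KnightShieldMemoryWipe` from `NativeModules` as the first two arguments.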

The shard-storage.ts service in the mobile app wraps these calls for GhostShard integration:

import { storeShardSecure, retrieveShardSecure } from '../services/shard-storage';

await storeShardSecure(shardId, shardData);
const data = await retrieveShardSecure(shardId);