React Native Security - this compilation were initially built upon a help request about security for a banking app.

REACT_NATIVE_SECURITY.md

• Obfuscate code helps.
  • JS Bundles - https://github.com/vesselsoft/metro-minify-obfuscator
    • https://github.com/MichaelXF/js-confuser - Adding this here as a note, because it could end up better than the javascript-obfuscator, but it might require a RN / Metro implementation with a working sourcemap support.
  • Android - Proguard / R8
  • iOS - I dont know any that is open-source and works. Before deprecation, BITCODE was used. However there is a commercial one called iXGuard.
  • JS are still easier to decompile / deobfuscate than native, so ideally, if you can, the more you implement in the native side, the better. That's why one of the recommendations below is to use a single point of implementation, with Rust or C++.
    • https://github.com/obfuscator-llvm/obfuscator
    • https://github.com/dronavallipranav/rust-obfuscator
• Jailbreak / rooted / emulator checks, close app if detected.
  • https://github.com/GantMan/jail-monkey
  • https://github.com/react-native-device-info/react-native-device-info#isemulator
  • wumke/react-native-exit-app#85
• Runtime App Self Protection (RASP)
  • https://github.com/talsec/Free-RASP-ReactNative - https://docs.talsec.app/freerasp/features-and-pricing-plans#plans-comparison
  • https://github.com/wultra/react-native-malwarelytics - https://developers.wultra.com/components/react-native-malwarelytics
• https://github.com/bamlab/react-native-app-security - Mix of checks, left it here, but other standalone options are likely better.
• Require app updates, as to not support older versions. Having checks in place.
  • https://github.com/kimxogus/react-native-version-check
  • https://github.com/SudoPlz/sp-react-native-in-app-updates
• OTA could help provide faster hotfixes in case some security issue are discovered or bad impl are done. It's on the JS side only.
  • https://github.com/gronxb/hot-updater - This tool seem to be working to be more than that.
• Integrity checks - It may have quotas for verifications. I suppose it could be cached, once per install.
  • https://github.com/pagopa/io-react-native-integrity
  • https://rnfirebase.io/app-check/usage
  • https://github.com/niteshbalusu11/react-native-secure-enclave-operations
  • Alternatively you can generate SHA512 checksums yourself manually through the CI for both native and jsbundles. But it takes more work. And probably would require some other implementation natively and in js.
• Disable any sort of debugging.
  • https://babeljs.io/docs/babel-plugin-transform-remove-debugger
• To store auth tokens and others.
  • https://github.com/oblador/react-native-keychain
  • If some things are not possible with keychain, there is https://github.com/mrousavy/react-native-mmkv as alternative if used with encryption.
• Do all things in the backend. The App / Web should be only for displaying data and taking action on it for the most part.
  • You can make use of Paseto (auth token) in the backend.
    • https://paseto.io
    • https://permify.co/post/jwt-paseto/
  • By using Paseto, you can have two things, a less vulnerable alternative to JWT for authentication, and verification of the payload with it's private / public key, similarly as HMAC Signature intent, helps ensure the integrity of the data being transported.
  • Make use of refresh token and access token pattern, where refresh token only serves to refresh the access token which should have duration of minutes, and access token to request content only.
  • Use argon2 for password hashing.
  • Never return database error messages or data that may be sensitive, in errors from API responses, that should be logged / reported to the developer, to be fixed. The frontend should only know that an error happened and the admin or developer are aware, but validation error messages can be returned.
  • You can opt to use multiple login types (MFA - Multi Factor Auth), no password might be safer, so there is OTP auth as option, be through email, SMS or some other messaging tool to receive the code.
    • 2FA can be an additional security option. HOTP or TOTP.
• Device Binding, you could send specific information from the smartphone like a combined string uniqueDeviceId + deviceManufacturer + model and tie the auth token to it. That way, it cannot be used in another device.
  • You can session limit with device binding. Like one device at the time or more.
• SSL Pinning - though there is Public Key Pinning, and it might be a better option.
  • https://github.com/frw/react-native-ssl-public-key-pinning
  • https://github.com/huytdps13400/react-native-ssl-manager
  • There are things that point to being easy to bypass pinning, though with checks and actions in place for jailbreak, rooted, emulators and hooks (but not only), can help reduce or even completely prevent the possibility of this.
• Biometrics could help make it more difficult.
  • https://github.com/smallcase/react-native-simple-biometrics
  • https://github.com/SelfLender/react-native-biometrics
  • https://github.com/chubo274/react-native-biometrics
• Even hardware keys / passkeys, but this would be something optional like 2FA is in some cases.
  • https://github.com/f-23/react-native-passkey
• For encryption work, I would say to do in the backend, but if not possible.
  • https://github.com/margelo/react-native-quick-crypto
  • https://github.com/serenity-kit/react-native-libsodium
• No logging on release.
  • https://babeljs.io/docs/babel-plugin-transform-remove-console
  • This means no console based nor any other logging lib usage.
• Input Sanitization / Validation - This should be prioritized in the backend, but it's fine on app too.
  • https://github.com/colinhacks/zod
  • https://github.com/cure53/DOMPurify for HTML in case you use Webview. But preferably, opt-out.
• Keep RN and dependencies updated.
  • Use only the best options (most used) available and keep to a minimum.
  • Have something in place to auto-upgrade the packages and do code upgrades if major changes are needed.
• Disable recording / screenshot in the app.
  • https://github.com/wn-na/react-native-capture-protection
  • https://github.com/gbumps/react-native-screenguard
• Have app signature verification set.
  • While the firebase options above is a similar way to check, it's not the same.
  • Currently, this might require some manual work on the native side. As well as managing generated certs.
  • Always combine with backend checks where possible, not only on the client-side, since that can be bypassed.
• Never use deep links for sensitive data.
• No sensitive env vars in the frontend/app.
  • But there is a safer option than react-native-config and react-native-dotenv, that can help env vars that are not possible to have the setup in the backend - https://github.com/numandev1/react-native-keys
    • Currently react-native-keys still has ways to go to be free of vulnerabilities. But at this point it's the safer option.
• Have CI dependency vulnerabilities verification checks with snyk or some other tool.
• Develop native functionality in a single point rather than in Java/Kotlin and ObjC/Swift, this way it can help prevent bugs and even security issues.
  • I would recommend in Rust
    • https://github.com/callstackincubator/react-native-node-api - ferric-cli
    • https://github.com/mozilla/uniffi-rs
    • https://github.com/leegeunhyeok/craby
  • But, if you prefer C++, there is https://github.com/mrousavy/nitro as alternative.
• OWASP
  • https://owasp.org/www-project-mobile-app-security
  • https://owasp.org/www-project-mobile-top-10
• Lint / Types are recommended
  • Lint are recommended due to it's checks which can help prevent security issues.
  • Types are recommended with Typescript, with proper configuration, you can enforce additional good practices, therefore having less bugs, so leading to less security issues.
  • All should be enforced in both dev environment and CI.
• Tests are recommended at least in crucial parts of the app, and backend.
  • Good tests will check for things that should not be possible, so, it can help prevent security issues.
  • https://jestjs.io/ - Jest are still the recommended choice in React Native due to better support with other libraries. Other equivalent libraries are not that well supported or not at all.
  • https://callstack.github.io/react-native-testing-library/ - Component and Integration tests.
  • https://wix.github.io/Detox/ for E2E tests.
• For the backend, if starting something new, I would recommend Rust or DenoJS which are based in rust, both are likely to have less vulnerabilities. Just my opinion though.
  • Your data is a secure as you made your backend to be. In all ends of it.
    • OS always keep to a minimum in packages, always updated.
    • There are hardened kernels and many things that can be done to increase security in the OS part.
    • API preferably containerized.
    • Everything isolated and harder to access, with strict configurations, and so on. And not just what you or someone else know, but researched and updated config to latest and safest approaches.
    • Ideally ALL should be automated, to have predictable actions done to the server, as to prevent things done by someone, where someone else would not know about it. Everything stored in a repo / commited, of course.
  • If not starting new, and there is a legacy system that requires scaling and need a rewrite, Rust can be a great alternative too.
• There are other things, that can also help, but those are more specific things like configurations, those you should search by yourself.
  • One example being related to android apk signing, only v4 being free of known vulnerabilities.
  • Fstack Protector
    • In ios (xcode), select the target in the Targets section, then click the Build Settings tab, make sure that the -fstack-protector-all option is selected in the Other C Flags section and that Position Independent Executables (PIE) support is enabled.
    • In android, android/build.gradle in one of the build configurations, make sure that cmake > cppFlags has -fstack-protector-all as one of it's setting.

---

Like everything else, it's your responsibility to confirm whether your implementation are working by adding checks / doing security analysis.

Some additionals suggestion by Gemini 2.5 - https://pastebin.com/raw/uyaeKjsr