ReactNative security tips

This article contains a few tips about making your RN apps more secure. It may be useful for AppSec Analysts performing security assessments or for RN Developers trying to make their app more protected.

0. Avoid using of ReactNative, use native languages

Just kidding ;-)

1. Check dependencies on vulnerabilities

The open-source components that your app uses may have known vulnerabilities, to check them you can use the command:

npm audit

or:

yarn audit

2. Check that your app doesn’t enable HTTP in production version

You need to review the files that may contain unsafe settings:

Info.plist (for iOS app)
AndroidManifest.xml (for Android app)

Disabled HTTPS in iOS looks like this (just remove the whole NSAppTransportSecurity tag to apply safe settings):

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

In Android such an unsafe setting looks like this (remove it from your manifest):

<network-security-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">localhost</domain>
    </domain-config>
</network-security-config>

3. Disable development settings activity in AndroidManifest file

If your AndroidManifest.xml file contains code like this:

<activity android:name="com.facebook.react.devsupport.DevSettingsActivity" />

it’s better to remove such a string from a production build.

That’s all, thank you for your attention!

Roman's blog

Blog with my articles about different aspects of secure coding techniques for iOS/Android/React

ReactNative security tips

0. Avoid using of ReactNative, use native languages

1. Check dependencies on vulnerabilities

2. Check that your app doesn’t enable HTTP in production version

3. Disable development settings activity in AndroidManifest file