Android-specific security practices

  • In app/build.gradle, change the release build type as follows:
  • set minifyEnabled to true
  • set useProguard to true
  • set shrinkResources to true

iOS-specific security practices

  • From iOS 9.0, Info.plist has a dictionary entry called NSAppTransportSecurity.
  • Inside it, the key NSAllowsArbitraryLoads defaults to NO, which means you accept the security benefits of App Transport Security. In some scenarios, such as working with localhost or with a plain-HTTP domain, you have to set it to YES; otherwise you cannot make network requests to those insecure domains.
  • To avoid rejection on the App Store for doing that, add only the specific domains that need an exception under the NSExceptionDomains key instead.

Using Hermes

  • Hermes is a small and lightweight JavaScript engine optimized for running React Native. Hermes helps improve app performance and also exposes ways to analyze the performance of the JavaScript that it runs.
  • Supported from React Native 0.69.0 onward.
  • Because Hermes compiles JavaScript to bytecode ahead of time, the shipped bundle provides a significant level of obfuscation compared with plain JavaScript.

Storage security

Keychain libraries let you store small pieces of sensitive data (passwords, IDs, card details) in the platform's secure storage.

  • React Native Keychain – mainly used for storing generic and digital passwords.
  • React Native Sensitive Info – this plugin is more mature and flexible than React Native Keychain and is compatible with both Android and iOS.
  • React Native Security Storage – this plugin is still under development. The manual is available with installation instructions but no usage guidelines.
  • react-native-mmkv

Deep linking

Deep linking is a method of sending data directly to a native application from an outside source. A deep link looks like app://..., where app is your application's URL scheme and whatever follows the // is data the app parses internally to handle the request.

Secure API endpoints

To manage your API endpoints and keys, you can turn to tools like react-native-dotenv and react-native-config, which give you a place to keep such sensitive configuration outside your source code. For application secrets from external platforms like Facebook or Google, avoid embedding them in your code, and use a more secure alternative than AsyncStorage for holding them.

SSL Pinning for Enhanced Security

SSL pinning adds an extra layer of security by verifying the authenticity of SSL certificates during the handshake process. This safeguards against man-in-the-middle attacks and ensures secure communication. react-native-ssl-pinning is a great library that makes SSL pinning easy to implement in React Native projects.

https://www.callstack.com/blog/ssl-pinning-in-react-native-apps

Keep a check for Jailbroken and rooted phones

  • Jailbroken and rooted phones are considered insecure because root access lets a user (or malware) access your app's data, bypass OS security features, spoof data, analyse your algorithms, and read secured storage.
  • It is good practice to check whether the device is jailbroken or rooted before performing any critical operation. JailMonkey lets React Native applications detect root or jailbreak.

Monitoring and Continuous Security

  • Sentry: Sentry is an example of a service that provides real-time error tracking and alerting. It can notify you immediately when an error or security issue occurs.
  • Intrusion Detection Systems (IDS): These are tools that monitor network or system activities for malicious exploits or security policy violations.
  • react-native-newrelic

Avoid using Deprecated libraries

It is good practice to avoid deprecated libraries: they are no longer supported, so they will not stay compatible with other libraries as those receive improvements or updates. By not using deprecated libraries you also spare yourself a forced migration to a new version later. Using a better, maintained alternative to a deprecated library is always the wiser choice.