[TECH] How secure is React Native?

This post discusses the security of React Native apps and the elements that need protecting.



React Native is an app development framework created by Facebook. It makes it easy for developers to build hybrid applications, which combine access to the device's resources with web elements.
This post looks at mobile apps built with React Native: what in them needs protecting, and how secure they are.
Earlier hybrid mobile applications could display web content through a WebView, but they were limited by the complicated process needed to reach the user's device resources such as device information, camera, storage and phone.
For this reason, hybrid applications released in the early days were later moved to native applications.
With React Native, however, an app can access and use device resources from JavaScript in addition to being deployed on the web. With a single web display, app service providers can use the app elements as well. React Native has therefore become very popular for its advantages in service operation and its fast app development speed.

While React Native has advantages for building and running a service, we also need to look at it from a security standpoint. It uses JavaScript, a scripting language, for the core logic of the application. Compared with native applications, it is highly vulnerable to extraction of core logic and to source code hacking.

Applications developed with React Native are highly vulnerable to extraction of core logic and source code hacking.

The security of each kind of language mainly used in mobile apps is as follows.
(The security ratings below are relative among the three kinds of language; they are not an absolute evaluation.)

1. Script Language
· Type : JavaScript, Python, Ruby, ...
· Configuration : Shipped as the source code the developer wrote, not as compiled code.
· Explanation : A script language is exposed exactly as the source code the developer wrote, so attackers can figure out the app's core logic and edit it without any effort.
· Security : Low

2. Byte Code
· Type : Java
· Configuration : A language that runs on multiple OSes and is compiled to a form between source code and machine language.
· Explanation : Byte code lets one Java source run on multiple OSes, and it can be turned back into source code with a decompiler.
· Security : Medium

3. Binary Code
· Type : Executable file or library developed with C or C++
· Configuration : Executable files translated into machine language for each OS and CPU.
· Explanation : Binary code takes the form of executable files consisting of machine language. Understanding the code requires knowledge of reverse engineering.
· Security : High

※ The security ratings here are only relative among the three kinds of language; they do not mean that apps made with binary code cannot be hacked or do not need to be protected.

As explained above, JavaScript has the lowest security of the three languages used to create mobile apps. Core logic written in JavaScript, such as user log-in and product purchase, sits in the Bundle file that React Native places in the package (.apk or .aab file), where it can be an easy target for hacking.

» React Native Bundle file in App Package


» Inside the React Native Bundle

If an app is developed with React Native, its core logic exists in the Bundle file as shown above, so it is important to protect the source code in the Bundle file from exposure.
In addition, to protect the app service from severe damage if the Bundle file or any other file related to the app is changed, an anti-tampering feature is required so that the app cannot be tampered with.
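An off-device check for the two concerns above, as an added example that is not part of the original post and is not LIAPP's implementation: it records a SHA-256 manifest of every file in a release package, reports which files differ in a later copy, and tests whether the Bundle file ships as readable script. It assumes React Native's default Android bundle path `assets/index.android.bundle`; the helper names and sample packages are constructed for illustration.

```python
import hashlib
import io
import zipfile

BUNDLE = "assets/index.android.bundle"  # assumed default bundle path in the package

def manifest(apk_bytes):
    """Map every entry in the package to its SHA-256 (record this at build time)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest() for n in z.namelist()}

def diff(trusted, apk_bytes):
    """Compare a package against the trusted build-time manifest."""
    seen = manifest(apk_bytes)
    return {
        "modified": sorted(n for n in trusted if n in seen and seen[n] != trusted[n]),
        "removed": sorted(n for n in trusted if n not in seen),
        "added": sorted(n for n in seen if n not in trusted),
    }

def bundle_is_readable(apk_bytes, threshold=0.95):
    """True if the bundle is mostly printable text, i.e. it ships as plain script."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        data = z.read(BUNDLE)[:4096]
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return bool(data) and printable / len(data) >= threshold

def build_apk(files):
    """Constructed sample: an in-memory zip standing in for an .apk file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in files.items():
            z.writestr(name, body)
    return buf.getvalue()

# Constructed sample packages, not taken from any real app.
DEX = b"dex\n035\x00" + bytes(16)
RELEASE = build_apk({BUNDLE: "function greet(n){return 'hello '+n;}",
                     "classes.dex": DEX})
CHANGED = build_apk({BUNDLE: "function greet(n){return 'HELLO '+n;}",
                     "classes.dex": DEX, "lib/extra.so": b"\x7fELF"})

if __name__ == "__main__":
    print(diff(manifest(RELEASE), CHANGED))
    print("bundle readable:", bundle_is_readable(RELEASE))
```

A check like this runs in a release pipeline or store-monitoring job; it does not replace the in-app anti-tampering feature the post refers to.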

Suppose your app contains a payment function or handles sensitive user information. In that case, we strongly recommend preparing Bundle file protection and anti-tampering in advance so that you can provide a secure service.

At LIAPP, we provide the best service possible.