9

I reverse engineered my React Native release-signed app, and I can now see all the JS code in the index bundle in the assets directory, which is only obfuscated, not encrypted. I don't want my code to be seen. I reverse engineered one of the apps in the Play Store which is made with React Native, but I couldn't see the JS bundle. So is it possible to make it secure? If so, how?

Rahul Kishan
  • 314
  • 4
  • 18
  • 2
    You could probably encrypt it and decrypt it before using it in your app, but as long as your app is not the new Instagram or Snapchat it's probably not worth the effort. And you will still need to ship the decryption key with your app, which makes it just another hurdle in the way in addition to uglifying. – trixn Feb 02 '18 at 19:28
  • 4
    No, it is not possible. If you execute JavaScript on the user's phone, the JavaScript needs to be on the user's phone. – WizKid Feb 03 '18 at 06:19
  • You can try Jscrambler. It includes code protection to encrypt your source code. Read more here: https://jscrambler.com/ – pikanerd Jul 04 '19 at 06:56

2 Answers

0

I put as much of my JS code as I could into cloud functions and put them on Firebase. I tried to keep my app as much like a data display tool as possible.

Codinson
  • 11
  • 1
0

As far as I know the best you can achieve to prevent reverse engineering is to obfuscate your code.

If you check this GitHub PR on RN's project you'll see that there was a push to embed the jsbundle as base64, but as one of the devs put it:

I'm pretty against this since it doesn't encrypt the code whatsoever -- encryption != encoding -- and moreover "client secret" is generally an oxymoron. False senses of security typically aren't good.

If you're OK with how websites work (send JS/WASM to the client, keep secrets on the server), RN is the same in the important ways.

Later the author of the PR states:

Seems to be not a good solution that is still super easy to crack (which is even documented how now ;) )

If you want, you could read the discussion about encrypting the JS bundle in RN projects here.

The best bet to protect parts of your code is to not have it on the client side at all. If you have critical code pieces that must be protected, leave them in the backend part of your architecture; it's really the only way to ensure your code won't be seen and copied. An article I like even cites this idea:

Imagine, you have a unique algorithm. You obviously don’t want reverse engineers to steal it out of your product. So, you can move the algorithm, making it process the data on a remote server, and use the application to provide it with the data.

You could also check ProGuard (one more link) for Android apps, but I'm not sure how to integrate it with React Native. But even then:

ProGuard also provides minimal protection against reverse engineering by obfuscating the names of classes, fields and methods.

Hope this helps.

Bruno Eduardo
  • 1,313
  • 9
  • 16
  • Thanks for your efforts, I appreciate it, but nothing seems to be working for Android. I read all the links you gave, but they all focus on iOS, and ProGuard won't do anything to asset resources. Thanks anyway. – Jaydeep Galani Feb 18 '19 at 03:57
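
The second answer's argument (encoding is not encryption, a decryption key shipped with the app is readable by whoever holds the app, and only server-side code stays private), as an added Node.js sketch that is not part of the original thread. `SECRET_ALGO`, the `ship*` helpers and the `api.example.invalid` endpoint are constructed placeholders.

```javascript
// Added illustration: three ways of shipping the same "proprietary" function.
const crypto = require('node:crypto');

// Constructed stand-in for the code the developer wants to hide.
const SECRET_ALGO = 'function score(x) { return (x * 7919) % 104729; }';

// 1. Base64 "protection": the package holds only an encoded bundle.
function shipBase64(source) {
  return { bundle: Buffer.from(source, 'utf8').toString('base64') };
}

// 2. Encrypted bundle: the app must decrypt at startup, so the key ships too.
function shipEncrypted(source) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const data = Buffer.concat([cipher.update(source, 'utf8'), cipher.final()]);
  return { bundle: data, key, iv, tag: cipher.getAuthTag() };
}

// 3. Server-side: the package holds a thin client; the algorithm stays on the backend.
function shipThinClient() {
  const client = "async function score(x) {\n" +
    "  const r = await fetch('https://api.example.invalid/score', {\n" +
    "    method: 'POST', body: JSON.stringify({ x }) });\n" +
    "  return (await r.json()).score;\n}";
  return { bundle: client };
}

// What anyone holding the installed package can read, using only its contents.
function readableFromPackage(pkg) {
  if (pkg.key) {
    const d = crypto.createDecipheriv('aes-256-gcm', pkg.key, pkg.iv);
    d.setAuthTag(pkg.tag);
    return Buffer.concat([d.update(pkg.bundle), d.final()]).toString('utf8');
  }
  const text = pkg.bundle.toString();
  const decoded = Buffer.from(text, 'base64');
  // Treat the bundle as base64 only if it re-encodes to the identical string.
  return decoded.toString('base64') === text ? decoded.toString('utf8') : text;
}

// True when the proprietary constant is visible in what the package exposes.
function exposesAlgorithm(pkg) {
  return readableFromPackage(pkg).includes('7919');
}
```

Only the third layout leaves nothing to recover on the device; its cost is that every call to `score` needs the network and an authenticated backend.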