I am afraid of the React Native 'index.android.bundle' file. Because the application whole source code and core logic secrets may be exposed in that 'bundle' file.
But recently, I have observed binary formatted 'index.android.bundle' in one of the APK files. I wondered how this is possible, what kind of technique they use. If anybody knows about this obfustication technique please share your thoughts.
EDIT:
Saw the screenshot that you attached. What came to my mind was that the dev probably encrypted the index.android.bundle file. Tried to find how that can be done and I think I have found pretty similar series/links to do the same thing. Although the method of encryption don't match/resemble a 100%, but this is the best shot I got (for now!).
React Native Android App(1/2): Decompile
React Native Android App(2 of 2): Security
React Native Android App(Github): wooyeol
EARLIER ANSWER (Based on Hermes):
I guess this obfuscation technique is/uses "Hermes", which is an open-source JavaScript engine optimized for React Native. What I found is that, Hermes helps you to convert your JS code( which already gets uglified using RN) to Bytecode.
The purpose for this is to increase install speeds of apps as the Parsing and the Compilation phase of the apps, which mostly happens after the app is installed, is already done here using Byte Precompilation. But as mentioned, this also helps to convert the code in the index.android.bundle file to Bytecode, which is what the concern seems to be.
I haven't tried deobfuscating such a code as of now, so I can't understand if the Hermes Bytecode and the Binary Format you saw are same or different, but here are some links for that, to justify my answer i.e. it might be Hermes Bytecode.
Java - Is binary code the same as ByteCode?
In React Native 0.62, after building a signed apk, index.android.bundle is a binary file
React-native 0.61.2 with Hermes disassembling index.android.bundle
Now I can't do it for a RN app right now, but you can try to do this(enable Hermes and generate & check index.android.bundle) on your app or a demo app and see if it generates the same type of output as you have seen.
Also, you can look up on these links for some help on Hermes and decompilation.
Hermes- A New JavaScript Engine for React Native
Using Hermes - React Native Docs
Decompile React Native index.android.bundle
Also, this link talks about how encryption should/shouldn't be added over the JS bundle created. Although it's from 2015, it can still give you a starting point.
JS Code Protection : To do Encryption over it or not?
I'm also relatively new to React Native and it's various aspects. Also, this is my first time answering a SO question. So hope that it helps.
P.S. Whoever reads this, please correct/edit me if I'm wrong in my explanation somewhere, along with some learning links for the same. Also, give it an approved checkmark ✅ (or whatever it is called) if this answer was a Direct Hit!
