DEV Community

Cover image for Securing Apps In React Native
Ajmal Hasan
Ajmal Hasan

Posted on • Updated on

Securing Apps In React Native

a) JailMonkey (Ref.)

JailMonkey is a React Native library designed to detect potential security threats on a user’s device. It includes several checks to determine if a device is jailbroken (iOS) or rooted (Android). Let’s delve into some key security checks provided by JailMonkey

Some apps need to protect themselves in order to protect data integrity. JailMonkey allows you to:

  • Identify if a phone has been jail-broken or rooted for iOS/Android.
  • Detect mocked locations for phones set in "developer mode".
  • (ANDROID ONLY) Detect if the application is running on external storage such as an SD card.


yarn add jail-monkey
npm install jail-monkey
Enter fullscreen mode Exit fullscreen mode


Then inside App.js add,

import JailMonkey from 'jail-monkey';
import RNExitApp from 'react-native-exit-app';

  const checkJailMonkey = useCallback(() => {
    const isJailBroken = JailMonkey.isOnExternalStorage() || JailMonkey.isJailBroken();
    if (isJailBroken && !__DEV__) {
        [{ text: 'OK', onPress: () => RNExitApp.exitApp() }],
        { cancelable: false }
  }, []);

  useEffect(() => {
  }, []);
Enter fullscreen mode Exit fullscreen mode

b) React Native Code Obfuscation


Code obfuscation is a technique used to make code difficult to understand and analyze. In React Native, code obfuscation can be used to protect intellectual property, prevent reverse engineering, and improve the security of your application.

We will separately obfuscate javascript, native android and ios.

1. For React Native Javascript part: (Ref.)

Obfuscate React Native Code using Metro Plugin

a) Install:

npm i -D obfuscator-io-metro-plugin
yarn add -D obfuscator-io-metro-plugin
Enter fullscreen mode Exit fullscreen mode

b) Once the plugin is installed, you will need to add it to your Metro configuration file. You can do this by adding the following code to your metro.config.js file:

const jsoMetroPlugin = require("obfuscator-io-metro-plugin")(
    // for these option look javascript-obfuscator library options from  above url
    compact: false,
    sourceMap: false, // source Map generated after obfuscation is not useful right now so use default value i.e. false
    controlFlowFlattening: true,
    controlFlowFlatteningThreshold: 1,
    numbersToExpressions: true,
    simplify: true,
    stringArrayShuffle: true,
    splitStrings: true,
    stringArrayThreshold: 1,
    runInDev: false /* optional */,
    logObfuscatedFiles: true /* optional generated files will be located at ./.jso */,

module.exports = {
  transformer: {
    getTransformOptions: async () => ({
      transform: {
        experimentalImportSupport: false,
        inlineRequires: false,
  ...jsoMetroPlugin,   /*add this line in your previous module after defined above*/
Enter fullscreen mode Exit fullscreen mode

Note: add *.jso in .gitignore

2. For React Native Android part: Ref.

Note: We are using R8 here for code obfuscation.

In android/app/build.gradle, add:

def enableProguardInReleaseBuilds = true

    buildTypes {
        debug {        }
        release {
debuggable false // Disable debugging for release builds

shrinkResources enableProguardInReleaseBuilds // Enable resource shrinking in release builds if ProGuard is enabled

minifyEnabled enableProguardInReleaseBuilds // Enable code minification and obfuscation in release builds if ProGuard is enabled

proguardFiles getDefaultProguardFile("proguard-android-optimize.txt"), "" // Use default ProGuard optimization rules along with custom rules defined in ""
Enter fullscreen mode Exit fullscreen mode

Then in android/app/ at last add/keep as per your project requirement(Keeping all classes and members in):

-keep class io.invertase.firebase.** { *; }
-dontwarn io.invertase.firebase.**

-keep class com.awrostamani.BuildConfig { *; }
-keep class com.swmansion.reanimated.** { *; }
-keep class com.facebook.react.turbomodule.** { *; }
-keep public class com.horcrux.svg.** {*;}
Enter fullscreen mode Exit fullscreen mode

Note: If app still crashes after proguard enabling, then check app in release mode/crashlytics which library is doing so and add that also in

Make a release build and check using any online tool like Link to check if the actual code is hidden/converted to random strings.

3. For React Native iOS part: (Ref.)

There is no built-in library in the iOS project that will obfuscate your code, therefore an external package has to be used.

c) Using secure storage for sensitive data:

React native mmkv/react native keychain can be used.
Link Keychain

To be continued...

Top comments (0)