Defending React Native Apps from the Inside Out
Editor’s Note:
This blog is based on a React Native meetup hosted by GeekyAnts. The session featured Tanish Bawa, Senior Software Engineer II at GeekyAnts, who explored the topic of mobile app security with React Native. Drawing on his experience as a developer, Tanish broke down real-world risks like reverse engineering and data theft, and shared technical practices that help build trust into the core of mobile applications.
Why Security Matters More Than Ever
I often get asked—Do we need to focus this much on security in React Native apps? My answer is always the same: if everyone behaved, maybe not. But we know that is rarely the case. Once you release an app into the world, it becomes vulnerable. Anyone can download the bundle and try to decompile it. If you are building anything that stores user data, handles payments, or has proprietary logic, you’re already a target.
Security, to me, revolves around two major areas—reverse engineering and data theft. Reverse engineering happens when someone pulls apart your app to copy business logic, APIs, or UI. On the other hand, data theft is when sensitive user information—tokens, credentials, personal records—gets exposed through poor storage or weak API security. I’ve seen both happen. And both are avoidable.
What I Focus on During Development
While building apps, there are a few areas I always prioritize. Storage is one of them. A lot of developers use AsyncStorage for everything. That’s a mistake when dealing with sensitive data. AsyncStorage doesn’t offer encryption. I use Secure Store or React Native Keychain whenever I need to store authentication tokens or user credentials. Both provide encryption and work well across platforms. For general, non-sensitive preferences, AsyncStorage still works fine.
When integrating APIs, I always ensure that requests go through HTTPS. Think of it like sending a letter—you want to be sure it reaches the right person, sealed. Plain HTTP can be intercepted. But encryption alone is not enough. That’s where SSL pinning comes in. It confirms that your app is talking to the server you intend it to, and not something impersonating it.
I also use token-based authentication and manage everything through interceptors. That allows me to centralize error handling and ensure that all tokens are checked, refreshed, and managed properly across the app. It makes the entire flow cleaner and far more secure.
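Centralizing token handling in one place, as the paragraph above describes, in an added example that is not code from the talk or from GeekyAnts. It is plain JavaScript so it runs outside an app: `fetchImpl`, `tokenStore` and `refreshToken` are assumed injection points standing in for React Native's `fetch`, a Keychain- or SecureStore-backed token store and the backend's refresh call, and it goes one step further than the text by making the refresh single-flight and failing closed when the refresh itself is rejected.

```javascript
// Added example, not code from the talk: a token interceptor in plain JavaScript.
// fetchImpl, tokenStore and refreshToken are injected (assumed interfaces), so it
// can wrap React Native's fetch + a Keychain-backed store, or the stubs below.
function createAuthClient({ fetchImpl, tokenStore, refreshToken }) {
  let refreshInFlight = null;
  // Single-flight refresh: concurrent 401s share one refresh call, so the
  // refresh token is spent once and a failed refresh logs every caller out.
  function refreshOnce() {
    if (!refreshInFlight) {
      refreshInFlight = (async () => {
        const next = await refreshToken((await tokenStore.get()).refresh);
        await tokenStore.set(next);
        return next;
      })().finally(() => { refreshInFlight = null; });
    }
    return refreshInFlight;
  }

  // Fail closed: wipe the stored session rather than loop on a dead token.
  async function expire() {
    await tokenStore.clear();
    throw new Error('session expired');
  }

  async function request(url, options = {}) {
    const tokens = await tokenStore.get();
    if (!tokens) throw new Error('not authenticated');
    const withAuth = (access) => ({
      ...options,
      headers: { ...(options.headers || {}), Authorization: `Bearer ${access}` },
    });
    let res = await fetchImpl(url, withAuth(tokens.access));
    if (res.status !== 401) return res;
    // Response side: exactly one refresh and one retry, never more.
    const fresh = await refreshOnce().catch(expire);
    res = await fetchImpl(url, withAuth(fresh.access));
    if (res.status === 401) await expire();
    return res;
  }
  return { request };
}

// Constructed in-memory stand-in for react-native-keychain / expo-secure-store.
function makeMemoryStore(tokens) {
  return {
    get: async () => tokens,
    set: async (t) => { tokens = t; },
    clear: async () => { tokens = null; },
  };
}
```

In an app, `makeMemoryStore` is the only piece that changes: swap it for a thin wrapper around the secure storage library and the interceptor logic stays as is.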
Guarding the Code Itself
Once the app is built, I turn my attention to code obfuscation. It’s not about hiding your entire app—it’s about protecting key business logic, especially if you’re handling financial workflows or custom algorithms. I use tools like the Metro minifier, ProGuard for Android, and JScrambler to tangle the code. This makes it incredibly difficult for attackers to read or extract anything meaningful.
Obfuscation does have a cost—it increases bundle size. That’s why I apply it selectively, only where there is real risk. Security should enhance performance, not drag it down.
Building Better Authentication Flows
For apps that include login flows, especially in sensitive domains, I integrate biometrics with secure storage. The idea is simple. Store credentials securely. Use fingerprint or Face ID to unlock them. And then authenticate the user. Tools like expo-local-authentication make this easier than ever. It feels seamless to the user and adds a strong layer of security behind the scenes.
Tools That Make My Life Easier
I rely on a few tools regularly. Flipper helps me track logs and network activity. For vulnerability testing, MobSF gives me a good overview of what needs fixing. Snyk scans for dependency-related risks. And npm audit flags issues in the packages I use. These tools do not replace secure code—they reinforce it.
My Takeaway: Security Is Built with Trust
I always remind myself—and my team—that we are not only writing code. We are building trust. Every time a user opens an app and shares their information, they’re trusting us to protect it. That responsibility stays with us beyond deployment.
There’s a line I use often:
“A secure app is built with trust, not just code. The attacker needs to be right once—we have to be right every time.”
That is the mindset I bring to every React Native project I work on.