Check if you are aware of the risks and threats developers should address to prevent typical security mistakes in React Native applications.
Find details in a new Cossack Labs’ blog post or first get an appetite for it with an abstract here.
When looking at the React Native app from the security perspective, you need to analyze all its parts one by one, and the communication between them as well. It requires an understanding of iOS and Android native platforms, JavaScript engines, and the connection between them – the Bridge.
Trusting React Native platform and its components means that you understand and accept potential security consequences.
Keep in mind that:
-
The collaboration of backend and mobile app developers is key to produce secure mobile applications. The community around React Native platform provides common modules for platform-specific features. They help React Native developers save precious time by avoiding writing native code.
The downside is that the additional abstraction layer distances developers from app internals even further. When choosing React Native as a platform for mobile applications, you also need to accept the risk of delayed updates (compared to pure native apps) and increased MTTD/MTTR, and prepare a remediation strategy.
React Native platform is a third-party framework developed by Facebook. And who knows what Facebook code is inside The Bridge? So, adding the React Native framework means adding another party that should be trusted as well.
Even though React Native apps are associated with an adequate level of protection against XSS attacks, developers can use potentially dangerous API in JavaScript code, like the eval() function.
In addition to React Native security specifics, OWASP MASVS and MSTG should be used as a foundation of appropriate security measures in apps.
Continuous dependency scanning and patching is an essential step in Secure-SDLC and automated security testing of React Native apps. Many tools help in automating the update process (f.e. Dependabot), but manual work always remains for modules that can't be updated easily.
So... What are the best practices to build a secure React Native app? @Julia Potapenko from @CossackLabs packed some working ideas in a new blog post here.
Top comments (0)