Best practice on how to avoid reverse engineering of an APK built by Expo EAS

Please provide the following:

  1. SDK Version: 45
  2. Platforms(Android/iOS/web/all): android

Hey guys, I would like to ask you, or rather I'm asking for advice, on how to minimize the risk of a “hacker” or MITM attack by reverse engineering the APK I build in Expo. For example, if I store API keys in JavaScript and I try to reverse engineer the APK, I can clearly see the key being shown, while the function or variable names themselves are already obfuscated. So why is the key string not?

It’s not possible to secure anything client-side; that key is in plain text in the bundle because the code needs it in order to use it.

Theoretically, it would be possible to encode it somehow and decode it at runtime, but what would be the point of doing that? It would still be easily accessible if someone is determined to get at it. The only proper approach is not to have any secrets in your client app.

Obfuscation/minification is intended to improve performance and hide your source code, so it’s harder to get to the point where you, but there is no way to hide values embedded there.

If you have a key in your app, then either it should be designed in a way that a leak is not a big problem, or you shouldn’t have that key in your client-side code at all.

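To illustrate the answer above, here is an added example (written for this page, not code from the original thread or from Expo) of what a reverse engineer does with the JavaScript bundle pulled out of an Android APK. The bundle text below is a constructed, hypothetical stand-in for a minified Metro/Hermes-style bundle: the API key values in it are made up, and the XOR "encoding" is a hypothetical example of the runtime decode idea the answer dismisses. Identifiers are minified, but string literals survive, and the decoder for an "encoded" key ships in the same file, so both keys come out with a couple of regexes.

```javascript
// Added example (not from the original thread): recovering secrets from a minified JS bundle.
// BUNDLE is a constructed, hypothetical snippet; the key values in it are invented.
"use strict";

const XOR_MASK = 0x5a; // hypothetical "obfuscation" constant used by the sample bundle
const PLAINTEXT_ENCODED_KEY = "encoded_secret_value_99"; // what the developer thought was hidden

// Build the XOR-"encoded" byte array the way such a developer would embed it in their code.
const encodedBytes = Array.from(PLAINTEXT_ENCODED_KEY, (ch) =>
  "0x" + (ch.charCodeAt(0) ^ XOR_MASK).toString(16)
);

// Constructed stand-in for a minified bundle: one key stored as a plain literal, one stored as a
// XOR-encoded byte array right next to the function that decodes it at runtime.
const BUNDLE =
  'var a=function(){return fetch("https://api.example.com/v1/items",' +
  '{headers:{"x-api-key":"sk_live_4f8a2c1e9b7d6f3a"}})};' +
  'var t="Loading your items, please wait...";' +
  "var b=[" + encodedBytes.join(",") + "];" +
  "var c=function(d){return String.fromCharCode.apply(null,d.map(function(e){return e^" +
  "0x" + XOR_MASK.toString(16) + "}))};";

// Step 1: pull every string literal out of the bundle text. Minification renames variables and
// functions, not literals, so this works on any JS bundle dumped from an APK.
function extractStringLiterals(bundleText) {
  const re = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
  const out = [];
  let m;
  while ((m = re.exec(bundleText)) !== null) {
    out.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return out;
}

// Shannon entropy in bits per character: random-looking keys score high, UI text scores low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Step 2: keep the literals that look like credentials: one token of key-ish characters, at least
// 16 long, with entropy above what natural-language strings and URLs reach.
function findKeyLikeLiterals(bundleText, minLength = 16, minEntropy = 3.0) {
  return extractStringLiterals(bundleText).filter(
    (s) => s.length >= minLength && /^[A-Za-z0-9_\-]+$/.test(s) && shannonEntropy(s) >= minEntropy
  );
}

// Step 3: the "encoded" key. The decoder is in the same bundle, so the attacker reads the XOR mask
// out of it and applies it to the byte array. Here that lookup is two regexes; on a real bundle it
// is a few minutes with a beautifier, or simply pasting the decode function into Node and running it.
function recoverXorEncodedKey(bundleText) {
  const arrayMatch = bundleText.match(/\[((?:0x[0-9a-f]+,?)+)\]/i);
  const maskMatch = bundleText.match(/\^0x([0-9a-f]+)/i);
  if (!arrayMatch || !maskMatch) return null;
  const mask = parseInt(maskMatch[1], 16);
  return arrayMatch[1]
    .split(",")
    .map((hex) => String.fromCharCode(parseInt(hex, 16) ^ mask))
    .join("");
}

function main() {
  console.log("plain literals that look like keys:", findKeyLikeLiterals(BUNDLE));
  console.log("recovered from XOR-encoded array   :", recoverXorEncodedKey(BUNDLE));
}

main();
```

Run it with `node` and both keys print. Obfuscators can rename `a`, `b` and `c` but not change what `fetch` is given as a header value, and anything the client can decode the attacker can decode the same way. The fix the answer points at is architectural: the app sends the request to your own backend with a user session token, the backend adds the real key, and any key that does have to ship (a public or client key) is one the provider lets you restrict to your app identifier so that a leaked copy is of little use.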