How do you use the App on a Real Device?

Hi people,
hope you are all safe.

I have created an Expo App that has a Frontend and a Backend that uses a REST API to communicate with a PostgreSQL DB. Currently everything is running locally.

My Backend is communicating with the DB. I have all SQL operations in there and the whole Server File is an own Folder that I start with npm run server in my VSCode - thats when my Server starts to listen.

My Frontend then uses the defined routes with the PC IP-Address to communicate with the Backend.

Like: fetch( http://192.xx.50.xx:6969/api/hours/deletehour/${hourId} )...

What I am thinking is that the part before /api/… needs to change and it has to be the real device IP.

  1. How do I get the real device IP and use it to communicate with my Backend?
  2. Does my Backend and my Frontend has to live in the same Folder for it to work? They are currently seperated in 2 Folders. Also should there be a generall script that runs when the app starts? So the server gets started up or something?
  3. Does my PostgresDB needs to be put on a remote server or can it be accessed as long as the user uses the same Wifi or Domain?

Help would be really appreciated because I cant imagine how to run it on a real device and not locally on an Emulator as it is currently.

  1. What steps are there to do before an App can be shipped? Some security or connection things?

I know for example that updating the App should work easily because it is build with Expo and Expo supports OTA Updates (“over the air”).

Thanks Faded.


I’ll try to answer some of your questions, but to answer properly someone would have to write at least a couple of books :slight_smile:

I am not familiar with best practices for running services written in JavaScript. Maybe doing some searches, reading some books/blog posts etc. will point you in the right direction as far as that is concerned. The following search looks like it might have some useful results:

In the above, 192.xx.50.xx is the IP address of the PC that you’re running the backend service on and 6969 is the port that it’s listening for connections on. i.e. this has nothing to do with the mobile device. It’s a bit like a telephone number. If you phone someone you don’t need to know the number of the phone you are calling from. You only need to know the number of the person you’re calling. Of course the phone that you are calling from also has a phone number, and the other phone will be able to see that number. (Assume caller ID always works and can’t be disabled.)

So the server will get a connection from the mobile device and will know the mobile device’s IP address at that point, but your app does not need to know the mobile device’s IP address in order to make the request. using fetch().

If you already knew the above and I just misunderstood what you were saying, then I apologise :slight_smile:

Of course, ideally you’d buy a domain (e.g., acquire an SSL certificate (e.g. from Let’s Encrypt or maybe from your hosting provider) which would let you use something like:


If you find some good best practice documentation they should hopefully explain how to do the above.

Unless I’ve misunderstood what you are asking, this is not something you need to do.

There is no requirement for the server code and client code to be in the same folder.
In terms of running the server when the app starts: Usually you would have the server running constantly at a hosting provider or in the cloud (Amazon Web Services, Microsoft Azure, Google Cloud Platform, etc.)

The PostgreSQL DB needs to run on a machine that the backend code can connect to. Depending on what infrastructure you’re deploying this to and how large the database is and how much traffic you’re going to get etc. changes how you might do this. If you’re starting out small you might get a virtual machine and run the backend code and the database on the same VM. If you’re deploying to AWS you might run the backend code as a Lambda function and set up an RDS instance for the database etc. (I’ve never used AWS Lambda, so I’m not saying you should do this.) Basically there are many different ways you can do this. The simplest is probably a single “machine” (e.g. a virtual machine) running both backend and database.

The mobile device does not need to be able to make connections directly to Postgres and indeed should not be able to. It should make all requests via the backend code which can control access to the database.

You can run the app on a real device in a couple of ways. e.g. install the Expo app from the Play Store/App Store. Then on your PC run expo publish to publish the app’s code to Expo’s servers. Then if you log in to the app on the mobile device and go to the Profile tab you should see your app under “Published Projects”. If you select it from there it should load and run.

The other option (at least for Android) is to run expo build:android which will upload your app’s code to Expo’s build servers and at the end you will be able to download the app and install it on your Android phone (this is called “side loading” the app because it’s not installed from an official store like the Play Store). Unfortunately, iOS makes it very hard (or impossible) to side load apps. This theoretically avoids some security problems, but also makes it harder to test out your own app on a physical device. So for iOS you’d need to make use of a service like TestFlight. I have not used TestFlight before, so I’m not sure of the process.

There is some info here about building standalone apps for side loading or for uploading to TestFlight or the Play Store or App Store:
Building Standalone Apps

See also:
Uploading Apps to the Apple App Store and Google Play

Security: Don’t store any passwords or API keys in your app’s source code because if someone has the app on their phone they will be able to unpack your app and find the password in there.
In your server code don’t trust what you receive from the mobile app. e.g. don’t just trust that hourId is a number.

There’s a lot more that could be said about security. One place to start might be OWASP

e.g. for the backend you might want to look at Top 10 Web Application Security Risks
There’s a huge amount of information on the OWASP web site, and not all of it will be relevant to you.

I hope this has helped a bit.


WOW dude that was very informative :black_heart: Big thanks - I will come back to this if I have some difficulties.

1 Like

This topic was automatically closed 20 days after the last reply. New replies are no longer allowed.