How to secure EAS expo app?

I am building an application that has an auth system and a lot of POST requests.

I want to know how to make my backend endpoints accept only requests that are coming from my application, not from anything else like Postman.

What I was thinking of is saving a secret on the client’s side that is to be sent with each request to the backend, so that I can make sure the request is coming from my app.

I know that anyone can access my app source code if they extract the APK file and my secret code on the client’s side will be known.
To solve this, I read that I can make my code unreadable by obfuscating it (I still need to figure out how I am going to do that on my EAS build).

And I have to use JailMonkey to detect if the device is rooted.

Also SSL pinning.

I am using Expo secure store to save my sensitive info on the client side.

Is this approach good enough? Is there anything I am missing?
I have zero information about security, this is just what I learned through searching.

Let me know if you have better suggestions.

Have you considered a JWT based approach? JWTs can be issued with a short lifetime, then refreshed, and can be stored in secure storage if desired. These can then expire too and be revoked.

I have personally used the third-party identity service https://auth0.com/ which works well with Expo’s AuthSession (AuthSession - Expo Documentation). However, there are a number of third-party services or something self-hosted like Identity Server.

I would not recommend rolling out your own implementation.

Here is a post I was involved in regarding Expo examples of a JWT based approach with refresh tokens.


Does this prevent my app code from being altered or stolen?

I want to know how to make my backend endpoints accept only requests that are coming from my application, not from anything else like Postman.

It’s not possible. It’s not an Expo or react-native issue; it’s not possible in any client-side application. You can make it a lot harder by obscuring it, but it will never be safe.

I know that anyone can access my app source code if they extract the APK file and my secret code on the client’s side will be known.

The JS bundle embedded in the APK is not exactly your source code; it’s already processed and minimized. Someone can use that JS, but it’s not something someone can take and use in their own application.

To solve this, I read that I can make my code unreadable by Obfuscating it

It would make it a bit harder, but extracting a token like that would still be relatively straightforward.

I believe obfuscation is the most you can do regarding source code.

The other option is to move any really “clever” or core behavior that you want to hide to an API off the device. A web API for example.