Has anyone successfully integrated anti-debugging, root detection or runtime application self-protection (RASP) tools with an Expo managed app and EAS build?
I’m looking at products like DexProtector, Appdome, AppSealing, Talsec, etc. Most mention compatibility with React Native but nothing about Expo. Some integrate into your build and others seem to take your built AAB/IPA file and then transform it to a “protected” version. Either way I assume this means it wouldn’t work with EAS build and/or store submission.
The websites for these tools all seem very enterprise focused - i.e. great marketing but lacking any real technical doco or pricing - just “contact us”, which immediately puts me off. Would be great to know if anyone’s got one working with EAS.
I have not seen anyone else talking about that sort of thing on the forums, except possibly for a question or two about detecting rooted devices. Expo does have this, but it’s not going to catch every rooted device and could also have false positives: Device - Expo Documentation
Well, all Expo apps are React Native apps. You could switch to the bare workflow by running npx expo prebuild and then treat it as just another React Native app.
If you want to stick with the managed workflow, the same npx expo prebuild step is run automatically during the build process on the build server (or in a temporary directory if you run eas build --local.)
So it should, in theory, be possible to integrate any of these React Native-compatible things into an Expo app. Depending on how this integration is done in a plain React Native app it might be easier or harder to do in Expo, but it should be possible.
I think ideally you would use a Config Plugin to do the integration. Maybe in conjunction with a custom native module. Otherwise, have a look at the Adopting Prebuild docs.
See also the fully customizable builds preview.
If you find some concrete technical info, perhaps someone here or on Discord can give a better answer. Good luck!
Thanks for the info. The custom builds preview looks promising but not sure how you’d get the tool binaries onto the worker.
What I’m thinking might be simplest for now is building with eas build as normal. Then in the CI pipeline download the AAB/IPA files and apply the tool to create the “protected” version. Then for store submission run eas submit but provide --url to the new package rather than --latest. Do you think that would work? I know there are other ways to submit to the stores but have been happy with expo/eas so far.
You should be able to do it with one of the build hooks.
It sounds like it should.
Ah yes - I assumed that would need the tool to also be an npm library but of course you can run a script too - thanks!