Check whether you are aware of the risks and threats developers should address to avoid typical security mistakes in React Native applications.
Find the details in a new Cossack Labs blog post, or get an appetite for it with the abstract here.
Trusting the React Native platform and its components means that you understand and accept the potential security consequences.
Keep in mind that:
Collaboration between backend and mobile app developers is key to producing secure mobile applications. The community around the React Native platform provides common modules for platform-specific features. They help React Native developers save precious time by avoiding writing native code.
The downside is that the additional abstraction layer distances developers even further from the app's internals. When choosing React Native as a platform for mobile applications, you also need to accept the risk of delayed updates (compared to pure native apps) and increased MTTD/MTTR, and prepare a remediation strategy.
The React Native platform is a third-party framework developed by Facebook. And who knows what Facebook code is inside The Bridge? So adding the React Native framework means adding another party that has to be trusted as well.
In addition to React Native security specifics, the OWASP MASVS and MSTG should be used as the foundation for appropriate security measures in apps.
Continuous dependency scanning and patching is an essential step in a Secure SDLC and in automated security testing of React Native apps. Many tools help automate the update process (e.g. Dependabot), but manual work always remains for modules that can't be updated easily.
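As an added illustration (not from the original post or from Cossack Labs), here is a `.github/dependabot.yml` that enables automated dependency updates for a React Native project's npm dependencies. It assumes the app's `package.json` sits at the repository root and uses a hypothetical package name, `example-native-module`, to show how a module that cannot be upgraded easily is recorded as an explicit exception rather than silently left out of scanning.

```yaml
# .github/dependabot.yml (example config, not part of the original post)
version: 2
updates:
  - package-ecosystem: "npm"   # React Native apps are npm/yarn projects
    directory: "/"             # assumption: package.json at the repo root
    schedule:
      interval: "weekly"       # a pull request per outdated dependency each week
    open-pull-requests-limit: 10
    ignore:
      # Hypothetical module with a native (iOS/Android) part that needs manual
      # migration work: skip major bumps so they are handled by hand, but keep
      # receiving minor and patch updates (which usually carry security fixes).
      - dependency-name: "example-native-module"
        update-types: ["version-update:semver-major"]
```

Each `ignore` entry is the "manual work" the post mentions: it must be tracked and revisited, otherwise the module stays on a vulnerable version indefinitely. Dependabot's security updates (alerts-driven PRs) are separate from this version-update schedule and should be enabled in the repository settings as well.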