How react-native-config make my life easier to steal secret keys of your React Native Application

1) First, you need to find out an applicationId of app. It easy to use a Google Play website, just search and copy id in the browser

2) The next step will be downloading a .apk file (for example using an apk-downloader website)

3) Finally, open that .apk in Android Studio (Build => Analyze APK...) then need to find resources.arsc and select string in the resource types panel

You should see something like that:

---

Keep in mind this module doesn't obfuscate or encrypt secrets for packaging, so do not store sensitive keys in .env. It's basically impossible to prevent users from reverse engineering mobile app secrets, so design your app (and APIs) with that in mind.