To Obfuscate or Not Obfuscate (React Native)

Protecting Your React Native App's Intellectual Property: Using Hermes and JavaScript Obfuscation

Let's just jump to the point.

Code obfuscation is a software development process that makes source or machine code more difficult for humans or computers to understand.

This does not protect your app from being reverse-engineered. Someone with enough time, resources, or dedication can reverse-engineer your app.

NEVER include secrets on the client-side app, even if it's obfuscated.

So in the world of React Native, should you obfuscate your code?

To answer this question we have to first understand how React Native works. Your Javascript code will contain all your business & app logic. It runs and communicates with the native level through the "bridge." When something changes, the Javascript side sends a message to the native side telling it to update the UI, interact with the camera, etc...

Hermes

When it comes to your JS code, should you obfuscate it? If you're running the hermes engine, no. This is because hermes inherently obfuscates your code by compiling your JS to optimized bytecode ahead of time. This should be enough to deter reverse-engineering.

If you're not running the hermes engine and your JS code is included as plaintext in the APK, maybe you should consider switching to hermes.

Proguard / R8

Should you enable proguard / R8 to obfuscate the native code? In the React Native world, you shouldn't be worried about IP theft of the native code since there's likely little going on here -- barring some heavy proprietary native customization.

Now, should you enable proguard / R8 for the minification benefits? Up to you. If your app is big, this might be worth it. Just know that it comes at the cost of making debugging more difficult / viewing crash logs, etc... It also might break your app if you're using 3rd party libraries that may introduce regressions.

For most React Native apps, the critical logic is in JavaScript, but some native modules might still benefit from obfuscation if they contain sensitive logic.

TLDR

If you're concerned about IP theft, using the hermes engine should be enough. If you have proprietary native logic, consider using proguard / R8 while understanding the drawbacks. If your app is large, consider proguard / R8 for its minification capabilities.

Finally please feed the algorithm and give me some feedback if my post helped you 🙏!

Follow Me

Check out my other articles and projects!

• Expo Pod Pinner
• Perplexity SDK
• Fitness Blog