科技回声
A tech news platform built on Next.js, providing global tech news and discussion content.
Resource links: HackerNews API, original HackerNews, Next.js

© 2025 科技回声. All rights reserved.

Expanding the Attack Surface: React Native Android Applications

37 points by infosecau, over 5 years ago

5 comments

axemclion, over 5 years ago
I am not sure if this is specific to React Native. In a regular Android application, this information is available in the JSON file. Having permissive credentials on the client is a security gap, no matter the technology.
maury91, over 5 years ago

This article highlights some security errors that are not really related to React Native:

1. Firebase permissions

That is a problem of a badly configured server. In Firebase you need to write rules that are as restrictive as possible, making it possible to read only what the user really needs (for example, their own data and the data that is truly public); the same goes for writing.

2. Debug files in the APK

The map file should not be in the APK (unless it's an internal-only debuggable APK); webpack/gulp can be configured to not produce that file when the target is production.

If you use tools that collect errors like Sentry, you can upload the map file to their servers and avoid releasing it.

It will not stop the attacker from obtaining your API_KEY, but it will make it harder (security through obscurity).

Both problems are not exclusive to React Native but are shared by any app/web-app that uses Firebase.
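As an added example that is not part of the thread or of the article under discussion, here are two small pre-release checks in JavaScript that follow the two points above: a walk over a Firebase Realtime Database rules document that reports every path granted to anyone via a literal `true`, and a check that a production build neither configures nor ships source maps. The Realtime Database rule syntax (`.read`, `.write`, `auth.uid`, `$uid`) and webpack's `devtool` option are real; the two rule documents, the file listing and the function names are constructed for this example.

```javascript
// Added example (not from the thread). All sample data below is constructed.

// --- 1. Firebase Realtime Database rules: wide open vs. scoped to the user ---

// Constructed: the kind of rules a misconfigured project ships with. Anyone,
// signed in or not, can read and write the whole database.
const PERMISSIVE_RULES = {
  rules: { ".read": true, ".write": true },
};

// Constructed: a signed-in user may only touch their own node; a separate
// section is deliberately public but read-only.
const SCOPED_RULES = {
  rules: {
    users: {
      $uid: {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
      },
    },
    public: { ".read": true, ".write": false },
  },
};

// Walk a rules tree and return every path where ".read" or ".write" is the
// literal boolean `true`, i.e. granted unconditionally. Each hit should be
// either intentionally public data or a finding to fix before release.
function findOpenRules(node, path = "/", out = []) {
  for (const [key, value] of Object.entries(node)) {
    if ((key === ".read" || key === ".write") && value === true) {
      out.push(`${path}${key}`);
    } else if (value && typeof value === "object") {
      findOpenRules(value, `${path}${key}/`, out);
    }
  }
  return out;
}

// --- 2. Production bundles must not carry source maps ---

// Minimal sketch of a bundler config: `devtool: false` tells webpack not to
// emit a .map file at all for production builds.
function bundlerConfig(mode) {
  return {
    mode,
    devtool: mode === "production" ? false : "source-map",
  };
}

// Given a listing of files from an unpacked build, return the ones that would
// hand the original sources to whoever opens the package: .map files and any
// bundle that still points at one via a sourceMappingURL comment.
function findSourceMapArtifacts(files) {
  return files.filter(
    (f) =>
      f.path.endsWith(".map") ||
      /\/\/# sourceMappingURL=/.test(f.contents || "")
  );
}

// Constructed listing of a build that forgot to strip its map file.
const SAMPLE_BUILD_LISTING = [
  {
    path: "assets/index.android.bundle",
    contents: "var x=1;\n//# sourceMappingURL=index.android.bundle.map",
  },
  {
    path: "assets/index.android.bundle.map",
    contents: '{"version":3,"sources":["App.js"]}',
  },
  { path: "res/drawable/icon.png", contents: "" },
];

// Stand-alone run: print what each check finds.
console.log("open rules (permissive):", findOpenRules(PERMISSIVE_RULES.rules));
console.log("open rules (scoped):", findOpenRules(SCOPED_RULES.rules));
console.log("production devtool:", bundlerConfig("production").devtool);
console.log(
  "source map artifacts:",
  findSourceMapArtifacts(SAMPLE_BUILD_LISTING).map((f) => f.path)
);
```

Running it reports `/.read` and `/.write` for the permissive document, only `/public/.read` for the scoped one (which is the intended public section), and both bundle files for the sample listing. The rule walker treats a string expression as already conditional and does not evaluate it; it only surfaces unconditional grants for a human to confirm.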
secondo, over 5 years ago
To the author, your blog platform outputs an invalid canonical url for your content. It omits the `blog` subdomain which makes your canonical url point to a 404.
Comment #22221752 not loaded
merrvk, over 5 years ago
Isn't this just security 101? Not sure what it has to do with React Native.
reilly3000, over 5 years ago
Do people really put server keys into clients? I thought the general assumption outside of private servers is to trust nobody.
Comment #22221851 not loaded