Mobile apps face a unique security challenge: your code runs on devices you do not control. Users can decompile your app, intercept network traffic, and run it on rooted devices. Here is how to protect your app and your users' data.
Secure Storage
Never store sensitive data in AsyncStorage or SharedPreferences. These are plaintext storage on both platforms. API tokens, user credentials, and encryption keys belong in the platform keychain.
iOS Keychain / Android Keystore. Use react-native-keychain (React Native) or the native Keychain Services / KeyStore APIs. Data stored here is encrypted at the hardware level and protected by the device's lock screen. This is where your authentication tokens, refresh tokens, and any sensitive user data should live.
Encrypt local databases. If your app stores data locally (SQLite, Realm), enable encryption. SQLCipher for SQLite adds AES-256 encryption with minimal performance impact. An unencrypted database on a stolen or rooted device exposes all user data.
API Security
Use short lived tokens. Access tokens should expire in 15-60 minutes. Use refresh tokens (stored in keychain) to obtain new access tokens. This limits the damage if a token is intercepted, the attacker has a narrow window before it expires.
Certificate pinning. Pinning your API's SSL certificate prevents man in the middle attacks even on compromised networks. In React Native, use react-native-ssl-pinning or TrustKit. Pin to your certificate's public key, not the certificate itself, this survives certificate renewal.
API key protection. Never embed API keys for third party services (Stripe, Firebase, analytics) directly in your app bundle, they can be extracted in minutes with basic tools. Use your backend as a proxy for sensitive API calls. The client authenticates to your backend, and your backend makes the third party call with the real API key.
Network Security
Enforce HTTPS for all connections. On iOS, App Transport Security (ATS) enforces this by default, do not disable it. On Android, configure a network security config that blocks cleartext traffic. Any HTTP connection can be intercepted on public Wi-Fi.
Do not trust the client. Every security check must happen on the server. Client side validation, access control, and business logic can all be bypassed by a modified app. If your app checks whether a user has premium access before showing a feature, that check must also happen on the server when the API is called.
Request signing. For high security applications, sign API requests with a timestamp and HMAC. This prevents request tampering and replay attacks. The signing key should be derived from the user's session, not hardcoded.
Code Protection
Enable ProGuard (Android) and bitcode (iOS). These obfuscate your compiled code, making reverse engineering harder. Not impossible, a determined attacker will always win, but obfuscation raises the effort bar significantly and stops casual attackers.
Do not hardcode secrets. No API keys, no encryption keys, no admin URLs in your source code. Use environment specific configuration loaded at build time. Run tools like truffleHog or gitleaks in CI to catch accidental secret commits.
Jailbreak and root detection. For apps handling sensitive data (fintech, healthcare), detect jailbroken/rooted devices and limit functionality. Libraries like jail-monkey (React Native) provide basic detection. Determined users can bypass this, but it stops casual abuse and satisfies compliance requirements.
Third Party SDK Security
Your app is only as secure as the SDKs you include. Third party libraries are a common attack vector.
Audit every SDK. Before adding any SDK, check: what permissions does it request, what data does it collect, does it phone home to third party servers, and is it actively maintained? Analytics SDKs in particular are notorious for collecting more data than documented.
Minimize SDK count. Every SDK increases your attack surface. We have seen apps with 30+ SDKs where half were unused or redundant. Review quarterly and remove anything that is not actively needed. Fewer dependencies means fewer vulnerabilities.
Monitor SDK network traffic. Use a proxy tool (Charles Proxy, mitmproxy) to inspect what data your SDKs send over the network. We have found analytics SDKs transmitting device identifiers, location data, and contact lists without explicit user consent, a violation of both App Store policies and privacy regulations.
Pin SDK versions. Do not auto update SDKs in production. A compromised SDK update (supply chain attack) can inject malicious code into your app. Pin specific versions, review changelogs before updating, and run security scans on every dependency update.
The OWASP Mobile Top 10
Prioritized for startups building with React Native:
1. Insecure data storage, use keychain, encrypt databases (covered above)
2. Insecure communication, HTTPS everywhere, certificate pinning
3. Insecure authentication, short lived tokens, biometric auth, server side validation
4. Insufficient input validation, validate all inputs server side
5. Insecure authorization, check permissions on every API call, not just the UI
The remaining five (code quality, code tampering, reverse engineering, extraneous functionality, insufficient cryptography) matter but are lower priority for most startup apps. Address the top five first.
Practical Implementation Timeline
Week 1: Migrate sensitive storage from AsyncStorage to keychain. Set up HTTPS only networking. Implement short lived tokens with refresh flow.
Week 2: Add certificate pinning. Remove hardcoded secrets. Enable ProGuard/bitcode. Add secret scanning to CI.
Week 3: Implement server side authorization for all API endpoints. Add jailbreak detection if required by your use case. Security audit and penetration test. Run automated security scanning with tools like MobSF (Mobile Security Framework) to catch common vulnerabilities before they reach production. Document your security architecture for compliance reviews and team onboarding.
For GameLootBoxes, we implemented all of these from day one, handling payments and real money transactions demands it. The same patterns apply to any app handling user data, which is every app. Check our App Store approval guide for how security practices affect review outcomes.
Our mobile development practice builds security into every app from the architecture level. The cost of adding security later is 5-10x higher than building it right from the start.
Need a security review of your mobile app? We will find the gaps before attackers do.