[Software Security] How does CodePush authenticate apps?

[zj-lin-zj]

For security reasons, how does CodePush authenticate the app that it's sending the bundle to? That is, does any app with the key receive the pushed js bundle? If so, it will pose a security risk as the key is stored in plaintext and can be leaked at the client app side.

Additionally, I am also curious where CodePush stores the downloaded js bundle. When I checked the app folder in Android, I wasn't able to find any downloaded bundle there. Reason to ask this question is whether the downloaded bundle is securely stored.

Thanks!

[richardhuaaa]

Hi @ACCTFORGH, yes - any app with the key can receive updates. I don't agree that it's a security risk though - the deployment key only gives read access to the latest updates explicitly released on a deployment, and hence it's only as secret as the source is. If you have a copy of the app, and the capability to reverse engineer it to get its deployment key, then you have the same reverse engineering capability to get the source, and the deployment key doesn't give you anything on top of what you already have (you could just keep getting updates on your copy of the app and then reverse engineering it to get the source). Does this make sense?

I gather that you're primarily concerned about keeping your source code secret from people who have downloaded your app. In this case, I believe this is not supported by React Native itself - see this discussion: facebook/react-native#1093. As mentioned in that issue, code on the client is not secret - you should aim to keep any sensitive information on the server.

Regarding your other question, CodePush stores the downloaded js bundle in the Android assets folder, so it's only as secure as the Android assets system is. Again, if your goal is to hide your source from people who have already downloaded a copy of your app, I'm not sure if React Native is the right platform for you (if it's even achievable on any platform).

[zj-lin-zj]

@Silhouettes Thanks for the reply. Yes, I think what you said makes sense. Some more sophisticated obfuscation from React Native side would be helpful to enhance security.

[richardhuaaa]

@ACCTFORGH, thanks for that! I'm going to close this now, but please feel free to ask any additional questions.