Security Rules

Detects sensitive data stored in AsyncStorage (tokens, passwords, credentials). AsyncStorage stores data in plaintext and is accessible to all apps with root access.

Identifies hardcoded API keys, JWT tokens, AWS credentials, and secrets in source code. These can be extracted from app bundles.

AsyncStorage storing PII (email, phone, SSN, credit card) without encryption. Required for GDPR/CCPA compliance.

Redux persist configuration without encryption transform for sensitive data.

Sensitive data copied to clipboard (accessible by other apps).

Realm database opened without encryptionKey in contexts handling sensitive data. Unencrypted Realm databases can be extracted from rooted/jailbroken devices.

SQLite databases used without encryption (SQLCipher) for sensitive data storage. Plain SQLite databases can be extracted and read on compromised devices.

Expo SecureStore configured with weak keychain accessibility options (AFTER_FIRST_UNLOCK or ALWAYS) for sensitive keys. These options make data accessible even when the device is locked.

WebView loading HTTP URLs instead of HTTPS.

Network requests without timeout configuration. Can lead to resource exhaustion and denial of service if requests hang indefinitely.

TLS version less than 1.2 or custom httpsAgent with insecure options. Weak TLS configurations are vulnerable to protocol downgrade attacks.

WebSocket connections using unencrypted ws:// protocol. Data transmitted over ws:// can be intercepted via MITM attacks.

Hardcoded IP addresses in network URLs and API configurations. Hardcoded IPs make infrastructure changes difficult and may expose internal network topology.

WebView with dangerous default configurations that can enable XSS and code injection.

WebView with JavaScript enabled loading dynamic or user-controlled content.

WebView with file access enabled - allows access to local files.

WebView without URL validation on navigation - potential open redirect.

WebView onMessage handler without origin validation.

WebView with DOM storage enabled - may expose sensitive data.

WebView with geolocation enabled - requires proper permission handling.

WebView allows mixed content - HTTPS pages can load HTTP resources.

WebView with caching enabled - may cache sensitive content.

Native module calls without input validation.

WebView loading content without proper security headers like Content-Security-Policy (CSP) or X-Frame-Options. Missing headers can enable XSS and clickjacking attacks.

Math.random() used for security-sensitive operations (tokens, session IDs, encryption keys, OTP codes). Only flagged when used in security contexts - general use like Math.random() * 100 is ignored.

OAuth/access token passed in URL query parameters - logged in browser history.

SSL certificate pinning not implemented. While this is a recommended hardening measure against MITM attacks, many legitimate apps operate securely without it. Consider implementing for high-security applications.

JWT token retrieved from storage without expiration validation.

Password or sensitive input field without secureTextEntry property.

Biometric authentication falling back to insecure methods like PIN stored in JavaScript or plaintext password. Fallback mechanisms should be as secure as the primary authentication method.

No root/jailbreak detection for sensitive apps (banking, fintech, healthcare). Rooted/jailbroken devices can bypass security controls and expose sensitive data.

Authentication/session management files without session timeout or inactivity expiry logic. Without timeouts, stolen tokens remain valid indefinitely.

Use of weak crypto algorithms like MD5, SHA1, DES, or RC4.

Encryption keys hardcoded in source code.

Custom/DIY cryptographic implementations instead of standard libraries. Rolling your own crypto is a well-known anti-pattern that leads to exploitable vulnerabilities.

Network request/response logging enabled (Axios interceptors, fetch logging). Logs may contain auth tokens, API keys, and sensitive request data.

Backend error responses surfaced directly to UI or stack traces shown in production. Error messages can expose internal system details, credentials, or sensitive data paths.

Debugger statements or __DEV__ checks in production code. Debug code exposes internal state and can bypass security checks.

Deep link handlers without proper URL validation. Malicious apps can trigger arbitrary deep links to execute unauthorized actions.

Sensitive screens without screenshot/screen recording protection. Screenshots can expose sensitive data in photo galleries and backups.

dangerouslySetInnerHTML used with potentially unsafe content. Enables XSS attacks if user input is rendered as HTML.

eval() or Function constructor used - code injection risk. Allows arbitrary code execution.

console.log() statements logging sensitive data.

Sensitive data passed in navigation params or state.

No tamper detection, checksum/signature verification, or integrity APIs (Play Integrity API, App Attest). Apps without integrity checks are vulnerable to modification and reverse engineering.

Expo OTA updates configured without code signing verification. Without code signing, OTA updates can be tampered with via MITM attacks, allowing attackers to inject malicious code.

Linking.openURL() called with dynamic/variable URLs without validation. Can be exploited to open malicious URL schemes (tel:, sms:, custom deep links).

Sensitive data (passwords, tokens, API keys) passed through React Navigation navigate() or push() params. Navigation params are serialized and may persist in navigation state.

Push notification handlers that log or insecurely store notification payload data containing sensitive information.

Expo AuthSession OAuth flows with PKCE explicitly disabled (usePKCE: false). Without PKCE, mobile OAuth flows are vulnerable to authorization code interception attacks.

Detects 27+ types of exposed API keys and secrets including Firebase, AWS, Stripe, GitHub tokens, RSA keys, JWT tokens, and more. Exposed API keys lead to unauthorized access, data breaches, and financial loss.

Environment file (.env) with secrets potentially committed to repository. .env files contain production secrets and should never be in version control.

Test credentials or example passwords found in source code (test@test.com, admin/admin, demo passwords). Test credentials often work in production or reveal credential format.

Debug or development endpoints exposed in production code (/debug, /dev, /test, /admin). Debug endpoints bypass authentication and expose internal functionality.

Redux DevTools enabled in production. Exposes entire application state including sensitive data.

Storybook imports detected in production code. Increases bundle size and may expose component internals.

Source map reference in production bundle. Source maps reveal original source code including comments and logic.

android:usesCleartextTraffic="true" in AndroidManifest.xml - allows unencrypted HTTP.

android:debuggable="true" in production manifest - allows debuggers to attach.

Exported Android component without permission protection - other apps can access.

Broadcast receiver without permission protection - any app can send broadcasts.

android:allowBackup="true" - app data included in cloud backups.

Overly permissive intent filter may expose unintended functionality.

Android Keystore configuration without StrongBox, user authentication, or using weak block modes like ECB. Insecure Keystore usage weakens encryption and key protection.

Files written to external storage, shared directories, or without encryption. Externally stored files are accessible to other apps and users.

Android permissions declared but not used in code. Unnecessary permissions raise privacy concerns and user distrust.

Android activities with custom taskAffinity attribute, which enables StrandHogg task hijacking attacks. A malicious app can set the same task affinity to intercept the activity.

WebView remote debugging left enabled without a build-type guard. Allows attackers with physical access to inspect and modify WebView content via Chrome DevTools.

Android manifest without network_security_config.xml reference for apps using internet permission. Without this config, the app cannot enforce certificate pinning or restrict cleartext traffic per-domain.

App Transport Security disabled via NSAllowsArbitraryLoads - allows insecure HTTP.

ATS exception allows insecure loads for entire domains unnecessarily.

Missing usage descriptions for privacy-sensitive permissions (Camera, Location, etc).

Potentially unnecessary background modes enabled - privacy concerns.

Universal links configured without proper validation.

Custom URL scheme without validation code - any app can open.

Keychain access group configuration may expose data to other apps.

Keychain items using kSecAttrAccessibleAlways, missing kSecAttrAccessControl, or no biometric/passcode protection. Always-accessible keychain items can be extracted without user authentication.

Sensitive data written to the iOS pasteboard (clipboard), which is shared across all apps. On iOS versions before 14, any app can silently read the pasteboard.

Sensitive apps without protection against iOS app snapshots. iOS captures a screenshot when the app enters the background for the app switcher, potentially exposing sensitive data.

Potentially dangerous permissions in app.json. Overreaching permissions raise privacy concerns.

JSON.parse on untrusted input, eval-like dynamic object construction, or native deserialization without validation. Can lead to code execution or prototype pollution attacks.

Expo updates URL configured over insecure HTTP in app.json. HTTP update URLs allow MITM attackers to inject malicious code via OTA updates.

Sensitive values (API keys, secrets, passwords) hardcoded in app.json configuration. These values are bundled into the app binary and can be extracted.

App requests more permissions than necessary. Privacy concern, users may decline installation.

Known risky SDKs detected such as session replay tools or ad SDKs in sensitive apps. Some SDKs collect excessive data or introduce security vulnerabilities.