Jed Bartausky:

Welcome back to another episode of the React Native Radio Podcast. Episode 366, securing React Native apps in an AI era.

Mazen Chami:

So Robin, how's your day been?

Robin Heinze:

Well, I went to the dentist this morning, Mazen, so interpret that how you will.

Mazen Chami:

Is your mouth numb or?

Robin Heinze:

No, it wasn't a filling. It was just a cleaning. But anytime I even get a cleaning, the rest of the day I'm just extra aware of my teeth and they're kind of gritty and my head hurts a little bit from them doing stuff in there. It's just not how I want to start my day.

Mazen Chami:

Yeah. You almost don't want to eat anything or drink anything. Just keep them super smooth.

Robin Heinze:

Super smooth, polished.

Mazen Chami:

Yeah. I'll

Robin Heinze:

Never eat anything again.

Mazen Chami:

No, I hear you.

Robin Heinze:

Yeah.

Mazen Chami:

I have the craziest thing. I don't even know how long it's been. I missed my ... You supposed to go every six months. I missed my six month one because it lined up with a snowstorm that we had. And for anyone that lives in the south when you get a snowstorm, everyone is shut down and everyone's trying to catch up for years almost. It feels like. I missed it by so much. I called them back to reschedule and lady was like, "Okay, okay. You might as well just reschedule it for your one year gap because I have nothing in between." So I was like, okay,

Jed Bartausky:

Cool.

Robin Heinze:

So you just completely missed that.

Mazen Chami:

Yeah. And there's no way of making it up unless I switch dentists, which I'm not planning on doing it or anytime soon. So that's my story. I missed my six month.

Robin Heinze:

Did anything happen though? Did you have a bunch of cavities when you came back?

Mazen Chami:

I have not gone to the six month though. Oh,

Robin Heinze:

You

Mazen Chami:

Haven't gone back? I haven't been gone yet. It's in I think either late June or early July.

Robin Heinze:

Okay, listeners. So we'll report back when he finally goes back to the dentist and has to get six fillings because he missed one cleaning appointment.

Mazen Chami:

You know what? What's funny is I love my toothbrush and every time I go to the dentist, they're like, "You have a good toothbrush." They literally say that to me.

Robin Heinze:

Wait, what's your toothbrush?

Mazen Chami:

Quip, Q-U-I-P.

Robin Heinze:

Not sponsored.

Mazen Chami:

Not sponsored. But if they want to sponsor, they can start into my DMs.

Robin Heinze:

Are we going to become influencers?

Mazen Chami:

I would do. No? I would do one.

Robin Heinze:

Well, you can have our discount go with Quip toothbrushes.

Mazen Chami:

Yeah. Quip. Hit me up. Oh,

Robin Heinze:

That's cool. I've heard of them. It's small and it's like a subscription, right? So they send you-

Mazen Chami:

You can do something. Yeah. They send you the heads and all that. They have more than just toothbrush brushes. I convinced my wife to finally get off her regular handheld old school toothbrush because I'm like, "You definitely brush too hard. Use one of these." So I got her hers. It actually arrived today. Believe it or not. It's funny how all this is lining up. It arrived today.

Robin Heinze:

Okay. As someone who still uses an old school manual toothbrush as you put it.

Mazen Chami:

I'll send you my information.

Robin Heinze:

What's the difference? Why is it better?

Mazen Chami:

One, it's the whole, I guess because I'm ADD or whatever, it's two minutes. It stops vibrating at every 30 seconds so you know to move to the next quadrant of your mouth. And if you are pushing too hard, it'll just stop vibrating and like stop.

Robin Heinze:

Stop.

Mazen Chami:

Yeah. It'll judge you for your brushing kind of thing.

Robin Heinze:

Do you have the regular one or is it like the sonic one?

Mazen Chami:

So I had the regular one. They call it the sonic toothbrush I had. I'm

Robin Heinze:

Looking this up.

Mazen Chami:

Yeah. I moved to the oscillating toothbrush with circular head. I just got that a month ago. I don't mind it. And I got my-

Robin Heinze:

Would you want to go back to the sonic one?

Mazen Chami:

I would probably go to the ultra light sonic one.

Robin Heinze:

Oh, that looks new.

Mazen Chami:

And I will say, I would recommend you go. If you're looking to get one, get the ultra light sonic one. And while you're at it, they have whitening strips, haven't tried it, flossers haven't tried it. What I have tried from them and actually ran out. I'm flying out on Monday, but I ran out too late. They have gum, which is actually pretty good gum. Just mint gum. Do they still have it? Wow. I'm on their website. I don't even see it anymore.

Robin Heinze:

Maybe I'll have to try a Quip toothbrush.

Mazen Chami:

Yeah, I don't see the gum on here anymore, but they used to have gum.

Robin Heinze:

You know what? We'll put it in the show notes just for fun. I don't think you can get in trouble for giving somebody free advertising.

Mazen Chami:

No, but hey, quip, reach out.

Robin Heinze:

Just like maybe throw us a discount code or something. Anyway, I'm sure the people who are listening right now definitely tuned in to hear us talk about teeth.

Mazen Chami:

Yes, they did.

Robin Heinze:

So we're going to disappoint them and talk about React Native instead, but first-

Mazen Chami:

Sure, let's do

Robin Heinze:

It. We should probably hear from our sponsor. So let's do that now.

Jed Bartausky:

Infinite Red. Infinite Red is a premier mobile app consultancy focused on Expo and React Native. We're a team of 30 that's located fully remote in the US with highly experienced mobile app developers. And we've been doing this for over a decade. We're also one of the first development teams to adopt agentic coding in a way that keeps high quality standards while also being able to dive in and do things the old school way if we need to. If you are looking for mobile app, expo or React Native expertise for your next project, hit us up at infinite.red/contact. Thanks. And now back to the episode.

Mazen Chami:

Okay. Let's get into our topic for today. I think we're going to carry on the AI bandwagon that we've been talking about recently.

Robin Heinze:

Everything is a little bit of AI sprinkled on top these days.

Mazen Chami:

That's actually interesting. Oh yeah, my agent's done doing what I asked it to do on that random app that I told you all I was building.

Robin Heinze:

New world that we're living

Mazen Chami:

In. Yeah, right.

Robin Heinze:

But yeah, we're talking about specifically securing React Native apps in the AI era. And we say in the AI era because Mazen, I don't know about you. To me, it feels like there's just been one security incident after another in the past six months to a year. They feel like they're happening so much more frequently with so much higher severity these days. Do you get that sense too?

Mazen Chami:

Yeah. I don't even watch the news anymore because I'm trying to keep up with all these AI attacks.

Robin Heinze:

It honestly is starting to feel like we need to be security experts in addition to being React Native devs

Mazen Chami:

Because

Robin Heinze:

I had to do research to even understand what some of these attacks were and how they worked and what happened and what the threat was and all of this stuff. And it's just like to keep doing my job, this keeps happening. And so yeah.

Mazen Chami:

They're deep. Some of these will get into them. They're like deep bugs.

I don't want to jump ahead, but we'll get to that in a little bit. But the crazy thing about AI is not only is it making us move faster, so our velocity is improving or increasing because you could do ... Git worktrees were powerful as it was, but you could only technically work in one worktree at a time because you're one person, but now you can spin up multiple code agents and have them work in different worktrees and solve different problems at the same time. And when they're done, you come back in, right? But then as part of that, attackers are also just as fast, if not faster too, because now they have more time on their hands to figure out all those back doors or that other ways of hiding things. And the crazy thing is, do you remember recently Anthropic announced they're releasing ... They created a model, I believe it was Anthropic.

They created a model that's so powerful they're not releasing it.

Robin Heinze:

No, I

Mazen Chami:

Missed that. Yeah. So they announced they're releasing a model, but not to the public. They're giving it to Google. They're giving it to Microsoft, IBM, I believe, giving it to those larger companies and be like, okay, people, this is what we created. Lock your stuff down before we release it to the public and figure out where all those back doors are so that we can, if we do release it to public, the attackers and all them hackers don't have a field day with it because it makes it that much easier for them.

Robin Heinze:

That's crazy. I mean, in the before times, I'm talking a year ago, that's so trippy. We're talking about the before times and it really hasn't been that long, but a bad actor, somebody who wanted to steal, steal, lie, whatever, hack into stuff to do bad things. They also had to be a incredible programmer in order to pull off a cyber attack. Now they just have to have tokens and make the AI who doesn't have morals, ethics, whatever, do it for them. And I think that's probably contributing to why we're seeing so many more of these things. And also there's so much more software out there that's vibe coded and probably has holes in it that a human didn't

Look at or notice. So it's a whole thing. Theo tweeted out a whole list of all of the security things. So he tweeted this out on May 12th and he said, these are security things from the last few days, copy fail, copy fail two, 13 advisories in Next.js, 70 CVEs addressed in macOS 26. This is a list of 10 or 12, 13 things just in the span of a couple days. Now you could argue that some are not as bad as he's making them sound. This is fear-mongering, whatever. But I mean, it's just true that there's all these things sort of happening more frequently now. Primeagen says he's not worried. I did a whole Twitter deep dive on what people were saying. This was specifically after the TanStack attack, which we'll talk about in a second, but a lot of people were weighing in.

Primeagen says he's not worried. Control what you can. Don't stress too much. I think there may also be sort of the plane crash effect, which is something that's what I would call it, but it's like when there's a really bad plane crash in the two or three months following it, it feels like there's a plane crash every other day in the news. And really it's just that there was a big one and now we're all kind of keyed in and thinking about it and digging up every little Cessna that crashes in the middle of Missouri, which would ordinarily not even make the news cycle. There may be some of that happening. We're looking for these things where we maybe weren't before and maybe some of them are not as catastrophic as people are saying they are.

Mazen Chami:

Yeah. And one thing I want to nitpick on what Primeagen said was control what you can. I don't think you can control what you can and what you don't know you can kind of thing because okay, we're talking about these incredible hackers, right? I think I even watched a movie about it a long time ago where this hacker hacked into the US government and then they hired them to work for the CIA. That's kind of how it all works out kind of thing and all that. And even the famous hacker, what do they call it? Anonymous, I think, hacker group. No one knows who they are. Now they have AI and they were able to hack into North Korea and the US government and leak documents and stuff like that. So they're able to do all that. You give them AI, then what? Okay. And we say control what you can.

It's hard. It's scary. And now's probably the time to buy a farm and go live off grid if you want to until things settle down and you can kind of come back maybe at some point. Not

Robin Heinze:

A bad idea. Really not a bad

Mazen Chami:

Idea. Farmer- I

Robin Heinze:

Know nothing about farming. What could go wrong?

Mazen Chami:

Farmers could be making a comeback. I'll just say

Robin Heinze:

That. Yeah. I mean, until our robotics technology advances quite a lot, I think farming is a pretty safe industry from AI. I did just read the Wild Robot series with my daughter, which is all about a distant future where robots do everything including farming and stuff. And they talk about the old days when horses and humans and stuff. But yeah, farming is probably-

Mazen Chami:

AI isn't farming apparently. I saw an ad recently. I think IBM is doing some- Oh

Robin Heinze:

My

Mazen Chami:

God. AI was fun. Of course

Robin Heinze:

It is.

Mazen Chami:

I think what they're trying to do is to help farmers get the best out of their crop and- Yeah,

Robin Heinze:

I

Mazen Chami:

Can see that. ... environmental factors weighted and stuff. All that makes sense. I get that. But no, farmers before AI worked just as fine, but yeah. And then you have the robots, the Tesla. Is it Tesla robot that can fold laundry for you? That's my job. So hopefully it doesn't take that away from me.

Robin Heinze:

I feel like you'll be okay.

Mazen Chami:

Yeah, right. Well, let's move into the TanStack one. The TanStack one was a little bit scary because everybody uses TanStack. I mean, I use TanStack on every single project. I still recommend everyone use TanStack and even Tanner was on the episode-

Robin Heinze:

Right. We had them on the show just a couple months ago. It felt very, very real, very close to home, that one.

Mazen Chami:

Exactly. I think. Yeah. And if anyone followed along Tanner and even just in their Discord or on Twitter, they handled it great. They even had a postmortem about it. They took care of it. I mean, it was hard to catch because it had signed commits. Signed commits are usually something that you start off on a project. Whenever we have a client that's big security conscious, they're like, "Oh, your commits need to be signed." Well,

Robin Heinze:

They were doing everything that they thought they were supposed to be doing to prevent something like this. They had two factor authentication turned on across the board for their NPM account and everything. They had lock files, they had signed commits. Like you said, they were using pnpm, which has recently been thought of as the silver bullet, like, "Oh, just use pnpm. Just use pnpm." But in this case, it actually seems like that didn't help.

It was actually cache poisoning that was the problem, which may have actually ... pnpm uses a shared global cache for installs, which is why it's a lot faster than NPM. So it may have actually been a factor, but it's scary to ... It's unsettling for these people who were doing everything that they were supposed to be doing and to have this still happen. Yeah, that's I think why a lot of people were affected by that. But let's talk about what actually happened, which is that in their GitHub Actions there was a pull request target trigger, which was run when a fork ... A pull request was made from a fork, but because it was pull request target instead of pull request, it ran the job with the base repo's permissions instead of the sandbox, the

Mazen Chami:

Forks

Robin Heinze:

Limited read only. And from what I read, the reason that exists is to let PolarQuest be able to do more helpful things like adding comments and tags and stuff automatically, which they wouldn't otherwise be able to do. But apparently, this pull request from a fork with malicious code in it ran against the base repo's permissions, grabbed an auth token or something from the cache or from the runner history.

Mazen Chami:

From the

Robin Heinze:

Action. Yeah. And then used it to poison all of the other NPM packages in the TanStack ecosystem. And then of course people downloaded them. It was detected within 20 minutes

Mazen Chami:

From what I read. Yeah. And that's the thing, right? They attacked TanStack, which has one of the largest download rate because they have so many packages within the stack. So you're downloading a lot. And even if you think about it, you could just also be doing pnpm install and most of the time if you have your caret, it'll just pull the latest version of it and then you have that. And yeah, I remember even reading, it was definitely about this one, I think, where what they did was they were listening to your GitHub token. So you have your GitHub token within your machine and if you revoked it, they had some sort of listener against it. And if you revoked it within a couple seconds, it just basically did rm -rf and just cleared your machine for you. It had that dead man, which just

Robin Heinze:

Killed

Mazen Chami:

You- It's just

Robin Heinze:

Evil.

Mazen Chami:

Yeah. They were like, "Don't do anything with your token so we can keep doing all this malicious stuff. In the meantime, we're going to monitor you.

Robin Heinze:

" It robbed you of your ability to protect yourself or punished you for protecting yourself after you discovered it, which is just wild. It's hard to believe there's people that are in the world and that bad. So like I said, it sounds like it was detected within 20 minutes by a security researcher. All the versions are deprecated, pulled all the tarballs from NPM, but if you had downloaded in those 20 minutes, you probably would've been impacted.

Mazen Chami:

So let's move on to the next other incidents because let's just go ... So yeah, this was May, and we're recording this in May. Another incident that also happened in May. Again, that's two big incident size incidences, however-

Robin Heinze:

Right. TanStack was the most recent major one. And then just this week-

Mazen Chami:

GitHub.

Robin Heinze:

After we had prepped all our notes for this episode, then after that, this GitHub breach happened.

Mazen Chami:

And this one just attacked multiple repositories. They said something about 3,800 of them were compromised. VS Code extensions were poisoned and stuff like that. I think we even Jamon had us go through all our-

Robin Heinze:

Oh yeah, our VS Code.

Mazen Chami:

VS Code- Extensions.

Robin Heinze:

Which is probably not a bad idea.

Mazen Chami:

It's nice to have an audit every now and then. Yeah. It's crazy that this is what prompted that.

Robin Heinze:

Well, it's crazy because GitHub is owned by Microsoft and VS Code is owned by Microsoft. So it's like Microsoft just supply chain attacked itself.

Mazen Chami:

Exactly. Yeah. I got rid of 16, so there goes that. But a lot of them were ... As I was deleting them, I was like, okay, why did I have this one installed in the first place?

Robin Heinze:

There's so many that I installed thinking they would be helpful. I was just like, oh, this sounds cool. Install. And then probably never used.

Mazen Chami:

Yeah. And sometimes you install that just for one thing. I installed ... What did I have? I had a C one and I think I remember that was because I did one C thing once and I needed to help with it sort of thing.

Robin Heinze:

I have a bunch of C++ ones, which can sometimes come in handy if you're digging into React Native source coded stuff. I like random tag closers and colorizers. And I had one called GoToNode modules, which just sends you into the Node Modules folder for a particular import. It's just random stuff like that.

Mazen Chami:

Yeah. And okay, you ready? I think internally at Infinite Red, I won't name names, but someone went from 53 down to 15.

Robin Heinze:

Dang. Wait, now I'm going to go look at who that was.

Mazen Chami:

And that's a lot, right? It's a lot.

Robin Heinze:

Depending on who it is, I will name names. No, okay. I won't name names.

Mazen Chami:

It's a lot. And someone else went down from, was it 49?

Robin Heinze:

49 to 18.

Mazen Chami:

18, right? So audit them. And here's the thing for everyone out there, I think one good practice is we'll get to more practical stuff later, but since we're talking about GitHub and VS Code specifically here, audit your extensions frequently. And

When it comes to GitHub tokens, one thing that you could also do is set a reminder to rotate your token every so often. Now, yes, there is the off chance that you rotate your token and the attack happens halfway through your cycle before you rotate it. What are you going to do? You just rotate it again at that point. So there's that. Now if we continue, we're going to skip April, March something hit close to home. We had two React Native packages that were compromised pretty bad and that was React Native international phone number and React Native Country Select.

Robin Heinze:

Yeah. It was a pre-install hook.

Mazen Chami:

Yeah. Smaller packages. Some people have them within it. They hit dev machines, they hit the CI malware malware, which is harder to take down. It kind of happened, but we also know the maintainer did take account take action quickly and he republished three. It was crazy to see. The maintainer was trying to fix the issue while the attacker was just bouncing off of what the maintainer was doing. So the attacker hit it republished three times.

Robin Heinze:

Republished three more times in 48 hours. Exactly. So it doesn't compute to me. Why is it so important to them to be mean to the rest of us?

Mazen Chami:

And it's big, right? This is 135K combined monthly downloads for these two packages. They're in React Native. I think I even had an older project that was using Country Select at one point. It's crazy to me that the attacker was just kind of monitoring it and the maintainer fixed it and they're like, "Nope, here you go. Nope, here you go. Nope, here you go. " I'm just like, "No." But again, the nice thing about the open source community that we're at, people flagged it quickly and it was being able to take care of fairly fast.

Robin Heinze:

So there was also one in React Native itself where I guess specifically Metro. It was a critical vulnerability and was actively being exploited. Essentially, Metro exposes this open URL endpoint and the attackers were doing command injection with that endpoint without any auth required. And it meant that a bunch of Metro servers were exposed on the internet, which is a direct path into a dev machine. So that's really not a good thing because you can get into someone's dev machine and there's source code and environment variables and network access and all this stuff.

Mazen Chami:

Tokens and stuff. Yeah.

Robin Heinze:

So you really don't want your Metro server to be open to the wider internet. So that was a bad one and it was obviously patched right away, but it affected the CLI server API package from React Native Community. The vulnerability was there from version 4.8 to version 20. So the vulnerability had been there for a really long time and then attackers started exploiting it, which is when they fixed it. So version, sorry, it affected 20 alpha two. So version 20 stable, it's fixed, but oh man

Mazen Chami:

This is the scary one, right? Getting the full access into your machine. And that's also something that I worry about a lot whenever I'm trying to optimize life. Claude is so powerful and I'm like, "What are ways it can work?" And I'm like, "Oh, what if I give it access to my Gmail?" And then as part of that, access to my calendar and help me put up a dashboard for my family and kind of set things up. I've talked publicly on here about Skylight and how great it is for our family. That's one way of also improving that and getting things more optimized. But then I'm like, "No, I'm not going to give Claude access to my email." If it's

Robin Heinze:

Easy for you, it's easy for bad actors

Mazen Chami:

Too. Exactly, exactly. And then also access to your machine is also a tough one.

Robin Heinze:

We all need to start living our life like Mark. If you guys remember Mark Rickert, we've had him on the podcast a couple times, but he is famously very, very, very careful with his personal data to an extreme degree. He has private network in his house, all of his financial data and everything he has a private server for. He's pretty extreme, but you know what? I don't blame him and maybe we're all going to go down with the ship and he's going to be standing on dry land saying-

Mazen Chami:

Told us. "I was right."

Yeah. And this actually reminds me, I don't know if this would be one that would be helpful for this kind of vulnerability, but there's something I came across a while ago. I never got to really install it, but I remember looking into it like, this could be a good one. There's agentsafehouse.dev or something like that out there and the idea of it is it basically creates almost like a pre-commit type hook for your agents. Whenever your agent wants to do something, it has to go through this agent safe house and the agent safe house will let it give it permission or not. So it's pretty cool. You can go, what is that? YOLO. You can do YOLO command, but then be safe about it. And you know how you can now have it control your machine and stuff like that? This is a safe guard, safe house.

So you can let it do all that but then still not be a bad actor within it. This is another thing.

Robin Heinze:

Yeah.

Mazen Chami:

Okay.

Robin Heinze:

Okay. So all this stuff is scary, unsettling, all the things. What can we control? Like Primeagen said, control what you can. I know you said he was wrong. We can't control anything, but there are some things I think that we can do to limit our vulnerability to these things that are going to happen and we might as well protect ourselves the best we can. Dependencies are obviously a huge vector that most of these things are happening through because it's basically like you're just trusting that code that someone else wrote, you're going to come in and run it on your machine and you're trusting that it's fine. So yeah, that seems like a huge vector. If you can not use a dependency if it's at all possible to roll your own, write your own library, whatever you need instead of installing something from NPM, maybe we start reaching for that option where we can, especially now that it's a lot easier to have an agent write you up a little dropdown library instead of finding one on NPM, that kind of thing.

The more you can just not use a dependency if you can help it, we'll protect you to some degree.

Mazen Chami:

And on the dependency side, I know this is probably more expensive for the smaller companies out there, but use something like JFrog or something, self-host your own registry.

Robin Heinze:

Self-hosted registries.

Mazen Chami:

Yeah. Delay when those updates come in. This might be jumping ahead a little bit, but setting your minimum release age for those to a specific maybe say three days or something.

Robin Heinze:

I feel like that's huge. Yeah,

Mazen Chami:

That's a big-

Robin Heinze:

Because I mean all of the major attacks that we just talked about, the TanStack, the GitHub breach, everything, they're usually discovered within a day. So if you're setting your minimum release age to 24 hours, you've already protected yourself against 90%. I'm making that percentage up, don't quote me, but you've already protected yourself against the vast majority of these kinds of attacks. It's not a perfect solution, but it does help.

Mazen Chami:

And if you push it up to seven days, you can almost be like, "All right, it's probably not going to come from my dependencies sort of thing." Yeah, delay those updates. These self-hosted registries do some reviews on them. They give you that protection from your

Robin Heinze:

Dependency. Right. They're running detection software and stuff on packages before they're allowed to come into the protected registry.

Mazen Chami:

But they're expensive.

Robin Heinze:

They are. I mean, it's kind of an option that's only available in a corporate enterprise environment where you have the money and resources to do something like that. But even if you can't access a third party registry, the very least you can do is set your minimum release age to 24 hours or even 48 hours. Why are we in such a hurry, guys? We don't need to install the latest thing. We can wait 48 hours. We can wait more than that. It's fine. We just could just chill a little bit. That's free. Sending your release age to a higher number is free. There's also a The third party security vendors like Snyk is one that I've used that routinely scan your project and its dependencies for bad stuff. So that's another little piece of mind thing. These are the things we control. We can't control bad people who decide to do bad things.

Mazen Chami:

And like we said earlier, pull request target, make sure you don't have- Oh yeah.

Robin Heinze:

Don't use pull request target in your GitHub Actions workflow. Yeah.

Mazen Chami:

And then as we like- This is what we've learned. So that's high level stuff. Do everything you hear about your agents, I mentioned Safehouse for your machine and all that and everything we just mentioned. Now within your React Native application, there's a couple things you can do.

Robin Heinze:

And these are the same things that have been recommended for years.

Mazen Chami:

Right. Yeah. We even did an episode on this one a long time ago. This

Robin Heinze:

Is standard stuff, but it's a good reminder.

Mazen Chami:

Secure storage. Don't use AsyncStorage or MMKV. MMKV does have encryption within it that you can add, but for sensitive data, for the sensitive data, use React Native Keychain or Expo Secure Store. That's more secure. It's more secure, believe it or not, than your .env file. That is not secure.

Robin Heinze:

Your .env file is not secure at all.

Mazen Chami:

It's in their binary, easy to pick up.

Robin Heinze:

This is something I didn't know for a long time. The concept of ENV is a server side concept. It is something that is intended to be used by a server side application. So it's running in a box that nobody can see, not in a client side application. In

Mazen Chami:

A client side

Robin Heinze:

Application. And I don't know why people think of mobile apps as more secure client side applications than browsers. Just because you get pop open the DevConsole and inspect it doesn't mean it's not possible to break it open and see what's inside. It's very, very possible. .env. It's convenient, but it is not secure. Don't put your secrets in there.

Mazen Chami:

Yeah. Yeah. And then there's tools out there. There's a IPA tool, CLI command that you can install on your machine. You can use that to download any iOS app onto your machine and then just search it.

Robin Heinze:

Rifle through it.

Mazen Chami:

Yeah.

Robin Heinze:

See what's in there.

Mazen Chami:

Exactly. Yeah. Don't

Robin Heinze:

Put secrets in your app.

Mazen Chami:

Yeah. All it does is inject your ENVs or what you call secrets into your bundle. That's it.

Robin Heinze:

Right. If there's secret tokens that you need, they should be stored on a server and you fetch them with an authenticated API request.

Mazen Chami:

Another one, SSL and TLS pinning, especially if you're calling APIs.

Robin Heinze:

Right.

Mazen Chami:

Yeah.

Robin Heinze:

It just makes sure your client application can only hit a predefined or a predetermined server. You can only hit that specific server at that specific address, otherwise it won't work.

Mazen Chami:

They basically, you almost like it's a handshake. You tell each other that, "Hey, you know me, I know you, and we're the only ones that can communicate with each other," sort of thing.

Robin Heinze:

Supposed to prevent man in the middle attacks.

Mazen Chami:

Person in the middle attack.

Robin Heinze:

Person in the middle attacks. Thank you.

Mazen Chami:

I mean, it's still, what is it? M-I-T-M. Whenever you search it, that's the acronym. Still that, whatever.

Robin Heinze:

Yeah. And then keep your tokens short-lived, refresh them often. I mean, that's not even React Native. That's just security 101 is keep your token length really short and refresh it when you need to. Keep your refresh tokens in secure encrypted storage, but your regular auth tokens, just keep their window of usefulness really short.

Mazen Chami:

Yeah. And one thing I will also mention is if you're going to give access to anything specifically write. I know, for example, if you're trying to give an MCP access to Claude, it'll ask you, do you want read, write access? And I believe search also. Make a conscious decision on if you are going to give it the right permissions. Why are you giving it the right permissions? Do you need it to write or do you need it just to read? Because if you need it to just read, just give it that access. Limit the surface area of what your tokens are doing within. I think that one's very important. And one other one, this one might be a lot dependent on what you do and how you work. But I believe Jamon mentioned this, but maybe create a standard user, not an admin user on your machine.

And that one is what's used for development. That way you can't really pseudo or do anything too crazy within your machine without the higher level permissions.

Robin Heinze:

Yeah.

Mazen Chami:

Stuff like simple

Robin Heinze:

Stuff. I think it's a smart thing to do. If you're not in a position to be able to have a dedicated separate machines for every project, I think that's going to be a lot more common to keep AI in its little box where it can't do anything bad.

Mazen Chami:

Cool. Yeah. Do all that and I think you can kind of control everything. Set your minimum release age, never use pull request target.

Robin Heinze:

Never use pull request target.

Mazen Chami:

Use security best practices. Make

Robin Heinze:

Sure you're using pnpm or turning off pre-install hooks.

Mazen Chami:

Yes.

Robin Heinze:

Update your React Native Community CLI package to version 20 if you haven't already.

Mazen Chami:

Do all that and you will be putting your best foot forward in any of these situations and we're praying for you all.

Robin Heinze:

And ourselves.

Mazen Chami:

And ourselves.

Robin Heinze:

I mean, huge grain of salt here. We're not security experts. We're React Native developers who are figuring this out and learning how to protect ourselves and our clients. And I think that's good for ... Everyone needs to have a baseline understanding of security principles at this point.

Mazen Chami:

Exactly. Awesome. Well, to kind of wrap us up, Robin, do you have a mom joke for us?

Robin Heinze:

I do. I'm really excited. I just got an award for being the most secretive person in the office and I can't tell you how much that means to me.

Mazen Chami:

See what you did there.

Robin Heinze:

That was Jamon's. He gets and give him credit for that one.

Mazen Chami:

Nice. That's awesome. Cool. Well, see you all next time. Bye.

Robin Heinze:

All right. Thanks for listening. Bye.

Jed Bartausky:

As always, thanks to our editors, Tyler Williams and Jed Bartausky, our marketing and episode release coordinator, Justin Huskey, and our guest coordinator, Mazen Chami. Our producers and hosts are Jamon Holmgren, Robin Heinze, and Mazen Chami. Thanks to our sponsor, Infinite Red. Check us out at infinite.red/radio. A special thanks to all of you listening today. Make sure to subscribe to React Native Radio on all the major podcasting platforms.