Open design or security by obscurity

Security by obscurity relies on keeping an application's inner workings secret. In a traditional web application only a small part of the implementation resides on the client side, but that client-side code is easily reachable by attackers, who can read it to understand the logic and exploit it. Deciding what should and shouldn't be revealed in client-side code is fairly straightforward, at least for web applications. Find a balance: incorporate an open design, reveal only what is strictly necessary on the client side, and do the heavy lifting securely on the server side.

But mobile applications do the heavy lifting on the client side (the mobile device), especially if using a hybrid framework such as React Native. So should this recommendation of an open design principle be taken with a grain of salt?

Yes. Mobile applications tend to move logic and data storage to the client side, so obscurity is more important here than in web applications. Though attackers will eventually get to whatever is obscured with enough time and resources, certain controls, such as the ones discussed in the previous section, will delay them.

Typically, a mobile application’s binary and data exist on the device, so obfuscating code in the application binary would make it harder for attackers to understand how the application works, thwarting targeted attacks. But mitigations should still be employed on the server side. It should also be noted that sole reliance on obfuscation is considered bad practice.

In typical React Native applications, the JavaScript code resides on the client side alongside the native code and data. Unfortunately, the methods that obfuscate native code don't always work for JavaScript code, so choose wisely when selecting a React Native library for obfuscation, and ensure that the entire directory of React Native code is included in the obfuscation step. Also revisit the application design and prioritize what really needs to be done on the client side: can the application afford to move a risky piece of logic or data to the server side without losing speed and efficiency? With respect to data, React Native libraries exist that help manage environment variables and constants such as API and server keys. However, check whether such a library actually encrypts the data it stores or places access controls on the location of the data; many simply inline the values into the bundle, where they are as readable as any other client-side code.
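One practical way to verify the last point is to audit the built JavaScript bundle the way an attacker would read it. The following is an added example, not code from the book or from any React Native library: `findEmbeddedSecrets` is a hypothetical helper that scans bundle text for string constants assigned to secret-looking names (key, secret, token, password) and for any long, high-entropy quoted string, and `SAMPLE_BUNDLE` is a constructed, Metro-style fragment with fake values. Run it against a real `index.android.bundle` or `main.jsbundle` after the "environment variable" library of your choice has done its work; if the values come back in plaintext, the library has not protected them and the secret belongs on the server.

```javascript
// Added example: audit a built React Native bundle for plaintext secrets.
// SAMPLE_BUNDLE is constructed for illustration; all values are fake.
const SAMPLE_BUNDLE = [
  '__d(function(g,r,i,a,m,e,d){var n={API_URL:"https://api.example.invalid",',
  'API_KEY:"sk_live_EXAMPLE0123456789abcdefABCDEF",',
  'STRIPE_SECRET:"sk_test_FAKE0000000000000000000000",',
  'DEBUG:"false"};m.exports=n},400,[]);',
  '__d(function(g,r,i,a,m,e,d){var t="a3f9c2e17b4d8e60f15a9c3b7d2e4f81";m.exports=t},401,[]);',
].join("\n");

// Identifier names that usually hold credentials.
const SUSPICIOUS_NAME = /(key|secret|token|password|passwd|pwd)/i;

// Shannon entropy in bits per character; random tokens score well above
// natural-language strings of the same length.
function shannonEntropy(s) {
  if (s.length === 0) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Returns [{ name, value, entropy, reason }] for every quoted string that is
// either assigned to a suspicious name ("name") or long and high-entropy
// ("entropy"). Only double-quoted literals are handled, which is what Metro
// emits for string constants; extend the regexes for other bundlers.
function findEmbeddedSecrets(bundleSource, opts = {}) {
  const minLength = opts.minLength ?? 16;
  const minEntropy = opts.minEntropy ?? 3.5;
  const findings = [];
  const seen = new Set();

  // Pass 1: object-literal entries or assignments, e.g. API_KEY:"..." / key = "..."
  const assignRe = /([A-Za-z_$][\w$]*)\s*[:=]\s*"([^"\\]{8,})"/g;
  let m;
  while ((m = assignRe.exec(bundleSource)) !== null) {
    const [, name, value] = m;
    if (SUSPICIOUS_NAME.test(name) && !seen.has(value)) {
      seen.add(value);
      findings.push({ name, value, entropy: shannonEntropy(value), reason: "name" });
    }
  }

  // Pass 2: any quoted token-like string (base64/hex/url-safe charset) that is
  // long and high-entropy, regardless of what it was assigned to.
  const tokenRe = new RegExp('"([A-Za-z0-9+/=_.-]{' + minLength + ',})"', "g");
  while ((m = tokenRe.exec(bundleSource)) !== null) {
    const value = m[1];
    if (seen.has(value)) continue;
    const entropy = shannonEntropy(value);
    if (entropy >= minEntropy) {
      seen.add(value);
      findings.push({ name: null, value, entropy, reason: "entropy" });
    }
  }
  return findings;
}

// Mask a value for reporting so the audit log itself does not leak the secret.
function redact(value) {
  return value.length <= 8 ? "****" : value.slice(0, 4) + "…" + value.slice(-4);
}

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node audit-bundle.js [path/to/index.android.bundle]
  const fs = require("fs");
  const src = process.argv[2] ? fs.readFileSync(process.argv[2], "utf8") : SAMPLE_BUNDLE;
  for (const f of findEmbeddedSecrets(src)) {
    console.log(`[${f.reason}] ${f.name ?? "(anonymous)"} = ${redact(f.value)} entropy=${f.entropy.toFixed(2)}`);
  }
}
```

On the constructed bundle the audit flags `API_KEY` and `STRIPE_SECRET` by name and the 32-character hex token by entropy, while the API URL and the `"false"` flag are ignored. Tune `minEntropy` downward if your bundle embeds shorter or lower-entropy credentials; the point is the check, not the exact threshold.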