[Software Security] How does CodePush authenticate apps? #566
For security reasons, how does CodePush authenticate the app that it's sending the bundle to? That is, does any app with the key receive the pushed js bundle? If so, it will pose a security risk as the key is stored in plaintext and can be leaked at the client app side.
Additionally, I am also curious where CodePush stores the downloaded js bundle. When I checked the app folder in Android, I wasn't able to find any downloaded bundle there. The reason I ask is whether the downloaded bundle is securely stored.
Thanks!
Comments
Hi @ACCTFORGH, yes - any app with the key can receive updates. I don't agree that it's a security risk though - the deployment key only gives read access to the latest updates explicitly released on a deployment, and hence it's only as secret as the source is. If you have a copy of the app, and the capability to reverse engineer it to get its deployment key, then you have the same reverse engineering capability to get the source, and the deployment key doesn't give you anything on top of what you already have (you could just keep getting updates on your copy of the app and then reverse engineering it to get the source). Does this make sense? I gather that you're primarily concerned about keeping your source code secret from people who have downloaded your app. In this case, I believe this is not supported by React Native itself - see this discussion: facebook/react-native#1093. As mentioned in that issue, code on the client is not secret - you should aim to keep any sensitive information on the server. Regarding your other question, CodePush stores the downloaded js bundle in the Android assets folder, so it's only as secure as the Android assets system is. Again, if your goal is to hide your source from people who have already downloaded a copy of your app, I'm not sure if React Native is the right platform for you (if it's even achievable on any platform).
@Silhouettes Thanks for the reply. Yes, I think what you said makes sense. Some more sophisticated obfuscation from the React Native side would be helpful to enhance security.
@ACCTFORGH, thanks for that! I'm going to close this now, but please feel free to ask any additional questions.
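The maintainer's point in this thread is that anything shipped in the JS bundle (the read-only deployment key included) is readable by whoever has the app, so the real control is to keep server-side secrets out of the bundle in the first place. The following is an added example, not CodePush's or React Native's own code: a small pre-release check that scans a built bundle for strings that look like server-side secrets. The patterns are heuristics I chose for illustration, the sample bundle text is constructed, and the `allowlist` parameter is an assumed convention for marking values that are public by design (such as a deployment key):

```javascript
// Added example (not CodePush/React Native code): scan a built JS bundle for
// secrets that belong on the server. Patterns are illustrative heuristics.
const SECRET_PATTERNS = [
  { name: 'PEM private key',
    re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
  { name: 'AWS access key id',
    re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'Stripe live secret key',
    re: /\bsk_live_[0-9A-Za-z]{16,}\b/g },
  { name: 'Hard-coded credential assignment',
    re: /\b(?:password|passwd|secret|api[_-]?key|private[_-]?key)\b\s*[:=]\s*["'][^"']{8,}["']/gi },
];

// Returns findings sorted by line: [{ name, line, snippet }].
// `allowlist` is a list of non-global RegExps; any line matching one is
// skipped (use it for values that are public by design, e.g. a deployment key).
function scanBundle(bundleText, allowlist = []) {
  const lines = bundleText.split('\n');
  const findings = [];
  for (const { name, re } of SECRET_PATTERNS) {
    for (const m of bundleText.matchAll(re)) {
      // 1-based line number of the match start
      const line = bundleText.slice(0, m.index).split('\n').length;
      const lineText = lines[line - 1];
      if (allowlist.some((ok) => ok.test(lineText))) continue;
      findings.push({ name, line, snippet: m[0].slice(0, 40) });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample of a built bundle (not a real app). Line 2 is the kind of
// read-only, client-side value the thread says is expected to be in the app;
// lines 4-6 are the kind of server-side secrets that should never ship.
const SAMPLE_BUNDLE = [
  '// constructed sample of a built JS bundle (not a real app)',
  'var deploymentKey = "CONSTRUCTED-DEPLOYMENT-KEY";',
  'var apiBase = "https://api.example.com";',
  'var paymentSecret = "sk_live_CONSTRUCTEDxxxxxxxxxxxxxxxx";',
  'var config = { password: "constructed-plaintext-pw" };',
  'var pem = "-----BEGIN RSA PRIVATE KEY-----\\nMIIEconstructed";',
].join('\n');

// Convenience wrapper for a release gate: true when the bundle is clean.
function bundleIsClean(bundleText, allowlist = []) {
  return scanBundle(bundleText, allowlist).length === 0;
}

// Stand-alone run: print findings and use a non-zero exit code as a gate.
if (typeof require !== 'undefined' && require.main === module) {
  const found = scanBundle(SAMPLE_BUNDLE);
  for (const f of found) {
    console.log(`line ${f.line}: ${f.name}: ${f.snippet}`);
  }
  process.exitCode = found.length === 0 ? 0 : 1;
}
```

Running this over the constructed sample reports the Stripe key, the plaintext password and the PEM block but not the deployment key, which matches the thread's model: the deployment key is read-only and no more secret than the app itself, whereas a leaked payment or database credential does grant the holder something they did not already have. A check like this belongs in the release pipeline before the bundle is uploaded to any deployment.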