The EAS Update risk: Mitigating man-in-the-middle attacks

One of Expo's most powerful features is EAS Update, which allows you to send code updates directly to users' devices without going through the App Store or Google Play review process. However, this creates a major security concern: over-the-air (OTA) update hijacking.

If your update pipeline is not configured to use cryptographic signatures, an attacker who intercepts the network traffic can serve a malicious JS bundle to your app. The app will execute this bundle, leading to remote code execution (RCE) or user credential theft.

To secure EAS Update, you must enable code signing. This involves generating a private key on your build machine to sign your updates and configuring the public key inside your app's native code to verify the signature before running any update.

Pentest finding

Leaked Expo token allows code takeover

During an audit of a consumer wallet built on Expo, we recovered an Expo access token from an open GitHub repository. Using this token, we logged into their EAS portal and pushed a patched update bundle. The update redirected all user transaction requests to our logging backend.

Exposing variables in app.json and app.config.js

Developers often use extra variables inside app.json to store configuration values:

// app.json
{
  "expo": {
    "name": "My Wallet",
    "extra": {
      "backendUrl": "https://api.production.com",
      "thirdPartyApiKey": "12345-exposed-key" // VULNERABLE
    }
  }
}

These variables are bundled directly into the compiled application. During a penetration test, we extract the configuration file from the package assets and read all variables in plaintext.

Never store API secrets, database passwords, or staging keys in your Expo configuration files. Use environment variables during build time only for public configurations, and keep all secret keys on the server.

Expo Security Checklist

If your application uses Expo, verify these defensive items:

  1. Enforce EAS Code Signing: Configure code signing certificates to verify all update packages before they run on customer devices.
  2. Secure SecureStore API: Use Expo's expo-secure-store module to save sensitive session values. It uses Keychain on iOS and KeyStore on Android. Never use AsyncStorage.
  3. Clean Build Artifacts: Verify that no local configuration files (like .env) are accidentally included in your final package asset directories.

Get your Expo application audited

We specialize in identifying configuration issues and logical flows in cross-platform integrations. We will decompile your Expo bundles, check your update configurations, and audit your backend endpoints.

Book an Expo Pentest