Why React Native apps need specialised pentesting
A standard mobile app pentest that only runs automated scanners will miss every React Native-specific vulnerability. The JavaScript bundle, the Hermes bytecode, the bridge between JS and native — these require manual analysis with RN-specific tooling. If your previous pentest vendor didn't mention any of these, they likely treated your app as a black box and missed the most critical attack surface.
We have tested dozens of React Native fintech apps across Nigeria. The same classes of vulnerability appear consistently, regardless of whether the team is using Expo, bare React Native, or a custom CLI setup.
What we test in a React Native penetration test
JavaScript bundle analysis
We extract the index.android.bundle or Hermes bytecode from your APK/IPA and analyse it for hardcoded API keys, secret tokens, internal API endpoints, business logic, and cryptographic implementations. Even with Hermes enabled, we use specialised decompilers like hbctool and hermes-dec to recover readable logic.
Bridge & native module testing
The React Native bridge passes serialised messages between the JavaScript realm and native modules. We test for injection through deep links, push notification payloads, and WebView interactions that can cross the bridge boundary and execute privileged native operations — biometric bypass, camera access, or file system reads.
Local storage & credential exposure
We check every local storage mechanism: AsyncStorage (unencrypted SQLite), MMKV, SecureStore, react-native-keychain, and SharedPreferences. In Nigerian fintech apps, we consistently find session tokens, BVN data, and transaction PINs stored in plaintext AsyncStorage instead of the hardware-backed Keystore/Secure Enclave.
Network & SSL pinning bypass
We test your certificate pinning implementation using Frida and Objection. React Native SSL pinning libraries like react-native-ssl-pinning and TrustKit each have known bypass techniques. We verify whether your implementation holds against real-world bypass scripts and whether fallback behaviour is secure.
Authentication & session management
We test biometric authentication flows (fingerprint and face ID), PIN-based login, token refresh logic, and session timeout behaviour. Common RN findings include biometric prompts that can be bypassed by hooking the TouchID or BiometricPrompt native module response, and refresh tokens that never expire.
API endpoint testing
The JavaScript bundle reveals every API endpoint your app communicates with. We extract these and test each one for BOLA/IDOR, broken authentication, mass assignment, rate limiting gaps, and business logic flaws — the same payment manipulation vulnerabilities we find in every Nigerian fintech backend.
Real findings from React Native pentests
These are anonymised findings from recent React Native penetration tests we conducted on Nigerian fintech applications:
Paystack secret key hardcoded in JavaScript bundle
A lending platform's React Native app contained the Paystack secret key directly in the JS bundle. The key was not obfuscated and could be extracted by unzipping the APK. With this key, an attacker could initiate refunds, view all transaction history, and create fraudulent charges against any customer. The key had been committed by a developer who used it for testing and never removed it.
Biometric authentication bypass via Frida hook
A digital wallet's fingerprint login could be bypassed by hooking the ReactNativeBiometrics.simplePrompt callback and forcing it to return {success: true}. The app did not verify the biometric result server-side — it simply trusted the client response. An attacker with physical access to a stolen phone could access the wallet without the owner's fingerprint.
Full user database enumerable via sequential IDs in API
By analysing the API endpoints extracted from the JS bundle, we discovered the user profile endpoint used sequential integer IDs (/api/users/1, /api/users/2, etc.) with no authorisation check. We could enumerate every user's full name, email, phone number, BVN, and account balance. The endpoint was not visible in the app's UI — it was only discoverable through bundle analysis.
Building a fintech app with React Native? We test the attack surfaces that generic pentest vendors miss — JS bundles, Hermes bytecode, bridge injection, and RN-specific storage flaws.
Book a React Native PentestWhy automated scanners miss React Native vulnerabilities
Tools like MobSF, Nessus, and Qualys are useful for surface-level checks, but they have fundamental limitations with React Native applications:
- They cannot read Hermes bytecode. If your app uses the Hermes engine (which most modern RN apps do), automated scanners see binary data and skip it entirely. We manually decompile Hermes bytecode to recover your application logic.
- They cannot follow the JS bridge. Scanners test the native layer and the network layer independently. They cannot trace a payload from a deep link, through the bridge, into a native module, and back. Manual testing is the only way to find bridge injection vulnerabilities.
- They cannot test business logic. A scanner cannot understand that your lending app's interest rate calculation happens client-side and can be manipulated. It cannot detect that your transfer flow allows negative amounts. These require a human tester who understands fintech payment flows.
- They generate false positives on RN boilerplate. React Native bundles contain thousands of lines of framework code. Automated scanners flag framework internals (like the Metro bundler debug endpoint) as vulnerabilities when they are not present in production builds.
Our React Native testing methodology
Every React Native pentest follows our structured methodology, adapted for the specific risks of the RN architecture:
- Reconnaissance: Extract the APK/IPA, decompile Hermes bytecode or read the plaintext bundle, map all API endpoints, identify third-party SDKs and libraries.
- Static analysis: Search for hardcoded secrets, analyse cryptographic implementations, review authentication flows in the JS code, identify insecure storage patterns.
- Dynamic analysis: Attach Frida to the running app, hook native modules, intercept bridge communications, bypass SSL pinning, test runtime protections (root/jailbreak detection, debugger detection).
- API testing: Use the endpoint map from the bundle to test every API for authorisation flaws, injection, rate limiting, and business logic vulnerabilities.
- Reporting: Deliver a detailed report with CVSS-scored findings, proof-of-concept evidence, and prioritised remediation guidance specific to React Native.
React Native vs Expo: testing differences
If your app uses Expo, additional attack surfaces exist. Expo's Over-The-Air (OTA) update mechanism can be intercepted if update signing is not properly configured. Expo Go development builds occasionally ship to production, exposing the full development server. We test for these Expo-specific risks alongside the standard React Native test scope. See our dedicated Expo security testing guide for details.
Frequently asked questions
How much does a React Native penetration test cost in Nigeria?
A React Native mobile app pentest typically costs between ₦1.5M and ₦4M depending on scope. Factors include the number of API endpoints, whether you need both iOS and Android tested, and whether the backend is in scope. We provide a fixed-price quote after a free scoping call.
Can you pentest a React Native app without the source code?
Yes. React Native apps bundle JavaScript in plaintext (or Hermes bytecode), which we can extract and analyse directly from the APK or IPA. We typically conduct grey-box tests where we have authenticated user accounts but no source code access, simulating a real attacker with a stolen device.
What is the difference between pentesting a React Native app and a native Android app?
React Native apps expose a JavaScript bundle that can be read or decompiled, making reverse engineering significantly easier than native Kotlin/Swift apps. The JavaScript bridge creates an additional attack surface that doesn't exist in native apps. We use RN-specific tools like Hermes decompilers alongside standard mobile testing tools like Frida and Objection.
How long does a React Native penetration test take?
A typical React Native mobile app pentest takes 2-3 weeks. This includes mobile client testing (both Android and iOS builds), API endpoint testing, and reporting. We provide daily Slack/Teams updates throughout the engagement so your team can start fixing critical issues immediately.
Related reading
Blog: React Native Security Pitfalls · Expo Security Testing · Hardcoded API Keys in Mobile Apps · SSL Pinning Bypass
Guides: Mobile App Pentesting Guide · OWASP for Fintech
Services: Penetration Testing · API Security Testing