Security Overview

Mobile security fundamentals — what's different from web, app signing, secure storage, and threat models.

Mobile security differs significantly from web security. There is no Content Security Policy or CORS, but you gain app signing, hardware-backed secure storage, and a sandboxed environment.

Web vs Mobile Security

Concern          Web                                  Mobile
---------------  -----------------------------------  ----------------------------------------
Code visibility  JavaScript is readable in browser    Binary is compiled but can be decompiled
Storage          Cookies, localStorage (accessible)   Keychain/Keystore (hardware-encrypted)
Network          CORS, CSP headers                    Certificate pinning
Distribution     Direct URL                           App Store review process
Identity         Session cookies                      App signing certificates
Permissions      Browser prompts                      OS-level permission system

Threat Model

Common mobile-specific threats:

  1. Reverse engineering — Attackers can decompile your APK/IPA to read code
  2. Man-in-the-middle — Network traffic can be intercepted on untrusted WiFi
  3. Device theft — Physical access to an unlocked device
  4. Jailbreak/root — Modified OS bypasses security sandboxing
  5. Insecure storage — Sensitive data stored in plain text

Security Checklist

Storage

  • Store auth tokens in expo-secure-store (not AsyncStorage)
  • Never store API secrets in the app bundle
  • Use environment variables for configuration, not hardcoded values
  • Clear sensitive data on sign out

import * as SecureStore from "expo-secure-store";
import AsyncStorage from "@react-native-async-storage/async-storage";

// Good — encrypted storage (iOS Keychain / Android Keystore-backed)
await SecureStore.setItemAsync("auth-token", token);

// Bad — plain-text storage in the app's data directory
await AsyncStorage.setItem("auth-token", token);

Network

  • Use HTTPS for all API calls (never HTTP)
  • Implement certificate pinning for sensitive apps
  • Validate all server responses
  • Set request timeouts
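The following is an added example, not ScaleRocket's own code: a small fetch wrapper that enforces the Network checklist above (HTTPS only, a hard timeout, and validation of the response shape). The function names, the `{ id, email }` response shape, and the fake fetch implementations are assumptions made for this example; certificate pinning is configured natively and is not shown here.

```javascript
// Added example (not ScaleRocket's own code): enforce HTTPS, a timeout and
// response validation around fetch. `fetchImpl` is injected so the wrapper runs
// offline against a fake; in the app you would pass the global fetch.

const DEFAULT_TIMEOUT_MS = 10000;

// Reject anything that is not a plain https:// URL before a request is built.
function assertHttpsUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    throw new Error(`Invalid URL: ${url}`);
  }
  if (parsed.protocol !== "https:") {
    throw new Error(`Refusing non-HTTPS request to ${url}`);
  }
  if (parsed.username || parsed.password) {
    throw new Error("Refusing URL with embedded credentials");
  }
  return parsed;
}

// Validate the shape of a server response instead of trusting it blindly.
// The expected shape { id: string, email: string } is a constructed example.
function validateUserPayload(body) {
  if (body === null || typeof body !== "object") {
    throw new Error("Response body is not an object");
  }
  if (typeof body.id !== "string" || typeof body.email !== "string") {
    throw new Error("Response body is missing required string fields");
  }
  // Return only the validated fields, dropping anything unexpected.
  return { id: body.id, email: body.email };
}

// GET a JSON resource over HTTPS with a timeout and schema validation.
async function secureGetJson(url, validate, { fetchImpl = fetch, timeoutMs = DEFAULT_TIMEOUT_MS } = {}) {
  assertHttpsUrl(url);
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl(url, { signal: controller.signal });
    if (!res.ok) {
      throw new Error(`Server responded with HTTP ${res.status}`);
    }
    return validate(await res.json());
  } finally {
    clearTimeout(timer);
  }
}

// Constructed stand-ins for fetch so the example runs without a network.
function fakeFetchOk(body) {
  return async () => ({ ok: true, status: 200, json: async () => body });
}
function fakeFetchHang() {
  // Never answers on its own; fails only when the timeout aborts the signal.
  return (_url, { signal }) =>
    new Promise((_resolve, reject) => {
      signal.addEventListener("abort", () => reject(new Error("aborted")));
    });
}
```

Usage in the app would be `secureGetJson("https://api.example.com/me", validateUserPayload)` (hostname is a placeholder). The validator returns a new object built only from the fields it checked, so extra or unexpected fields from the server never reach application code.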

Authentication

  • Use biometric authentication for sensitive actions
  • Implement session expiry and auto-refresh
  • Lock the app after inactivity
  • Support secure sign-out that clears all tokens
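The Storage and Authentication checklists describe one mechanism from two sides, so the added example below (not ScaleRocket's own code) covers both: a session manager that keeps tokens behind an adapter with the same `setItemAsync` / `getItemAsync` / `deleteItemAsync` method names as expo-secure-store, tracks access-token expiry, refreshes before use, locks after inactivity, and removes every sensitive key on sign-out. The in-memory adapter, the injected clock and refresh function, and all key names are assumptions so that it runs offline; in the app you would pass `SecureStore` from "expo-secure-store" as the store.

```javascript
// Added example (not ScaleRocket's own code): session handling on top of a
// SecureStore-shaped adapter. Key names and the refresh contract are assumptions.

const ACCESS_KEY = "auth-access-token";
const REFRESH_KEY = "auth-refresh-token";
const EXPIRY_KEY = "auth-access-expiry";
const ALL_KEYS = [ACCESS_KEY, REFRESH_KEY, EXPIRY_KEY];

// Constructed in-memory adapter using expo-secure-store's method names.
// Replace with `SecureStore` from "expo-secure-store" in the app.
function memorySecureStore() {
  const data = new Map();
  return {
    async setItemAsync(key, value) { data.set(key, value); },
    async getItemAsync(key) { return data.has(key) ? data.get(key) : null; },
    async deleteItemAsync(key) { data.delete(key); },
    size() { return data.size; }, // test helper only, not part of expo-secure-store
  };
}

class SessionManager {
  // refreshTokens: async (refreshToken) => { accessToken, refreshToken, expiresAt }
  // now: injected clock (ms) so expiry and inactivity are testable.
  constructor({ store, refreshTokens, now = () => Date.now(), inactivityMs = 5 * 60 * 1000 }) {
    this.store = store;
    this.refreshTokens = refreshTokens;
    this.now = now;
    this.inactivityMs = inactivityMs;
    this.lastActivity = now();
    this.locked = false;
  }

  async saveTokens({ accessToken, refreshToken, expiresAt }) {
    await this.store.setItemAsync(ACCESS_KEY, accessToken);
    await this.store.setItemAsync(REFRESH_KEY, refreshToken);
    await this.store.setItemAsync(EXPIRY_KEY, String(expiresAt));
  }

  // Call from user-interaction handlers to keep the session alive.
  touch() { this.lastActivity = this.now(); }

  // Lock after inactivity; unlock() is meant to follow a successful re-auth (e.g. biometrics).
  isLocked() {
    if (!this.locked && this.now() - this.lastActivity >= this.inactivityMs) this.locked = true;
    return this.locked;
  }
  unlock() { this.locked = false; this.touch(); }

  // Return a valid access token, refreshing first if the stored one has expired.
  async getAccessToken() {
    if (this.isLocked()) throw new Error("Session locked after inactivity");
    const expiresAt = Number(await this.store.getItemAsync(EXPIRY_KEY));
    const access = await this.store.getItemAsync(ACCESS_KEY);
    if (access && Number.isFinite(expiresAt) && this.now() < expiresAt) return access;
    const refresh = await this.store.getItemAsync(REFRESH_KEY);
    if (!refresh) throw new Error("No session");
    const fresh = await this.refreshTokens(refresh);
    await this.saveTokens(fresh); // persist the rotated refresh token too
    return fresh.accessToken;
  }

  // Secure sign-out: every sensitive key is removed, not just the access token.
  async signOut() {
    for (const key of ALL_KEYS) await this.store.deleteItemAsync(key);
    this.locked = false;
  }
}
```

Storing the expiry next to the token lets the client refresh proactively instead of waiting for a 401, and iterating over `ALL_KEYS` on sign-out is what keeps "clear sensitive data on sign out" true as new keys are added.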

Code

  • Never embed API keys or secrets in JavaScript code
  • Use expo-constants for environment-specific configuration
  • Enable Hermes engine (compiles JS to bytecode, harder to read)

import Constants from "expo-constants";

// Good — from environment (app.json "extra"). These values still ship inside
// the bundle, so keep them to non-secret configuration such as URLs.
const apiUrl = Constants.expoConfig?.extra?.apiUrl;

// Bad — hardcoded; a secret in the URL is recoverable by decompiling the bundle
const hardcodedApiUrl = "https://my-api.com/secret-key-here";
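Since anything under `extra` in app.json ends up inside the bundle, a startup or build-time audit of that object catches the "bad" pattern above before it ships. The following is an added example, not ScaleRocket's own code: `auditExtras` flags secret-looking keys and values and checks that `apiUrl` is a clean HTTPS URL, and `loadConfig` refuses to start with any finding. The key/value patterns are heuristics chosen for this example, and the function names are assumptions.

```javascript
// Added example (not ScaleRocket's own code): audit the `extra` object that
// expo-constants exposes as Constants.expoConfig.extra. Patterns are heuristics.

const SECRET_KEY_PATTERN = /secret|private|password|passwd|api[_-]?key|token/i;
// Values that look like embedded credentials: vendor-style prefixes or long random strings.
const SECRET_VALUE_PATTERN = /^(sk|pk|ak|ghp|xox[abp])[_-][A-Za-z0-9_-]{8,}$|^[A-Za-z0-9+\/=_-]{32,}$/;

// Returns a list of human-readable findings; empty means the config looks safe.
function auditExtras(extra = {}) {
  const findings = [];
  for (const [key, value] of Object.entries(extra)) {
    if (SECRET_KEY_PATTERN.test(key)) {
      findings.push(`"${key}" looks like a secret; app.json extras are readable from the bundle`);
    }
    if (typeof value === "string" && SECRET_VALUE_PATTERN.test(value)) {
      findings.push(`value of "${key}" looks like an embedded credential`);
    }
  }
  if (typeof extra.apiUrl !== "string") {
    findings.push("apiUrl is missing");
    return findings;
  }
  let url;
  try {
    url = new URL(extra.apiUrl);
  } catch {
    findings.push("apiUrl is not a valid URL");
    return findings;
  }
  if (url.protocol !== "https:") findings.push("apiUrl must use https");
  if (url.username || url.password) findings.push("apiUrl embeds credentials");
  if (SECRET_KEY_PATTERN.test(url.pathname + url.search)) {
    findings.push("apiUrl path or query looks like it carries a secret");
  }
  return findings;
}

// Fail fast at startup: pass Constants.expoConfig (or the parsed app.json "expo" object).
function loadConfig(expoConfig) {
  const extra = (expoConfig && expoConfig.extra) || {};
  const findings = auditExtras(extra);
  if (findings.length > 0) {
    throw new Error("Unsafe app config:\n- " + findings.join("\n- "));
  }
  return { apiUrl: extra.apiUrl };
}
```

Run against the page's own "bad" URL, `auditExtras({ apiUrl: "https://my-api.com/secret-key-here" })` reports the secret-looking path; a clean `{ apiUrl: "https://api.example.com/v1", environment: "staging" }` (placeholder values) reports nothing.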

Build & Distribution

  • Sign release builds with proper certificates
  • Enable ProGuard (Android) for code obfuscation
  • Use App Store and Play Store as the only distribution channels
  • Enable Play Integrity / App Attest for API protection

ScaleRocket Mobile Defaults

Out of the box, ScaleRocket Mobile includes:

Feature             Implementation
------------------  --------------------------------------
Token storage       expo-secure-store (Keychain/Keystore)
Auth flow           Session auto-refresh, secure sign-out
HTTPS               All API calls over TLS
Biometrics          Optional via expo-local-authentication
Environment config  Via app.json extras
