Your React Native project does not need code obfuscation

Introduction

Code obfuscation transforms your readable source code into a much less readable form in order to keep hackers from exploiting bugs or leaks. But should you apply it to your React Native project? Here is why you should not.

The dialogue

When developing a React Native app, your client may ask you to apply obfuscation. You may think that is reasonable, and there are many open source libraries that support obfuscation, such as obfuscator-io-metro-plugin. You apply one to your project. Everything seems fine.

Until one day, you open a crash diagnostics tool, such as Sentry or Instabug, and find a bug or crash reported there. You tell yourself: it's OK, I can open the issue detail, see the location of the issue in my code and fix it quickly. You open the issue detail, and …

Hey, that's weird, this code is totally fine. Why the heck is it crashing at this line?

You don't understand, so you investigate to figure out where exactly the issue is. Some days later, while sitting at your desk, scratching your head, the cause of the problem suddenly pops up:

It's because of the obfuscator I installed some months ago!

Great! Now see what I mean? The obfuscator has mangled the source code, so we can no longer find which line of the code is wrong.

But perhaps there are other libraries that support both obfuscation and mapping for crash diagnostics tools?

Yeah, you're right. Unfortunately these libraries are commercial and priced very high. For example, JScrambler charges $5000/year to use its obfuscator. So, can your client afford this?

Oh boy, that’s too high. I don’t think my client can. What should I do?

Does your React Native project use Hermes for compiling JS code?

Of course! It comes as the default JS compiler of React Native.

Then you don't need an obfuscator anymore. Hermes compiles JS code into a binary file which is almost impossible to transform back into readable code. The best reverse engineering tool I have found so far can only transform the binary file into assembly code, which is a very low-level language and almost unreadable. Because of that, you no longer need to apply obfuscation to your React Native project. See the image below.

Bundle JS Code After Reverse Engineering

Thank you, man! You saved my day!

You’re welcome!

Wrap-up

So, having been through this talk-to-myself dialogue, you must have figured out what I want to say: if you are developing a React Native project, for the sake of maintenance do not use an obfuscator. The exception is if you're rich and want to make your code as secure as possible; then you can go with commercial libraries such as JScrambler or JSDefender. Make your own choice and live with it. Hope this helps!
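The Hermes argument in the dialogue only holds if the release bundle really is Hermes bytecode. The check below is an added example, not code from the original post: it tests the file header for the Hermes magic number and reports printable string literals that are still readable in the file. The `SENSITIVE` patterns, the function names and the sample bytes are assumptions constructed for illustration.

```javascript
// Added example, not from the original post. The sample bytes are constructed.
const HERMES_MAGIC = 0x1f1903c103bc1fc6n; // first 8 bytes of a Hermes bytecode file, little-endian

// Hypothetical patterns for literals that should not ship inside a client bundle.
const SENSITIVE = [/https?:\/\/[\w.-]+/i, /(api[_-]?key|secret|token)\s*[=:]/i];

// Collect runs of printable ASCII that are at least minLen bytes long.
function printableRuns(bytes, minLen = 8) {
  const runs = [];
  let run = '';
  for (const b of bytes) {
    if (b >= 0x20 && b <= 0x7e) { run += String.fromCharCode(b); continue; }
    if (run.length >= minLen) runs.push(run);
    run = '';
  }
  if (run.length >= minLen) runs.push(run);
  return runs;
}

// bytes: Uint8Array or Buffer, e.g. fs.readFileSync('index.android.bundle').
function inspectBundle(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const isHermes = bytes.byteLength >= 12 && view.getBigUint64(0, true) === HERMES_MAGIC;
  return {
    format: isHermes ? 'hermes-bytecode' : 'plain-js',
    bytecodeVersion: isHermes ? view.getUint32(8, true) : null, // uint32 after the magic
    flagged: printableRuns(bytes).filter((s) => SENSITIVE.some((re) => re.test(s))),
  };
}

// Constructed sample: a Hermes-style header, filler bytes and three literals.
// It is not a loadable bytecode file; it only exercises the checks above.
function buildSample() {
  const header = new Uint8Array(12);
  const v = new DataView(header.buffer);
  v.setBigUint64(0, HERMES_MAGIC, true);
  v.setUint32(8, 96, true); // constructed version number
  const enc = new TextEncoder();
  const parts = [header, [0, 1, 2, 3], enc.encode('https://api.example.test/v1'), [0],
    enc.encode('API_KEY=constructed-not-real'), [0], enc.encode('onPress')];
  return Uint8Array.from(parts.flatMap((p) => Array.from(p)));
}

console.log(inspectBundle(buildSample()));
```

In a release pipeline, pass the bytes of the bundle extracted from the built app and fail the build when `format` is `plain-js` or `flagged` is not empty.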
