What are React Native Security Best Practices?

Why Interviewers Ask This

Senior React Native engineers are expected to reason about architecture, performance, and edge cases. This question separates mid-level from senior candidates by testing deep system-level understanding.

Answer

Security in React Native requires awareness of mobile-specific threats:

1. Secure storage: never use AsyncStorage for sensitive data (tokens, keys, PII); it is unencrypted and readable on the device. Use expo-secure-store (Expo) or react-native-keychain (iOS Keychain / Android Keystore, hardware-backed on devices that support it). MMKV with an encryption key is acceptable for semi-sensitive data.

2. Certificate pinning: prevent man-in-the-middle attacks by pinning your server's TLS certificate. Even on a compromised network that presents a forged certificate, the app rejects the connection:

    // react-native-ssl-pinning; the certs entry is a placeholder for your own pin
    fetch(url, { sslPinning: { certs: ["my-server-cert-sha256-hash"] } });

   Ship a backup pin and plan for certificate rotation: a pin that expires before users update the app locks them out.

3. Code obfuscation: Hermes compiles JavaScript to bytecode, which is harder to read than source, and ProGuard adds obfuscation on Android. The app binary can still be inspected, so never put secrets in app code.

4. Jailbreak/root detection:

    import JailMonkey from "jail-monkey";

    if (JailMonkey.isJailBroken()) {
      // Refuse to run or limit functionality
    }

5. API secrets: never hardcode API keys, secrets, or passwords in app code; they are easily extracted from the binary. Route calls that need secrets through a backend that proxies them, and use environment-specific API keys with limited permissions.

6. Input validation: validate all user input on both client and server. Use parameterized queries to prevent injection.

7. Deep link validation: validate deep link parameters before using them; never navigate blindly based on URL params.

8. Data in transit: always use HTTPS; use certificate pinning for sensitive endpoints; never transmit secrets in URL params (they are logged by servers and captured by analytics).

9. Local data encryption: encrypt the database (SQLCipher for SQLite) and use secure storage for all sensitive persisted data.

10. App Transport Security (iOS): enforce ATS in Info.plist, which disallows plain HTTP connections.
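As an added example (not code from the original answer), this is one way to implement item 7: an allowlist of routes with a pattern for every accepted parameter, so a link only reaches navigation if its scheme, host, route and params all match. The scheme myapp://, the host app.example.com and the two routes are assumed values.

```javascript
// Allowlist-based deep-link validation for a React Native app (added example).
// Assumed values: custom scheme "myapp:" and web host "app.example.com".
const APP_SCHEME = "myapp:";
const WEB_HOST = "app.example.com";

// Route allowlist: path -> target screen plus a pattern per accepted parameter.
// Anything not listed here (routes or params) is rejected rather than passed on.
const ROUTES = {
  "/product": { screen: "Product", params: { id: /^[0-9]{1,12}$/ } },
  "/profile": { screen: "Profile", params: { tab: /^(posts|likes)$/ } },
};

// Returns { screen, params } for a link the app may act on, or null otherwise.
function validateDeepLink(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null; // unparseable input is rejected, not guessed at
  }

  const isAppScheme = url.protocol === APP_SCHEME;
  const isWebLink = url.protocol === "https:" && url.hostname === WEB_HOST;
  if (!isAppScheme && !isWebLink) return null; // wrong scheme or foreign host

  // For "myapp://product?id=1" the WHATWG parser puts "product" in hostname
  // and leaves pathname empty, so rebuild the route path from both parts.
  const path = isAppScheme ? `/${url.hostname}${url.pathname}` : url.pathname;
  const route = ROUTES[path];
  if (!route) return null; // route not in the allowlist

  const params = {};
  for (const [key, value] of url.searchParams) {
    const pattern = route.params[key];
    // Unknown parameter names or values that fail their pattern reject the link.
    if (!pattern || !pattern.test(value)) return null;
    params[key] = value;
  }
  return { screen: route.screen, params };
}

module.exports = { validateDeepLink };
```

In the app, call validateDeepLink on the value from Linking.getInitialURL() or the "url" event and navigate only on a non-null result.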

Pro Tip

Back up your answer with a specific project or situation. Saying 'In my last React Native project, I used this when...' immediately makes your answer more credible and memorable.