OTA updates security


#1

Hello all,

I recently gave a talk on the wonders of React Native (and Expo) to some clients, and was asked about the security of OTA updates. I realized that I’ve always just assumed that there was some signing process involved when fetching bundles when using Expo’s OTA update system, but that I never actually checked.

Can someone clarify which security measures have been taken to assure that the bundle that is downloaded onto the user’s phone is authentic and is not from, say, a MITM? :slight_smile:

Thanks for an awesome platform.


#2

Hi! I don’t have time to write something in-depth, but it would be a very sophisticated attack to MitM the updates. We fetch all published bundles over TLS, and also have a signing process for app contents fetched from our servers.


#3

See also: Security of Expo


#4

Thanks for getting back to me @dikaiosune - I’ll hook into the other discussion.


#5

Certainly a righteous quest also for code push. I wonder what their security is also.

Take a look at: