Security of Expo

#1

Is there an article talking about the security of expo?

Lets say you publish to play / app store. First run of your app will download JS from wherever expo hosts your JS. What if there is a man in the middle? Is it possible for that middle man to add JS code?

#2

@qmitchell I think you are probably looking for something like this Production deployment on own server

As Expo host your code there is no reason they can’t add or replace your code that I can think of. I am 100% sure they won’t do that but it is possible.

#3

good question!

@Expo: is the bundle which is downloaded sign by you and verified before replacing it inside expo?

1 Like
#4

@andymac4182 That is helpful, since that is one aspect. Even if I host it on my own server though, is there anything stopping a man in the middle from modifying JS?

#5

We do two main things to secure Expo apps:

a) We sign the app manifest using public/private key encryption. This ensures that in order to even load an experience at all on the phone, it has to be signed by our private key.
b) we use HTTPS for everything, and rely on the mechanics of HTTPS to prevent man-in-the-middle attacks.

Man-in-the-middling Expo would require an attacker man-in-the-middling HTTPS, in addition to somehow re-signing the manifest with our private key, which of course they wouldn’t have access to.

3 Likes
#6

@skevy thanks!! Sounds great to me. if we at some point ‘exp detach’, is this functionality still there? I’m always a little confused on exactly what we lose out on if we ‘exp detach’.

Does everyone have the same private key or is a new private key generated on project creation? Where can we take a look at our key to determine uniqueness? Just in case we forked from another project, I wonder if we don’t have a unique key.

#7

I believe bundle validation is turned on in Android by default. You can enable bundle validation on iOS with these instructions: https://docs.expo.io/versions/v15.0.0/guides/advanced-expokit-topics.html#verifying-bundles-ios-only.

Note that even for a detached app without bundle validation, an attacker would still need to MITM the TLS connection to S3, which is no small feat since we rely on the OS’s certificate validation. While I’m not an expert in the field, I suspect that at the point where you can MITM S3 on a device you probably already have full access to the device’s filesystem.

1 Like
#8

Ok thx for the link. Btw if someone gets access to your phone for a minute it’s real easy to install a certificate so they can decrypt your https traffic as a proxy.

#9

@skevy is it only the manifest that is signed? What if MITM wanted to change just a source file. They could then by just breaking HTTPS?

#10

Very relevant question, any clarification @skevy ? :slight_smile:

1 Like
#11

Currently, just the manifest is signed. The manifest includes a content-addressed URL for the bundles on the CDN we use (currently CloudFront). If an attacker were able to MitM TLS traffic to CloudFront then they hypothetically would be able to change the JS loaded by your application. In the future we expect to do signing of bundles in addition to signing the manifest.