- RNSEC v1.3.0 adds 17 new static-analysis rules for React Native and Expo, including Android StrandHogg task hijacking, iOS pasteboard leaks, Expo OTA code-signing gaps, and OAuth PKCE bypass.
- Total catalogue jumps from 68 to 85+ rules.
TL;DR
On 2026-04-19, RNSEC shipped v1.3.0, adding 17 new security rules across 8 scanner modules. The total rule catalogue grows from 68 to 85+. Highlights: Android StrandHogg task hijacking detection, iOS pasteboard data leaks, Expo OTA code-signing misconfig, OAuth PKCE bypass, unencrypted Realm/SQLite, and DIY crypto detection. Install and scan in one line: npx rnsec scan.
What's new in v1.3.0
RNSEC is a zero-configuration static-analysis scanner built for React Native and Expo apps. v1.3.0 expands its coverage into real-world mobile attack paths — the kind of misconfiguration that enables cross-app hijacking, OTA supply-chain injection, and silent clipboard exfiltration.
The release also ships an expanded secure/vulnerable example suite, a new 731-line rule test file (tests/rules.test.ts), and a false-positive fix for IOS_DATA_PROTECTION_MISSING that previously flagged against Apple's own guidance.
Why it matters
Most security scanners treat mobile apps like generic JavaScript. They miss the platform-specific ways a React Native or Expo app actually gets compromised: an Android activity with a misconfigured taskAffinity lets a malicious app intercept your login screen (StrandHogg). An Expo OTA update served over HTTP lets a network attacker inject code straight into production. A Linking.openURL() call on an unvalidated URL turns your app into a deep-link confused-deputy.
v1.3.0 is the first RNSEC release where the rule catalogue explicitly maps to these mobile-native attack classes rather than porting web-era lint rules.
Technical facts
Seventeen new rules, grouped by scanner module:
| Module | Rules | Sample rule ID |
|---|---|---|
| React Native / Expo | 5 | EXPO_AUTH_SESSION_NO_PKCE (HIGH) |
| Storage | 3 | UNENCRYPTED_SQLITE_DATABASE (HIGH) |
| Network | 2 | INSECURE_WEBSOCKET (MED) |
| Config | 2 | EXPO_UPDATES_INSECURE_URL (HIGH) |
| Android | 3 | ANDROID_TASK_AFFINITY_VULNERABILITY (MED) |
| iOS | 2 | IOS_INSECURE_PASTEBOARD_USAGE (MED) |
| Cryptography | 1 | CUSTOM_CRYPTO_IMPLEMENTATION (HIGH) |
| Authentication | 1 | MISSING_SESSION_TIMEOUT (MED) |
Notable individual checks:
- StrandHogg detection: flags `android:taskAffinity` on activities, which lets a malicious app hijack your task stack. An empty task affinity is recognised as the secure configuration.
- Expo OTA hardening: catches a missing `codeSigningCertificate` plus `http://` update URLs in `app.json`. Both are MITM-to-RCE paths in production Expo apps.
- OAuth PKCE bypass: `EXPO_AUTH_SESSION_NO_PKCE` only triggers when `usePKCE: false` is explicitly set, avoiding false positives on Expo's safe default.
- Unencrypted databases: flags Realm and SQLite opens that store auth, payment, credential, or medical data without an `encryptionKey` or SQLCipher.
- Custom crypto detection: AST-matches function names like `xorCipher`, `caesarEncrypt`, `simpleHash`, `base64EncodePassword`, but skips wrappers around CryptoJS / tweetnacl / forge.
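As an added illustration (not RNSEC's own code), here is how the two Expo OTA checks described above can be expressed over a parsed `app.json`: the `Finding` shape, the severities and the second rule ID are assumptions; the `expo.updates.url` and `expo.updates.codeSigningCertificate` keys are Expo's real config keys.

```typescript
// Illustrative checker for the Expo OTA findings described in the post.
// Not RNSEC's implementation: the Finding shape and rule IDs are assumed.

interface Finding { rule: string; severity: "HIGH" | "MED"; message: string }

// Expo keeps OTA settings under expo.updates in app.json.
interface ExpoConfig {
  expo?: { updates?: { url?: string; codeSigningCertificate?: string; enabled?: boolean } };
}

export function checkExpoUpdates(config: ExpoConfig): Finding[] {
  const findings: Finding[] = [];
  const updates = config.expo?.updates;
  // No OTA configured, or OTA explicitly disabled: nothing to transport or sign.
  if (!updates || updates.enabled === false) return findings;

  // Plaintext HTTP lets a network attacker substitute the update manifest/bundle.
  if (updates.url && /^http:\/\//i.test(updates.url)) {
    findings.push({
      rule: "EXPO_UPDATES_INSECURE_URL",
      severity: "HIGH",
      message: `OTA updates fetched over plaintext HTTP: ${updates.url}`,
    });
  }
  // Without a code-signing certificate the app cannot verify who produced the bundle.
  if (updates.url && !updates.codeSigningCertificate) {
    findings.push({
      rule: "EXPO_UPDATES_NO_CODE_SIGNING", // hypothetical ID; the post names only the check
      severity: "HIGH",
      message: "updates.url is set without updates.codeSigningCertificate; bundles are unverified",
    });
  }
  return findings;
}

// Constructed sample configs (not from any real project): the weak one beside the hardened one.
export const weakConfig: ExpoConfig = {
  expo: { updates: { url: "http://updates.example.invalid/manifest" } },
};
export const hardenedConfig: ExpoConfig = {
  expo: {
    updates: {
      url: "https://updates.example.invalid/manifest",
      codeSigningCertificate: "./certs/update-signing.pem",
    },
  },
};
```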
Scans still finish in under 100 ms on most projects. All analysis runs locally — zero telemetry, zero external API calls.
Comparison to previous releases
| Version | Date | Rules added | Total | Theme |
|---|---|---|---|---|
| v1.0.0 | 2026-01-16 | 53 | 53 | Initial release |
| v1.1.0 | 2026-01-18 | +16 / -11 | 66 | Keystore, TLS, jailbreak, integrity |
| v1.2.0 | 2026-03-05 | +2 | 68 | Supply-chain postinstall + obfuscated eval |
| v1.3.0 | 2026-04-19 | +17 | 85+ | Cross-origin / task hijacking / OTA / OAuth |
This is the largest per-release rule expansion since v1.1.0, and the first that explicitly targets mobile-native attack classes rather than portable web rules. It's also the first release with a dedicated tests/rules.test.ts harness — a signal that the rule set is stabilising.
Use cases
- CI pre-merge checks. Run `rnsec scan --changed-files main --md` inside GitHub Actions, GitLab CI, Bitbucket Pipelines, Azure DevOps, Jenkins or EAS. Exit code 1 on any HIGH finding, with auto-updated PR comments showing scan-to-scan diffs.
- Fintech and banking apps. The Realm/SQLite encryption, session timeout, root detection and pasteboard checks cover the common gaps regulators cite in mobile audits.
- Expo OTA rollouts. Run RNSEC in the EAS Build pre-publish hook to refuse builds that ship OTA without code signing or over HTTP.
- OAuth / social login flows. PKCE checks and insecure deep-link handling catch the exact bugs that cause mobile account-takeover CVEs.
Limitations & pricing
RNSEC is free and MIT-licensed. There's no paid tier, SaaS dashboard, or hosted scanner — everything runs on your machine or CI runner. That keeps it fast and private, but it also means:
- Static-only. Runtime-injected payloads, Hermes bytecode tampering, and reflection-based secrets are out of scope.
- Rule scope is mobile-specific. Server APIs, backend infra, and native C++ libs aren't covered.
- Node.js 18+ required. The official v1.3.0 `CHANGELOG.md` entry wasn't live on release day; NEW_RULES_v1.3.0.md is the canonical spec.
What's next
Judging from the commit graph, the author (@adnansahinovich) is steering RNSEC toward deeper CI/CD integration (richer PR comments, scan-to-scan trend analytics) and broader Expo coverage (plugins, config plugins, EAS hooks). Supply-chain rules shipped in v1.2.0 and cross-origin/task-hijacking rules in v1.3.0 suggest Hermes bytecode scanning or dynamic-link tampering checks are plausible next steps.
For now, the practical move is simple: bump your rnsec dev-dep to ^1.3.0, wire npx rnsec scan --md into your PR job, and fix the new HIGH findings before the next store submission.
Sources: npm, GitHub, NEW_RULES_v1.3.0.md, rnsec.dev.
