oopsec

v0.1.0

Published

9 days ago

😬 Your app got caught. Security auditor for React Native apps — finds secrets, leaks & vulnerabilities before hackers do.

0High
0Medium
0Low

pythonsst

react-native security audit apk secrets vulnerability scanner opsec mobile-security owasp

"Turns out your React Native app has been walking around with its secrets exposed this whole time."

oopsec finds API keys, tokens, passwords, and security vulnerabilities in your React Native app — before hackers do. It even cracks open your APK to show you exactly what the outside world can see.

The Problem

When React Native builds your app, everything — including all your .env variables — gets bundled into a single unencrypted file inside the APK called index.android.bundle.

An APK is just a ZIP file wearing a disguise. Rename it. Unzip it. Walk right in.

oopsec does exactly that — so you can find the leaks before someone else does.

Quick Start

# Scan your project
npx oopsec

# The killer feature — scan your actual APK
npx oopsec --apk ./android/app/build/outputs/apk/release/app-release.apk

What It Finds

🔐 Secrets & API Keys (30+ patterns)

Firebase, AWS, Stripe, Google, GitHub, Slack, Twilio, SendGrid, PubNub, Supabase, Sentry, Algolia
Hardcoded passwords, JWT tokens, Bearer tokens, private keys
Generic API key and secret assignments

📱 React Native Specific Issues

AsyncStorage storing sensitive data (tokens, passwords) unencrypted
Cleartext HTTP URLs (non-localhost)
Unvalidated deep link handlers
console.log leaking sensitive data
WebView with JavaScript injection enabled
Sensitive data copied to clipboard
Unencrypted Realm/SQLite databases
Disabled SSL pinning

🏗️ Build Configuration

android:allowBackup="true" — lets anyone extract app data via USB
android:debuggable="true" — lets anyone attach a debugger
Cleartext traffic allowed in Android/iOS
Missing code obfuscation (ProGuard/R8)
Hardcoded keystore passwords
.env files not in .gitignore
iOS NSAllowsArbitraryLoads disabling ATS

📦 Dependencies

Known CVEs via npm audit
Risky packages in production (debugger tools, dotenv bundlers)
Outdated React Native versions with known vulnerabilities
Missing lockfiles

💣 APK Deep Scan (The Killer Feature)

Extracts JS bundle from APK — shows what hackers actually see
Detects source maps shipped in production (exposes entire codebase)
Cross-references: if a secret is in your source AND in the APK bundle, it's confirmed exposed
Scans all .js, .json, .env, .pem, .key files inside the APK

Usage

# Basic scan of current directory
npx oopsec

# Scan a specific directory
npx oopsec --dir /path/to/your/rn-project

# Scan an APK file
npx oopsec --apk ./app-release.apk

# JSON output (for CI/CD pipelines)
npx oopsec --json

# Fail CI if critical or high issues found
npx oopsec --fail-on high

# Run specific scanners only
npx oopsec --scanners source,config

# Verbose output
npx oopsec --verbose

Example Output

  oopsec v0.1.0
  Your app got caught.

  ❌ CRITICAL  Firebase API Key
               src/config.js:12
               Google Firebase API key — can access Firebase services

  ❌ CRITICAL  Firebase API Key [CONFIRMED IN APK]
               Found in APK JS bundle — 100% exposed to the world

  ❌ HIGH      Sensitive Data in AsyncStorage
               src/auth/login.js:45
               AsyncStorage is unencrypted. Use react-native-keychain instead.

  ⚠️  MEDIUM   Android Backup Enabled
               android/app/src/main/AndroidManifest.xml
               allowBackup="true" allows USB data extraction

  ✅ PASSED    Dependencies
  ✅ PASSED    Log statements

  Score: 35/100

  2 Critical  1 High  1 Medium

  Your app has critical security issues that must be fixed before shipping.

Use in CI/CD

GitHub Actions

- name: Security Audit
  run: npx oopsec --fail-on high --json > security-report.json

As a pre-commit hook

{
  "husky": {
    "hooks": {
      "pre-commit": "npx oopsec --fail-on critical"
    }
  }
}

Programmatic API

const { audit } = require('oopsec');

const report = await audit({
  projectDir: './my-rn-app',
  apkPath: './app-release.apk',
});

console.log(`Score: ${report.score}/100`);
console.log(`Critical issues: ${report.stats.critical}`);

Why oopsec?

"Oops" + "OpSec" (Operational Security).

Because shipping your API keys to the world was probably an oops. 😬

Every mobile app is a published book — once it's out there, anyone can open it and read every page. oopsec makes sure there's nothing worth reading.

Contributing

See CONTRIBUTING.md for details on adding new scanners and patterns.

License

MIT