Security Checklist for Mobile Releases
Before each production release, a short security pass can prevent common issues. Here’s a checklist we use for React Native and Expo apps.
Secrets and Environment
Ensure no API keys, tokens, or secrets are committed. Keep configuration in environment variables so it stays out of the repo, but remember that anything compiled into the JS bundle or native binary can be extracted from the shipped app, so a key that must stay secret belongs behind your own backend, not in the client. Use secure storage (e.g. Expo SecureStore) for values the app obtains at runtime, such as session tokens. Before release, run a quick search for high-entropy strings and common secret patterns over the working tree, and over git history as well, since a secret that was committed and later removed is still recoverable from the repo.
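The pre-release secret search, as an added example (not code from the original post): it combines regexes for well-known key formats with a Shannon-entropy check, because each catches what the other misses. The key-format regexes are assumptions based on published key shapes; the "repository" is a constructed in-memory map of file contents so the script runs offline, and the key-shaped strings in it are fabricated test values.

```javascript
// Added example, not from the original post. Scans file contents for
// hard-coded secrets using known key formats plus an entropy heuristic.
// SAMPLE_REPO stands in for a real checkout; in practice walk the tree
// with fs and skip node_modules, build output and lockfiles.

// Known key shapes (assumed from published formats; extend for your providers).
const SECRET_PATTERNS = [
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'Google API key', re: /\bAIza[0-9A-Za-z_-]{35}\b/ },
  { name: 'Private key block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  { name: 'Bearer token in code', re: /\bBearer\s+[A-Za-z0-9._~+/=-]{20,}/ },
  {
    name: 'Hard-coded credential assignment',
    re: /(?:api[_-]?key|secret|token|password)\s*[:=]\s*["'][^"'\s]{12,}["']/i,
  },
];

// Shannon entropy in bits per character. A random key scores close to
// log2(number of distinct characters); identifiers and words score well below 4.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

const CANDIDATE_RE = /[A-Za-z0-9+/=_-]{20,}/g; // long base64/hex-like runs
const ENTROPY_THRESHOLD = 4.0; // bits/char; tune against your own false-positive rate

function scanText(path, text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const { name, re } of SECRET_PATTERNS) {
      if (re.test(line)) findings.push({ path, line: i + 1, kind: name });
    }
    for (const candidate of line.match(CANDIDATE_RE) || []) {
      if (shannonEntropy(candidate) >= ENTROPY_THRESHOLD) {
        // Report only a prefix so the scanner's own output does not leak the value.
        findings.push({ path, line: i + 1, kind: 'high-entropy string', sample: candidate.slice(0, 6) + '...' });
      }
    }
  });
  return findings;
}

function scanRepo(files) {
  return Object.entries(files).flatMap(([path, text]) => scanText(path, text));
}

// Constructed sample files; the key-shaped strings are fabricated test values.
const SAMPLE_REPO = {
  'src/config.js': [
    'export const API_BASE = "https://api.example.com";',
    'const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";',
    'export const SIGNING_SECRET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123";',
  ].join('\n'),
  'src/utils.js': 'export function getUserProfileSettings(user) { return user.settings; }',
};

for (const f of scanRepo(SAMPLE_REPO)) {
  console.log(`${f.path}:${f.line} ${f.kind}`);
}
```

Note what each heuristic catches in the sample: the fake AWS key has an entropy of about 3.7 bits per character, below the threshold, so only the format regex finds it, while the fabricated signing secret has no known shape and is caught only by the entropy check (and by the credential-assignment pattern). A scanner with only one of the two would miss a real secret of the other kind.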
Network and Data
Confirm all production API calls use HTTPS; a single http:// base URL left over from development is enough to expose session tokens on the network. If you pin certificates, test that the app actually rejects a connection presented with an untrusted certificate (for example through an intercepting proxy) and that the pin set already includes the next certificate rotation, so a routine renewal does not lock users out. Check that sensitive data is not logged: strip PII and tokens before anything reaches console output or crash reporting. Review what is cached (HTTP responses, images, AsyncStorage) and ensure nothing sensitive is stored in plaintext; AsyncStorage is not encrypted, so it is the wrong place for tokens or personal data.
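The two checks above that can be enforced in code, refusing a plaintext API base and redacting logs, as an added example that is not from the original post. The set of sensitive field names and the redaction patterns are assumptions to align with your own API schema, and the log payload is a constructed sample. Certificate pinning is not covered here, since it lives in native configuration rather than application JavaScript.

```javascript
// Added example, not from the original post. Enforces HTTPS for the API base
// and scrubs tokens and PII from structured log payloads before they are emitted.

// Keys whose values are always replaced wholesale (assumed names; extend for your API).
const SENSITIVE_KEYS = new Set([
  'authorization', 'password', 'token', 'access_token', 'refresh_token', 'set-cookie', 'cookie',
]);

// Value patterns scrubbed from any string, including free-text messages.
const BEARER_RE = /\bBearer\s+[A-Za-z0-9._~+/=-]+/g;
const JWT_RE = /\b[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/g;
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

function redactString(s) {
  return s
    .replace(BEARER_RE, 'Bearer [REDACTED]') // consumes the token after "Bearer " as well
    .replace(JWT_RE, '[REDACTED_JWT]')
    .replace(EMAIL_RE, '[REDACTED_EMAIL]');
}

// Recursively redacts a log payload. Returns a new value; the input is not mutated.
function redact(value) {
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? '[REDACTED]' : redact(v);
    }
    return out;
  }
  return value; // numbers, booleans, null pass through
}

// Fails fast at startup if the configured base is not HTTPS. Returns the origin.
function assertHttps(url) {
  const u = new URL(url);
  if (u.protocol !== 'https:') {
    throw new Error(`Refusing non-HTTPS API base: ${url}`);
  }
  return u.origin;
}

// Logging wrapper: every payload goes through redact() before reaching the sink.
function safeLog(sink, event, fields) {
  sink(redact({ event, ...fields }));
}

// Constructed sample payload; the token is a fabricated, unsigned JWT shape.
const SAMPLE_LOG = {
  user: { email: 'alice@example.com', id: 42 },
  headers: { Authorization: 'Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.abcdefghijklmnop' },
  message: 'token refresh for alice@example.com failed with eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.abcdefghijklmnop',
};

assertHttps('https://api.example.com/v1/');
safeLog((payload) => console.log(JSON.stringify(payload)), 'login_failed', SAMPLE_LOG);
```

Redaction works on both axes on purpose: key-based replacement handles the fields you know about, and value-based patterns catch tokens and addresses that end up inside error messages or stack traces, which is where they usually leak.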
Auth and Permissions
Verify auth tokens are stored in secure storage (SecureStore, backed by the Keychain on iOS and the Keystore on Android) rather than AsyncStorage, that access tokens are refreshed before they expire, and that an expired or revoked refresh token sends the user back to login instead of leaving the app in a half-authenticated state. Confirm app permissions (camera, location, etc.) are still justified: each one should map to a feature that still exists and be requested at the moment it is needed, not at launch, and stale entries should be removed from app.json, Info.plist or AndroidManifest.xml. Test logout and session expiry so tokens are cleared from secure storage and from in-memory state, and check that a request using the old token is rejected by the server afterwards.
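The token lifecycle from the checklist above (secure storage, refresh before expiry, clear on logout or dead session) as an added example that is not from the original post. The storage object here is a constructed in-memory stand-in that mimics the expo-secure-store async method names getItemAsync, setItemAsync and deleteItemAsync so the code runs offline; refreshFn is a hypothetical stand-in for your real refresh call; and fakeJwt mints unsigned tokens purely for the test.

```javascript
// Added example, not from the original post. Decides whether a stored access
// token can be used, must be refreshed, or the session must be torn down, and
// wires that decision to a SecureStore-like async storage API.

const ACCESS_KEY = 'access_token';
const REFRESH_KEY = 'refresh_token';
const SKEW_SECONDS = 30; // refresh a little early to absorb clock skew and request latency

function base64urlDecode(s) {
  return Buffer.from(s, 'base64url').toString('utf8');
}

// Reads the payload WITHOUT verifying the signature. That is acceptable only for
// scheduling a refresh on the client; never use unverified claims for
// authorization decisions, which belong on the server.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(base64urlDecode(parts[1]));
}

// Anything unparsable or without a numeric exp claim is treated as expired.
function isExpired(token, nowSeconds) {
  let exp;
  try {
    exp = decodeJwtPayload(token).exp;
  } catch {
    return true;
  }
  if (typeof exp !== 'number') return true;
  return nowSeconds >= exp - SKEW_SECONDS;
}

// Pure decision function: easy to unit test independently of storage.
function nextAction(access, refresh, nowSeconds) {
  if (access && !isExpired(access, nowSeconds)) return 'use';
  if (refresh && !isExpired(refresh, nowSeconds)) return 'refresh';
  return 'logout';
}

class Session {
  // storage: object with getItemAsync/setItemAsync/deleteItemAsync (SecureStore shape).
  // refreshFn: async (refreshToken) => ({ access, refresh? }); hypothetical server call.
  constructor(storage, refreshFn, now = () => Math.floor(Date.now() / 1000)) {
    this.storage = storage;
    this.refreshFn = refreshFn;
    this.now = now;
  }

  async getAccessToken() {
    const access = await this.storage.getItemAsync(ACCESS_KEY);
    const refresh = await this.storage.getItemAsync(REFRESH_KEY);
    switch (nextAction(access, refresh, this.now())) {
      case 'use':
        return access;
      case 'refresh': {
        const fresh = await this.refreshFn(refresh);
        await this.storage.setItemAsync(ACCESS_KEY, fresh.access);
        if (fresh.refresh) await this.storage.setItemAsync(REFRESH_KEY, fresh.refresh); // rotation
        return fresh.access;
      }
      default:
        await this.logout(); // dead refresh token: clear everything, caller shows login
        return null;
    }
  }

  async logout() {
    await this.storage.deleteItemAsync(ACCESS_KEY);
    await this.storage.deleteItemAsync(REFRESH_KEY);
  }
}

// Constructed in-memory stand-in for SecureStore (same method names, no encryption).
function memoryStore() {
  const m = new Map();
  return {
    getItemAsync: async (k) => (m.has(k) ? m.get(k) : null),
    setItemAsync: async (k, v) => { m.set(k, v); },
    deleteItemAsync: async (k) => { m.delete(k); },
  };
}

// Mints an unsigned token for tests only; real tokens come from your server.
function fakeJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.sig`;
}
```

Keeping nextAction pure means the release checklist item "test logout and session expiry" becomes a few deterministic unit tests with an injected clock, rather than waiting for a real token to expire on a device.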
A few minutes on this checklist per release reduces the risk of a preventable security incident.
