Security, Signing, and Compliance
App integrity, OTA code signing, credential management, and enterprise release controls.
Key takeaways
- Expo enterprise security spans four boundaries: store signing, OTA code signing, secrets, and runtime config.
- EAS Update code signing verifies each update against a certificate embedded in the app before it is applied.
- Generate OTA private keys outside the repo, store them in KMS or a password manager, and rotate certificates before expiry through a binary release.
- Classify EAS environment values by visibility: EXPO_PUBLIC_* values ship in the client bundle, while Apple keys, service account JSON, and signing keys stay secret.
- Add Play Integrity, DeviceCheck/App Attest, certificate pinning, and deep link hijacking review to high-risk apps' threat model.
Security Boundaries
Expo enterprise security has four signing and trust boundaries.
| Boundary | Protects | Expo/EAS surface |
|---|---|---|
| Store signing | app binary integrity | EAS Build credentials, App Store and Play signing |
| OTA code signing | JS update integrity | expo-updates code signing, EAS Update |
| Secrets | build, submit, backend credentials | EAS environment variables, CI secrets |
| Runtime config | tenant, API endpoint, feature flags | app config, MDM managed config, remote config |
EAS Update Code Signing
EAS Update code signing verifies an update signature against a certificate embedded in the app before the update is applied.
```bash
npx expo-updates codesigning:generate \
  --key-output-directory ../keys \
  --certificate-output-directory certs \
  --certificate-validity-duration-years 3 \
  --certificate-common-name "Company Mobile"

npx expo-updates codesigning:configure \
  --certificate-input-directory certs \
  --key-input-directory ../keys
```

Operating rules:
- Generate private keys outside the repo and store them in KMS or a password manager.
- Commit certificates when needed, but rotate them before expiry through a binary release.
- Include compromise, expiration, and personnel offboarding in the rotation runbook.
- Restrict signed update publishing to release managers and CI service accounts.
EAS Environment Visibility
| Value | Recommended visibility | Note |
|---|---|---|
| EXPO_PUBLIC_API_URL | plain text | shipped in the client bundle |
| Sentry DSN | plain text or sensitive | still separate by environment |
| Apple API key | secret | submit/build jobs only |
| Android service account JSON | secret | never log |
| OTA signing private key path | secret | materialize only temporarily in CI |
App Integrity
High-risk internal, financial, and enterprise apps should add these items to the threat model:
- Android Play Integrity and iOS DeviceCheck or App Attest.
- False-positive policy for jailbreak/root detection.
- MDM managed app configuration validation.
- Certificate pinning scope and rotation plan.
- Deep link hijacking prevention through scheme and universal link review.
Release Approval Checklist
- EAS Build credential owner and rotation date confirmed.
- OTA code signing certificate expiration checked.
- Production EAS environment has no secret log exposure.
- sourcemap, dSYM, and mapping upload permissions are separated.
- Native runtime changes are not shipped as OTA-only updates.
- Rollback keys and certificates are not tied to a personal account.