Unveiling React Native Source Maps with CodePush API

When a React Native application is built, an application bundle and a source map are generated. Source maps are files that link the bundled code back to the original source code of the (front-end) application (as it was before being built or bundled using tools such as Webpack). They are not interpreted by the client and are often used by error tracking tools such as Sentry or Bugsnag to provide more detail in generated bug reports.

Source maps can help developers debug their applications since they can be interpreted by the browser's developer tools (allowing you to use the debugger to step through your unbundled source code). They are usually published in production for these reasons.

Exposed source maps are not a vulnerability (nor a direct risk, in my opinion), but rather provide crucial functionality for developers. However, as a security researcher/pentester, whenever you are on a (black-box) security assessment of a React Native app, you probably want to avoid having to read the minified code to analyze the (front-end) application. To aid your reconnaissance process, retrieving the source maps of the application might be a good idea.

Before React Native 0.60, the source map was included in the assets folder of the release APK by default. Since then, React Native no longer places the generated source map in the assets folder automatically. This means that if the React Native app was built using version 0.60+, you usually end up with only a (minified) bundle of the application.

CodePush

React Native applications commonly use Microsoft's CodePush to deliver over-the-air (OTA) updates to their mobile applications. This approach has many advantages, since developers can release new versions of their RN app without requiring the user to update the app through the App Store (unless new native code is added to the app).

In contrast to React Native 0.60+, CodePush includes the source maps of the application in the release bundle by default when users provide the --output-dir flag with appcenter's CLI tool.

The source maps are uploaded to CodePush's service, and while they may also be available in the application's data directory when the application communicates/retrieves a newer version of the app via CodePush, fetching them through the API may help you to quickly diff different versions of the application.

CodePush API

By using the deployment key (client-side key, supposed to be public, can be found in 'application resources') of the released application, it is possible to retrieve all published and active CodePush releases (which includes the source maps, if published) through the update_check API endpoint. The download_url property will contain a link to the ZIP archive of the release.

A simple cURL request with a deployment_key and app_version parameter is all you need.

If you are unable to retrieve the version number of the application, you can provide an invalid version number. The response will return the latest (valid) version number of the application.

curl 'https://api.appcenter.ms/v0.1/public/codepush/update_check?deployment_key=DEPLOYMENT_KEY_OF_APP&app_version=1.0.0' \
  -H 'accept: application/json'

Update: As of a release in November 2022, appcenter CLI does not seem to generate source maps by default anymore: https://github.com/microsoft/appcenter-cli/pull/2099.
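
To check whether a given release archive (the ZIP behind download_url, or one you are about to publish yourself) carries source maps, you can scan it before it ships. The script below is an added example, not code from the original post or from the appcenter tooling; the archive layout and file names in the sample are constructed for illustration.

```python
import io
import json
import zipfile

def find_source_maps(archive):
    """Return {entry name: details} for every source map inside a release ZIP."""
    findings = {}
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".map"):
                continue
            try:
                doc = json.loads(zf.read(name))
            except ValueError:
                continue  # named .map but not JSON, so not a source map
            if not isinstance(doc, dict) or ("mappings" not in doc and "sections" not in doc):
                continue  # JSON, but without source map v3 fields
            embedded = [c for c in doc.get("sourcesContent") or [] if c]
            findings[name] = {
                "sources": doc.get("sources", []),   # original file paths
                "embedded_files": len(embedded),     # files whose full text is included
            }
    return findings

def build_sample_release():
    """Constructed sample: a small release ZIP with a bundle and its source map."""
    source_map = {
        "version": 3,
        "sources": ["src/App.js", "src/api/client.js"],
        "sourcesContent": ["export default function App() {}", None],
        "names": [],
        "mappings": "AAAA",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CodePush/index.android.bundle", "__d(function(){},0);")
        zf.writestr("CodePush/index.android.bundle.map", json.dumps(source_map))
        zf.writestr("CodePush/assets/notes.map", "not json")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, info in find_source_maps(build_sample_release()).items():
        print(f"{name}: {len(info['sources'])} sources, "
              f"{info['embedded_files']} with embedded content")
```

find_source_maps also accepts a path to a ZIP on disk, so it can run as a release gate in CI that fails when the result is non-empty.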