How to obfuscate my react-native JS code? I have set the following in my build.gradle file:

release {
      minifyEnabled true
      proguardFiles getDefaultProguardFile("proguard-android.txt"), "proguard-rules.pro"

Here is my proguard-rules.pro file (default):

# Add project specific ProGuard rules here.
# By default, the flags in this file are appended to flags specified
# in /usr/local/Cellar/android-sdk/24.3.3/tools/proguard/proguard-android.txt
# You can edit the include path and order by changing the proguardFiles
# directive in build.gradle.
# For more details, see
#   http://developer.android.com/guide/developing/tools/proguard.html

# Add any project specific keep options here:

# If your project uses WebView with JS, uncomment the following
# and specify the fully qualified class name to the JavaScript interface
# class:
#-keepclassmembers class fqcn.of.javascript.interface.for.webview {
#   public *;

But still after unzipping the apk I can find my JS components name, variables and url's

As your React Native JavaScript code is built upon native code for Android and iOS, an entire obfuscation process would consider all three codebases:

Obfuscate Java code for Android

Fortunately your project already includes the Proguard obfuscator, which can be enabled as following:

  1. Update your release configuration in the build.gradle file located in android/app/ folder:

    def enableProguardInReleaseBuilds = true
    android {
        // other config omitted for brevity
        buildTypes {
            release {
                debuggable false
                shrinkResources enableProguardInReleaseBuilds
                zipAlignEnabled enableProguardInReleaseBuilds
                minifyEnabled enableProguardInReleaseBuilds
                useProguard enableProguardInReleaseBuilds
                setProguardFiles([getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'])
  2. Enable ProGuard obfuscation and edit rules accordingly in proguard-rules.pro file located in android/app/ folder.

    The following line of code needs to be commented out (add # at beginning of line):


    At this stage building the release version of your Android app should contain obfuscated Java code. Check it by analysing your APK, where you should find function calls such as a, b instead of the their actual names.

Code above referenced from Maria Korlotian's Medium post. Check also latest default React Native ProGuard configuration from GitHub repository.

From Android 3.3 beta onwards, a more optimised obfuscator called R8 can be used.

Obfuscate Objective-C code for iOS

There is no built-in library in the iOS project that will obfuscate your code, therefore an external package has to be used. PPiOS-Rename and ObjC-Obfuscator are two options here. The detailed documentation can be found in their GitHub repositories.

Obfuscate JavaScript code

This would be the most important part of the obfuscation as the our actual code is written in JavaScript. The react-native-obfuscating-transformer npm package can be used here:

  1. Add the package to your project

    npm install react-native-obfuscating-transformer
  2. Add / update the CLI configuration in rn-cli.config.js at the root of your project, where android and ios folders reside.

    module.exports = {
     getTransformModulePath() {
       return require.resolve("./transformer")

    Create this file if it does not exist yet.

  3. Create the transformer.js file also at the root and specify configuration options as appropriate:

    const obfuscatingTransformer = require("react-native-obfuscating-transformer");
    module.exports = obfuscatingTransformer({
        /* Insert here any required configuration */

    Pay attention especially to the scope of the obfuscation process, which by default targets only files in src/ folder (node_modules is excluded by default).

Having all the above stated, obfuscating your app will not make it inherently secured – although security and obscurity can be better than only the former, there are many other security enhancements (if not requirements) that can be implemented in a React Native app. This includes storing sensitive information in secure storage (Keystore in Android / Keychain in iOS), implementing certificate pinning if appropriate, and others.

Other useful links:

  • 1
    are there any other javascript obfuscation tools apart from react-native-obfuscating-transformer as this has issues – Samyak Upadhyay Apr 03 '19 at 18:50
  • @SamyakUpadhyay have you tried opening an issue in GitHub in that regard? This is the only one I know about for React Native specifically, which is based on [`javascript-obfuscator`](https://www.npmjs.com/package/javascript-obfuscator). – Siavas May 08 '19 at 21:13
  • @Siavas how can i know my apk is obfuscate? – Ottoh Hidayatullah Apr 01 '20 at 12:20
  • @Siavas Can you tell me how to check the result of my obfuscate code ? – Ottoh Hidayatullah Apr 02 '20 at 03:14
  • @OttohHidayatullah after you compile the APK, analyse it and check the classes.dex file inside the APK. The methods from your code should be replaced by letters such as 'a', 'b', etc. The [image](https://medium.com/@angelhiadefiesta/obreverse-engineering-apks-guide-to-see-if-obfuscation-works-64d56f18ec12) in this post shows an example. – Siavas Apr 04 '20 at 12:19
  • When we build a react native project to native app (example android), I think we don't need obfuscate Javascript code because the built app (apk) does not include Javascript code? – Robin Huy Jun 24 '20 at 04:41
  • 1
    @RobinHuy actually the native app still contains the JavaScript code. You would be able to observe that when you get errors, for example, if the app was built for development. This generally called "bridging" architecture is rather unique to React Native. [This answer](https://stackoverflow.com/questions/41124338/does-react-native-compile-javascript-into-java-for-android) covers that quite concisely while the [linked post](https://hackernoon.com/understanding-react-native-bridge-concept-e9526066ddb8) would give you an extensive description of the concept. – Siavas Jun 25 '20 at 08:45
  • Hi @Siavas, I did the exact same thing for code obfuscation. But the obfuscation seems doesn't work when I check the bundle.js. I have created a question to StackOverflow for that. Could you check, please? Here is the link --> https://stackoverflow.com/questions/64265280/how-to-obfuscate-react-native-bundle-js-in-ios – Halil İbrahim Özdoğan Oct 08 '20 at 15:15

The above answer by @Siavas covered most of the things however the metro plugin react-native-obfuscating-transformer doesn't seems to be obfuscating the index.android.bundle, you can try obfuscator-io-metro-plugin this seems to be working fine. it is also based on javascript-obfuscator.

you need to include the following config in metro.config.js

const jsoMetroPlugin = require("obfuscator-io-metro-plugin")(
    // these option are obfuscation options from javascript-obfuscator
    compact: false,
    sourceMap: true,
    controlFlowFlattening: true,
    controlFlowFlatteningThreshold: 1,
    numbersToExpressions: true,
    simplify: true,
    shuffleStringArray: true,
    splitStrings: true,
    stringArrayThreshold: 1,
    runInDev: false /* optional */,
    logObfuscatedFiles: true /* optional generated files will be located at ./.jso */,
module.exports = {
  transformer: {
    getTransformOptions: async () => ({
      transform: {
        experimentalImportSupport: false,
        inlineRequires: false,
shubham jha
